Bug 1382286 (CVE-2016-7966) - CVE-2016-7966 kdepim: HTML injection in plain text viewer of KMail
Summary: CVE-2016-7966 kdepim: HTML injection in plain text viewer of KMail
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-7966
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1382296 1382297 1382298 1382299
Blocks: 1382295
TreeView+ depends on / blocked
 
Reported: 2016-10-06 09:17 UTC by Adam Mariš
Modified: 2021-02-17 03:13 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-23 18:47:13 UTC


Attachments (Terms of Use)

Description Adam Mariš 2016-10-06 09:17:25 UTC
Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plain text viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content.

Affected versions: kmail >= 4.4.0

CVE assignment:

http://seclists.org/oss-sec/2016/q4/23

Upstream patch set for kdepimlibs:
* Backport avoid to transform as a url when we have a quote
https://cgit.kde.org/kdepimlibs.git/commit/?id=176fee25ca
* Backport show bad url text
https://cgit.kde.org/kdepimlibs.git/commit/?id=8bbe1bd3

External References:

https://www.kde.org/info/security/advisory-20161006-1.txt

Comment 1 Adam Mariš 2016-10-06 09:32:34 UTC
Created kdepim3 tracking bugs for this issue:

Affects: fedora-all [bug 1382297]
Affects: epel-7 [bug 1382299]

Comment 2 Adam Mariš 2016-10-06 09:32:43 UTC
Created kdepim tracking bugs for this issue:

Affects: fedora-all [bug 1382296]

Comment 3 Adam Mariš 2016-10-06 09:32:50 UTC
Created kdepim4 tracking bugs for this issue:

Affects: fedora-all [bug 1382298]

Comment 4 Than Ngo 2016-10-06 09:45:23 UTC
do we have any testcases to reproduce the issues?

Comment 5 Than Ngo 2016-10-17 14:54:01 UTC
(In reply to Adam Mariš from comment #3)
> Created kdepim4 tracking bugs for this issue:
> 
> Affects: fedora-all [bug 1382298]

it's not effected in kdepim4 but in kdepimlibs. Could you please change it?
Thanks

Comment 6 Fedora Update System 2016-10-30 17:54:26 UTC
kdepim-16.08.2-1.fc24, kdepim-addons-16.08.2-1.fc24, kdepim-apps-libs-16.08.2-1.fc24, kdepim-runtime-16.08.2-1.fc24, kf5-akonadi-calendar-16.08.2-1.fc24, kf5-akonadi-contacts-16.08.2-1.fc24, kf5-akonadi-mime-16.08.2-1.fc24, kf5-akonadi-notes-16.08.2-1.fc24, kf5-akonadi-search-16.08.2-1.fc24, kf5-akonadi-server-16.08.2-1.fc24, kf5-calendarsupport-16.08.2-1.fc24, kf5-eventviews-16.08.2-1.fc24, kf5-gpgmepp-16.08.2-1.fc24, kf5-grantleetheme-16.08.2-1.fc24, kf5-incidenceeditor-16.08.2-1.fc24, kf5-kalarmcal-16.08.2-1.fc24, kf5-kblog-16.08.2-1.fc24, kf5-kcalendarcore-16.08.2-1.fc24, kf5-kcalendarutils-16.08.2-1.fc24, kf5-kcontacts-16.08.2-1.fc24, kf5-kdgantt2-16.08.2-1.fc24, kf5-kholidays-16.08.2-1.fc24, kf5-kidentitymanagement-16.08.2-1.fc24, kf5-kimap-16.08.2-1.fc24, kf5-kldap-16.08.2-1.fc24, kf5-kmailtransport-16.08.2-1.fc24, kf5-kmbox-16.08.2-1.fc24, kf5-kmime-16.08.2-1.fc24, kf5-kontactinterface-16.08.2-1.fc24, kf5-kpimtextedit-16.08.2-1.fc24, kf5-ktnef-16.08.2-1.fc24, kf5-libgravatar-16.08.2-1.fc24, kf5-libkdepim-16.08.2-1.fc24, kf5-libkleo-16.08.2-1.fc24, kf5-libksieve-16.08.2-1.fc24, kf5-mailcommon-16.08.2-1.fc24, kf5-mailimporter-16.08.2-1.fc24, kf5-messagelib-16.08.2-1.fc24, kf5-pimcommon-16.08.2-1.fc24, kf5-syndication-16.08.2-1.fc24, kleopatra-16.08.2-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Cedric Buissart 2017-03-24 10:38:57 UTC
Statement:

This issue did not affect the versions of kdepim as shipped with Red Hat Enterprise Linux 5, 6 or 7 as they did not include support for kmail, or are not shipped with vulnerable versions.


Note You need to log in before you can comment on or make changes to this bug.