It was reported [1],[2] that kdepim enabled Java, JavaScript, and plugin support by default. This could allow for the execution of Java/JavaScript or the loading of remote images in KMail's rendering of HTML email. This has been fixed upstream [3]. The code in question looks as though it was only introduced in kdepim 4.4, which means that Red Hat Enterprise Linux 6 and earlier are not affected by this. No CVE has been assigned as of yet. [1] http://www.openwall.com/lists/oss-security/2012/07/13/3 [2] https://bugs.launchpad.net/ubuntu/+source/kdepim/+bug/1022690 [3] http://commits.kde.org/kdepim/dbb2f72f4745e00f53031965a9c10b2d6862bd54
Created kdepim tracking bugs for this issue Affects: fedora-all [bug 840627]
I've asked upstream for confirmation as to when this was introduced: http://www.openwall.com/lists/oss-security/2012/07/16/3
this issue was committed in december 2000 https://projects.kde.org/projects/kde/kdepim/repository/revisions/a15bbe697a6f139de014309008bb23f2eb8c450c but it's first included in 4.6.0 stable release, so this issue is not affected in rhel =< 6 but in f16,f17 and rawhide.
it's in update-testing now. https://admin.fedoraproject.org/updates/FEDORA-2012-10411/kdepim-4.8.4-4.fc16 https://admin.fedoraproject.org/updates/FEDORA-2012-10410/kdepim-4.8.4-4.fc17
That's right, according to upstream's response, this was added in 4.6 or 4.7: http://www.openwall.com/lists/oss-security/2012/07/17/4 Statement: Not vulnerable. This issue did not affect the versions of kdepim as shipped with Red Hat Enterprise Linux 5 or 6.
This was assigned the name CVE-2012-3413: http://www.openwall.com/lists/oss-security/2012/07/17/11
kdepim-4.8.4-4.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
kdepim-4.8.4-4.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.