CVE-2016-7966 Informations got updated

To: debian-qt-kde@lists.debian.org, team <team@security.debian.org>
Subject: CVE-2016-7966 Informations got updated
From: Sandro Knauß <bugs@sandroknauss.de>
Date: Wed, 02 Nov 2016 14:02:37 +0100
Message-id: <[🔎] 2547362.LbT2HLGQIC@tuxin>
In-reply-to: <[🔎] 1881234.2pegDdo12o@merkaba>
References: <[🔎] 1881234.2pegDdo12o@merkaba>

Hey,

nice roundtrip :) Actually this additional updates for CVE-2016-7966 were 
introduced by me, when I was fixing the Debian packages. 

This means the packages in Debian have the additional patches backported 
already.

Regards,

sandro

--
Am Mittwoch, 2. November 2016, 10:14:06 CET schrieb Martin Steigerwald:
> Hello!
> 
> For your information, it seems that a complete fix for the security
> vulnerability needs additional patches.
> 
> Thank you,
> Martin
> 
> ----------  Weitergeleitete Nachricht  ----------
> 
> Betreff: Re: KDE Project Security Advisory: KMail: HTML injection in plain
> text viewer
> Datum: Dienstag, 1. November 2016, 23:42:54 CET
> Von: Albert Astals Cid <aacid@kde.org>
> An: KDE announce list <kde-announce@kde.org>
> 
> Updated Information (1 November 2016)
> =====================================
> 
> The above mentioned patches are not enough to fix the vulnerability
> completely. This wasn't visible, because the patches for CVE-2016-7967 and
> CVE-2016-7968 made sure,
> that this vulnerability can't harm anymore.
> It only became visible, that this vulnerability isn't closed completely for
> systems,
> that are only affected by this CVE.
> 
> For KCoreAddons you need:
>  https://quickgit.kde.org/?
> p=kcoreaddons.git&a=commitdiff&h=96e562d9138c100498da38e4c5b4091a226dde12
> for applying this patch you may also need to cherry-pick:
>  https://quickgit.kde.org/?
> p=kcoreaddons.git&a=commitdiff&h=1be7272373d60e4234f1a5584e676b579302b053
> (these two are released in KCoreAddons KDE Frameworks 5.27.0)
> 
> additionally git commits, to close completely:
>  https://quickgit.kde.org/?
> p=kcoreaddons.git&a=commitdiff&h=5e13d2439dbf540fdc840f0b0ab5b3ebf6642c6a
> not needed in the strong sense, but this will give you the additional
> automatic tests, to test if this CVE is closed:
>  https://quickgit.kde.org/?
> p=kcoreaddons.git&a=commitdiff&h=a06cef31cc4c908bc9b76bd9d103fe9c60e0953f
> (will be part of KCoreAddons KDE Frameworks 5.28.0)
> 
> For kdepimlibs 4.14:
>  https://quickgit.kde.org/?
> p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf
>  https://quickgit.kde.org/?
> p=kdepimlibs.git&a=commitdiff&h=8bbe1bd3fdc55f609340edc667ff154b3d2aaab1
> kdepimlibs is at end of life, so no further release is planned.
> 
> 
> El dijous, 6 d’octubre de 2016, a les 19:44:33 CET, Albert Astals Cid va
> 
> escriure:
> > KDE Project Security Advisory
> > =============================
> > 
> > Title:          KMail: HTML injection in plain text viewer
> > Risk Rating:    Important
> > CVE:            CVE-2016-7966
> > Platforms:      All
> > Versions:       kmail >= 4.4.0
> > Author:         Andre Heinecke <aheinecke@intevation.de>
> > Date:           6 October 2016
> > 
> > Overview
> > ========
> > 
> > Through a malicious URL that contained a quote character it
> > was possible to inject HTML code in KMail's plain text viewer.
> > Due to the parser used on the URL it was not possible to include
> > the equal sign (=) or a space into the injected HTML, which greatly
> > reduces the available HTML functionality. Although it is possible
> > to include an HTML comment indicator to hide content.
> > 
> > Impact
> > ======
> > 
> > An unauthenticated attacker can send out mails with malicious content
> > that breaks KMail's plain text HTML escape logic. Due to the limitations
> > of the provided HTML in itself it might not be serious. But as a way
> > to break out of KMail's restricted Plain text mode this might open
> > the way to the exploitation of other vulnerabilities in the HTML viewer
> > code, which is disabled by default.
> > 
> > Workaround
> > ==========
> > 
> > None.
> > 
> > Solution
> > ========
> > 
> > For KDE Frameworks based releases of KMail apply the following patch to
> > kcoreaddons:
> > https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=96e562d9138c100
> > 49 8da38e4c5b4091a226dde12
> > 
> > For kdelibs4 based releases apply the following patch:
> > https://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145a
> > b5 c8e2275d248f1a46a8d8cf
> > 
> > Credits
> > =======
> > 
> > Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
> > Intevation GmbH for analysing the problems and Laurent Montel for
> > fixing this issue.
> 
> -------------------------------------------------------------

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

Follow-Ups:
- Re: CVE-2016-7966 Informations got updated
  - From: Martin Steigerwald <martin@lichtvoll.de>
- Re: CVE-2016-7966 Informations got updated
  - From: Moritz Muehlenhoff <jmm@inutil.org>

References:
- Fwd: Re: KDE Project Security Advisory: KMail: HTML injection in plain text viewer
  - From: Martin Steigerwald <martin@lichtvoll.de>

Prev by Date: Bug#842920: Konsole's Plasma application menu behavior is erratic
Next by Date: Re: CVE-2016-7966 Informations got updated
Previous by thread: Fwd: Re: KDE Project Security Advisory: KMail: HTML injection in plain text viewer
Next by thread: Re: CVE-2016-7966 Informations got updated
Index(es):
- Date
- Thread