Bug#913595: marked as done (CVE-2018-19120: kio-extras: HTML Thumbnailer automatic remote file access)



Your message dated Mon, 12 Nov 2018 22:50:02 +0000
with message-id <E1gML1u-0003oN-E3@fasolo.debian.org>
and subject line Bug#913595: fixed in kio-extras 4:18.08.3-1
has caused the Debian Bug report #913595,
regarding CVE-2018-19120: kio-extras: HTML Thumbnailer automatic remote file access
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
913595: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913595
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: kio-extras
Version: 4:18.08.1-1
Severity: important
Tags: security

Dear Maintainer,

"KDE Project Security Advisory: kio-extras: HTML Thumbnailer automatic
remote file access" (Message-ID: <5460566.RsyoOK3lV2@xps>, for some reason
the mailing list archives are for subscribers only) mentions that
'htmlthumbnail.so' accesses content from remote files in HTML files to
thumbnail. It has been assigned CVE number CVE-2018-19120.

KDE developers removed the HTML thumbnailer for KDE Applications 18.12.

Work-around is to remove

/usr/lib/x86_64-linux-gnu/qt5/plugins/htmlthumbnail.so

The announcement should be accessible to the public on

https://www.kde.org/announcements/

soon.

Thanks,
Martin

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-tp520 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages kio-extras depends on:
ii  kio                      5.51.0-1
ii  kio-extras-data          4:18.08.1-1
ii  libc6                    2.27-8
ii  libgcc1                  1:8.2.0-9
ii  libkf5activities5        5.51.0-1
ii  libkf5archive5           5.51.0-1
ii  libkf5bookmarks5         5.51.0-1
ii  libkf5codecs5            5.51.0-1
ii  libkf5configcore5        5.51.0-1
ii  libkf5configgui5         5.51.0-1
ii  libkf5configwidgets5     5.51.0-1
ii  libkf5coreaddons5        5.51.0-1
ii  libkf5dbusaddons5        5.51.0-1
ii  libkf5dnssd5             5.51.0-1
ii  libkf5guiaddons5         5.51.0-1
ii  libkf5i18n5              5.51.0-1
ii  libkf5iconthemes5        5.51.0-1
ii  libkf5khtml5             5.51.0-1
ii  libkf5kiocore5           5.51.0-1
ii  libkf5kiofilewidgets5    5.51.0-1
ii  libkf5kiowidgets5        5.51.0-1
ii  libkf5parts5             5.51.0-1
ii  libkf5pty5               5.51.0-1
ii  libkf5service-bin        5.51.0-1
ii  libkf5service5           5.51.0-1
ii  libkf5solid5             5.51.0-1
ii  libkf5xmlgui5            5.51.0-1
ii  libmtp9                  1.1.13-1
ii  libopenexr23             2.2.1-4
ii  libphonon4qt5-4          4:4.10.1-1
ii  libqt5core5a             5.11.2+dfsg-4
ii  libqt5dbus5              5.11.2+dfsg-4
ii  libqt5gui5               5.11.2+dfsg-4
ii  libqt5network5           5.11.2+dfsg-4
ii  libqt5sql5               5.11.2+dfsg-4
ii  libqt5svg5               5.11.2-2
ii  libqt5webenginewidgets5  5.11.2+dfsg-2
ii  libqt5widgets5           5.11.2+dfsg-4
ii  libqt5xml5               5.11.2+dfsg-4
ii  libsmbclient             2:4.9.1+dfsg-2
ii  libssh-4                 0.8.4-3
ii  libstdc++6               8.2.0-9
ii  libtag1v5                1.11.1+dfsg.1-0.2+b1
ii  phonon4qt5               4:4.10.1-1

kio-extras recommends no packages.

kio-extras suggests no packages.

-- no debconf information

-- debsums errors found:
debsums: missing file /usr/lib/x86_64-linux-gnu/qt5/plugins/htmlthumbnail.so (from kio-extras package)

--- End Message ---
--- Begin Message ---
Source: kio-extras
Source-Version: 4:18.08.3-1

We believe that the bug you reported is fixed in the latest version of
kio-extras, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 913595@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pino Toscano <pino@debian.org> (supplier of updated kio-extras package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 12 Nov 2018 23:27:05 +0100
Source: kio-extras
Binary: kio-extras kio-extras-data
Architecture: source
Version: 4:18.08.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Pino Toscano <pino@debian.org>
Description:
 kio-extras - Extra functionality for kioslaves.
 kio-extras-data - Extra functionality for kioslaves data files.
Closes: 913595
Changes:
 kio-extras (4:18.08.3-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release.
   * Disable the HTML thumbnailer: (CVE-2018-19120) (Closes: #913595)
     - remove the qtwebengine5-dev build dependency

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
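
An added example, not part of either message and not Debian or KDE code: a triage helper that classifies hosts by installed kio-extras version (compared against the fixed 4:18.08.3-1) and by whether the plugin file named in the report is still on disk. The host names, status labels and the "review" rule are assumptions made for illustration; the version comparison reimplements dpkg's ordering so an inventory can be checked on a machine without dpkg.

```python
import os
import re
import subprocess

FIXED = "4:18.08.3-1"  # fixed version named in the closing message
PLUGIN = "/usr/lib/x86_64-linux-gnu/qt5/plugins/htmlthumbnail.so"  # amd64 path from the report

def _part_key(part):
    """Sort key for an upstream or revision string, following dpkg's ordering."""
    def order(c):  # '~' sorts before end of string, letters before other symbols
        return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256
    return [(tuple(map(order, text)) + (0,), int(num or 0))
            for text, num in re.findall(r"(\D*)(\d*)", part)]

def version_key(version):
    """Comparable key for a Debian version: [epoch:]upstream[-revision]."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
    return int(epoch), _part_key(upstream), _part_key(revision)

def classify(version, plugin_present):
    """Exposure status from the installed version and whether the plugin file exists."""
    if version and version_key(version) < version_key(FIXED):
        return "vulnerable" if plugin_present else "workaround-applied"
    if plugin_present:
        return "review"  # assumption: a fixed or absent package should not ship the file
    return "fixed" if version else "not-installed"

def local_state():  # (version or None, plugin_present) for the machine this runs on
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "kio-extras"],
                             capture_output=True, text=True).stdout.strip()
    except FileNotFoundError:  # not a dpkg-based system
        out = ""
    return out or None, os.path.exists(PLUGIN)

SAMPLE = [  # constructed inventory rows: (host, kio-extras version, plugin file present)
    ("ws-01", "4:18.08.1-1", True),
    ("ws-02", "4:18.08.1-1", False),
    ("ws-03", "4:18.08.3-1", False),
    ("ws-04", "4:18.08.3-1", True),
    ("srv-01", None, False),
]

def audit(rows):
    return {host: classify(version, present) for host, version, present in rows}

if __name__ == "__main__":
    print(audit(SAMPLE), "local:", classify(*local_state()))
```

On a Debian host, `dpkg --compare-versions` remains the authoritative comparison. A host in the "workaround-applied" state becomes vulnerable again if a pre-fix package is reinstalled and restores the file.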
