
Bug#915039: CVE-2018-19516: HTML email can open browser window automatically



Source: kf5-messagelib
Version: 4:18.08.1-1
Severity: grave
Tags: upstream security

Hi,

KDE published the following security advisory (CVE-2018-19516):

> messagelib by default displays emails as plain text, but gives the user
> an option to "Prefer HTML to plain text" in the settings and if that option
> is not enabled there is a way to enable HTML display when an email contains HTML.
>
> Some HTML emails can trick messagelib into opening a new browser window when
> displaying said email as HTML.
>
> This happens even if the option to allow the HTML emails to access
> remote servers is disabled in KMail settings.
>
> This means that the owners of the servers referred to in the email can see
> in their access logs your IP address.

https://www.kde.org/info/security/advisory-20181128-1.txt

Cheers,
Felix

