--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: CVE-2018-19120: kio-extras: HTML Thumbnailer automatic remote file access
- From: Martin Steigerwald <Martin@Lichtvoll.de>
- Date: Mon, 12 Nov 2018 20:50:25 +0100
- Message-id: <154205222592.28930.14136794497405301072.reportbug@merkaba.lichtvoll>
Package: kde-runtime
Version: 4:17.08.3-2
Severity: important
Tags: security
Dear Maintainer,
"KDE Project Security Advisory: kio-extras: HTML Thumbnailer automatic
remote file access" (Message-ID: <5460566.RsyoOK3lV2@xps>, for some reason
the mailing list archives are for subscribers only) mentions that
'htmlthumbnail.so' accesses content from remote files in HTML files to
thumbnail. It has been assigned CVE number CVE-2018-19120.
KDE developers removed the HTML thumbnailer for KDE Applications 18.12.
The KDE advisory mentions kio-extras. I am not sure whether 'htmlthumbnail.so'
from KDE SC 4 in 'kde-runtime' is also affected.
If so, the work-around is to remove
/usr/lib/kde4/htmlthumbnail.so
The announcement should be accessible to the public on
https://www.kde.org/announcements/
soon.
Thanks,
Martin
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-tp520 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages kde-runtime depends on:
ii drkonqi 5.13.4-1
ii kde-runtime-data 4:17.08.3-2
ii kdelibs5-plugins 4:4.14.38-2
ii libasound2 1.1.7-1
ii libattica0.4 0.4.2-2
ii libc6 2.27-8
ii libcanberra0 0.30-6
ii libexiv2-14 0.25-4
ii libgcc1 1:8.2.0-9
ii libgcrypt20 1.8.4-3
ii libgpgme++2v5 4:4.14.10-10
ii libgpgme11 1.12.0-4
ii libjpeg62-turbo 1:1.5.2-2+b1
ii libkactivities6 4:4.13.3-2
ii libkcmutils4 4:4.14.38-2
ii libkdeclarative5 4:4.14.38-2
ii libkdecore5 4:4.14.38-2
ii libkdesu5 4:4.14.38-2
ii libkdeui5 4:4.14.38-2
ii libkdewebkit5 4:4.14.38-2
ii libkdnssd4 4:4.14.38-2
ii libkemoticons4 4:4.14.38-2
ii libkfile4 4:4.14.38-2
ii libkhtml5 4:4.14.38-2
ii libkio5 4:4.14.38-2
ii libkmediaplayer4 4:4.14.38-2
ii libknewstuff3-4 4:4.14.38-2
ii libknotifyconfig4 4:4.14.38-2
ii libkparts4 4:4.14.38-2
ii libkpty4 4:4.14.38-2
ii libntrack-qt4-1 016-1.3
ii libopenexr23 2.2.1-4
ii libphonon4 4:4.10.1-1
ii libplasma3 4:4.14.38-2
ii libpulse-mainloop-glib0 12.2-2
ii libpulse0 12.2-2
ii libqt4-dbus 4:4.8.7+dfsg-17
ii libqt4-declarative 4:4.8.7+dfsg-17
ii libqt4-network 4:4.8.7+dfsg-17
ii libqt4-script 4:4.8.7+dfsg-17
ii libqt4-svg 4:4.8.7+dfsg-17
ii libqt4-xml 4:4.8.7+dfsg-17
ii libqtcore4 4:4.8.7+dfsg-17
ii libqtgui4 4:4.8.7+dfsg-17
ii libqtwebkit4 2.3.4.dfsg-10
ii libsmbclient 2:4.9.1+dfsg-2
ii libsolid4 4:4.14.38-2
ii libssh-gcrypt-4 0.8.4-3
ii libstdc++6 8.2.0-9
ii libwebp6 0.6.1-2
ii libx11-6 2:1.6.7-1
ii libxcursor1 1:1.1.15-1
ii oxygen-icon-theme 5:5.51.0-1
ii phonon 4:4.10.1-1
ii plasma-scriptengine-javascript 4:17.08.3-2
Versions of packages kde-runtime recommends:
ii icoutils 0.32.3-2
pn libcanberra-pulse | libcanberra-gstreamer <none>
ii sound-theme-freedesktop 0.8-2
ii udisks2 2.8.1-2
ii upower 0.99.9-1
Versions of packages kde-runtime suggests:
pn djvulibre-bin <none>
ii finger 0.17-15.1
-- no debconf information
-- debsums errors found:
debsums: missing file /usr/lib/kde4/htmlthumbnail.so (from kde-runtime package)
--- End Message ---
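The work-around in the report is to remove the KDE 4 HTML thumbnailer plugin, and the debsums line at the end of the report shows what that looks like afterwards (a "missing file" owned by kde-runtime). The following POSIX shell script is an added example, not part of the bug report or of any KDE or Debian tooling: it checks whether the plugin file is still present and, when dpkg is available, names the package that ships it, so an administrator can confirm the work-around on a fleet of hosts. The default path is the one given in the report; the PLUGIN_PATH variable and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report: check whether the KDE 4 HTML
# thumbnailer plugin named in the report is still installed, and name the
# package that ships it. The default path is the one the report gives;
# PLUGIN_PATH and the function names are this example's own assumptions.
PLUGIN_PATH="${PLUGIN_PATH:-/usr/lib/kde4/htmlthumbnail.so}"

# plugin_state PATH -> prints "present" or "absent"; returns 0 only when absent
plugin_state() {
    if [ -e "$1" ]; then
        echo present
        return 1
    fi
    echo absent
    return 0
}

# owning_package PATH -> prints the Debian package that ships PATH, or
# "unknown" when dpkg is unavailable or does not know the file.
owning_package() {
    if command -v dpkg >/dev/null 2>&1 && out=$(dpkg -S "$1" 2>/dev/null); then
        # dpkg -S prints "package: /path"; keep the package name only
        echo "${out%%:*}"
    else
        echo unknown
    fi
}

# check_plugin [PATH] -> one-line summary; exit status 0 when the plugin is absent,
# 1 when it is still installed (work-around not applied).
check_plugin() {
    path="${1:-$PLUGIN_PATH}"
    state=$(plugin_state "$path")
    pkg=$(owning_package "$path")
    case "$state" in
        present)
            echo "VULNERABLE: $path is present (package: $pkg); remove it or upgrade"
            return 1 ;;
        *)
            echo "OK: $path is absent (package: $pkg)"
            return 0 ;;
    esac
}

check_plugin "$PLUGIN_PATH"
```

Once the file has been removed, dpkg still records it as shipped by kde-runtime, which is why debsums reports it as a missing file exactly as in the report; the owning-package lookup above keeps that information visible so the missing file is not mistaken for corruption later.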