
Debian Bug report logs - #913595
CVE-2018-19120: kio-extras: HTML Thumbnailer automatic remote file access


Reported by: Martin Steigerwald <Martin@Lichtvoll.de>

Date: Mon, 12 Nov 2018 19:51:01 UTC

Severity: important

Tags: security, upstream

Found in version kio-extras/4:18.08.1-1

Fixed in version kio-extras/4:18.08.3-1

Done: Pino Toscano <pino@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Martin@Lichtvoll.de, martin@lichtvoll.de, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#913595; Package kio-extras. (Mon, 12 Nov 2018 19:51:04 GMT)


Acknowledgement sent to Martin Steigerwald <Martin@Lichtvoll.de>:
New Bug report received and forwarded. Copy sent to Martin@Lichtvoll.de, martin@lichtvoll.de, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Mon, 12 Nov 2018 19:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Martin Steigerwald <Martin@Lichtvoll.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2018-19120: kio-extras: HTML Thumbnailer automatic remote file access
Date: Mon, 12 Nov 2018 20:46:49 +0100
Package: kio-extras
Version: 4:18.08.1-1
Severity: important
Tags: security

Dear Maintainer,

"KDE Project Security Advisory: kio-extras: HTML Thumbnailer automatic
remote file access" (Message-ID: <5460566.RsyoOK3lV2@xps>, for some reason
the mailing list archives are for subscribers only) mentions that
'htmlthumbnail.so' accesses content from remote files in HTML files to
thumbnail. It has been assigned CVE number CVE-2018-19120.

KDE developers removed the HTML thumbnailer for KDE Applications 18.12.

Work-around is to remove

/usr/lib/x86_64-linux-gnu/qt5/plugins/htmlthumbnail.so

The announcement should be accessible to the public on

https://www.kde.org/announcements/

soon.

Thanks,
Martin

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-tp520 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages kio-extras depends on:
ii  kio                      5.51.0-1
ii  kio-extras-data          4:18.08.1-1
ii  libc6                    2.27-8
ii  libgcc1                  1:8.2.0-9
ii  libkf5activities5        5.51.0-1
ii  libkf5archive5           5.51.0-1
ii  libkf5bookmarks5         5.51.0-1
ii  libkf5codecs5            5.51.0-1
ii  libkf5configcore5        5.51.0-1
ii  libkf5configgui5         5.51.0-1
ii  libkf5configwidgets5     5.51.0-1
ii  libkf5coreaddons5        5.51.0-1
ii  libkf5dbusaddons5        5.51.0-1
ii  libkf5dnssd5             5.51.0-1
ii  libkf5guiaddons5         5.51.0-1
ii  libkf5i18n5              5.51.0-1
ii  libkf5iconthemes5        5.51.0-1
ii  libkf5khtml5             5.51.0-1
ii  libkf5kiocore5           5.51.0-1
ii  libkf5kiofilewidgets5    5.51.0-1
ii  libkf5kiowidgets5        5.51.0-1
ii  libkf5parts5             5.51.0-1
ii  libkf5pty5               5.51.0-1
ii  libkf5service-bin        5.51.0-1
ii  libkf5service5           5.51.0-1
ii  libkf5solid5             5.51.0-1
ii  libkf5xmlgui5            5.51.0-1
ii  libmtp9                  1.1.13-1
ii  libopenexr23             2.2.1-4
ii  libphonon4qt5-4          4:4.10.1-1
ii  libqt5core5a             5.11.2+dfsg-4
ii  libqt5dbus5              5.11.2+dfsg-4
ii  libqt5gui5               5.11.2+dfsg-4
ii  libqt5network5           5.11.2+dfsg-4
ii  libqt5sql5               5.11.2+dfsg-4
ii  libqt5svg5               5.11.2-2
ii  libqt5webenginewidgets5  5.11.2+dfsg-2
ii  libqt5widgets5           5.11.2+dfsg-4
ii  libqt5xml5               5.11.2+dfsg-4
ii  libsmbclient             2:4.9.1+dfsg-2
ii  libssh-4                 0.8.4-3
ii  libstdc++6               8.2.0-9
ii  libtag1v5                1.11.1+dfsg.1-0.2+b1
ii  phonon4qt5               4:4.10.1-1

kio-extras recommends no packages.

kio-extras suggests no packages.

-- no debconf information

-- debsums errors found:
debsums: missing file /usr/lib/x86_64-linux-gnu/qt5/plugins/htmlthumbnail.so (from kio-extras package)
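The report above gives two facts a defender can check a host against: the path of the vulnerable plugin (/usr/lib/x86_64-linux-gnu/qt5/plugins/htmlthumbnail.so, whose removal is the stated workaround) and the fixed package version (4:18.08.3-1). The following POSIX shell script is an added example written for this page, not code from the bug report or the kio-extras project. It classifies a host as "vulnerable" (plugin still on disk), "mitigated" (plugin removed but the package still older than the fix, so a package reinstall would bring it back), "fixed" (package at or above the fixed version) or "unknown" (dpkg unavailable or package not installed). The optional plugin-directory argument and the four output words are assumptions introduced here so the check can be exercised against a test tree.

```shell
#!/bin/sh
# Added example (not from the bug report): assess a Debian/Kubuntu host for
# the CVE-2018-19120 exposure. Values taken from the report: the plugin path
# and the fixed version 4:18.08.3-1. Assumed here: the optional directory
# argument and the output words vulnerable/mitigated/fixed/unknown.

FIXED_VERSION="4:18.08.3-1"
PLUGIN_NAME="htmlthumbnail.so"
DEFAULT_PLUGIN_DIR="/usr/lib/x86_64-linux-gnu/qt5/plugins"

# Returns 0 if the HTML thumbnailer plugin exists in the given directory
# (defaults to the path named in the report).
thumbnailer_present() {
    dir="${1:-$DEFAULT_PLUGIN_DIR}"
    [ -e "$dir/$PLUGIN_NAME" ]
}

# Prints the installed kio-extras version. Fails (non-zero) when dpkg-query
# is not available or the package is not installed.
installed_kio_extras_version() {
    command -v dpkg-query >/dev/null 2>&1 || return 1
    dpkg-query -W -f '${Version}' kio-extras 2>/dev/null
}

# Returns 0 if version $1 is at least FIXED_VERSION, 1 if it is older,
# 2 if dpkg (whose comparison rules we reuse) is unavailable.
version_is_fixed() {
    command -v dpkg >/dev/null 2>&1 || return 2
    dpkg --compare-versions "$1" ge "$FIXED_VERSION"
}

# Prints one word describing the host's state; always returns 0 so the
# caller can capture the word with $(...).
assess() {
    dir="${1:-$DEFAULT_PLUGIN_DIR}"
    # The plugin on disk is loadable regardless of the package version,
    # so its presence alone is enough to flag the host.
    if thumbnailer_present "$dir"; then
        echo vulnerable
        return 0
    fi
    ver=$(installed_kio_extras_version) || { echo unknown; return 0; }
    [ -n "$ver" ] || { echo unknown; return 0; }
    rc=0
    version_is_fixed "$ver" || rc=$?
    case $rc in
        0) echo fixed ;;
        # File removed by hand but package still old: the workaround holds
        # only until the package is reinstalled or rebuilt.
        1) echo mitigated ;;
        *) echo unknown ;;
    esac
}

# Stand-alone use: assess the real system (or a directory given as $1).
assess "${1:-}"
```

Run it without arguments on a Kubuntu or Debian host; the only file it touches is read-only access to the plugin directory, and the actual fix remains upgrading kio-extras to 4:18.08.3-1 or later, which no longer ships the plugin at all.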



Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#913595; Package kio-extras. (Mon, 12 Nov 2018 20:06:02 GMT)


Acknowledgement sent to Martin Steigerwald <martin@lichtvoll.de>:
Extra info received and forwarded to list. Copy sent to Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Mon, 12 Nov 2018 20:06:02 GMT)


Message #10 received at 913595@bugs.debian.org:

From: Martin Steigerwald <martin@lichtvoll.de>
To: 913595@bugs.debian.org, 913596@bugs.debian.org
Subject: Link to KDE security advisory
Date: Mon, 12 Nov 2018 21:03:27 +0100
It is not on the announcement page, but on the KDE security advisories 
page:

https://www.kde.org/info/security/advisory-20181012-1.txt

Thanks,
-- 
Martin





Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 12 Nov 2018 20:21:05 GMT)


Reply sent to Pino Toscano <pino@debian.org>:
You have taken responsibility. (Mon, 12 Nov 2018 22:51:13 GMT)


Notification sent to Martin Steigerwald <Martin@Lichtvoll.de>:
Bug acknowledged by developer. (Mon, 12 Nov 2018 22:51:13 GMT)


Message #17 received at 913595-close@bugs.debian.org:

From: Pino Toscano <pino@debian.org>
To: 913595-close@bugs.debian.org
Subject: Bug#913595: fixed in kio-extras 4:18.08.3-1
Date: Mon, 12 Nov 2018 22:50:02 +0000
Source: kio-extras
Source-Version: 4:18.08.3-1

We believe that the bug you reported is fixed in the latest version of
kio-extras, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 913595@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pino Toscano <pino@debian.org> (supplier of updated kio-extras package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 12 Nov 2018 23:27:05 +0100
Source: kio-extras
Binary: kio-extras kio-extras-data
Architecture: source
Version: 4:18.08.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Pino Toscano <pino@debian.org>
Description:
 kio-extras - Extra functionality for kioslaves.
 kio-extras-data - Extra functionality for kioslaves data files.
Closes: 913595
Changes:
 kio-extras (4:18.08.3-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release.
   * Disable the HTML thumbnailer: (CVE-2018-19120) (Closes: #913595)
     - remove the qtwebengine5-dev build dependency
Checksums-Sha1:
 37057c0953edf643d191031b93d90b443f9159a3 3139 kio-extras_18.08.3-1.dsc
 95df9a451ea50563cc9279db985285e7b513c7c2 552044 kio-extras_18.08.3.orig.tar.xz
 77f8db1aade408cf138cae3c121fb149eed65858 774 kio-extras_18.08.3.orig.tar.xz.asc
 c07bb482f2d748cdef9f183d1f27f5b8e67d40ab 13656 kio-extras_18.08.3-1.debian.tar.xz
 17eeada9a352619d8b317c8fb57a458ed8cad9ae 20353 kio-extras_18.08.3-1_source.buildinfo
Checksums-Sha256:
 7b5693535166ff3b271864ed305e3fdaf9a23910496dd09e257e9a43f1918c6f 3139 kio-extras_18.08.3-1.dsc
 450d69b16a873da51190c9397b2b0ecb08bc0dcae0d2a07f7ab1d2efcd02c280 552044 kio-extras_18.08.3.orig.tar.xz
 bf3825e7254d8534e234005dc571b1d4796ef860f1c01936a4fd142c4d59781a 774 kio-extras_18.08.3.orig.tar.xz.asc
 92e754e1a1968b0686361871b14a61fcf3ace93ada8e7865f91db6151230799b 13656 kio-extras_18.08.3-1.debian.tar.xz
 a58c84ee4c1f5dca678c040c1c55445def9c959efbf1ae1827b7e149c15b3e86 20353 kio-extras_18.08.3-1_source.buildinfo
Files:
 c35e1753d595a90b5de3ad21c00b8324 3139 kde optional kio-extras_18.08.3-1.dsc
 2a34d890b3b6d6ea52ae9ac8023816fa 552044 kde optional kio-extras_18.08.3.orig.tar.xz
 0680f6f7f1b0c399cef82a4cab9acc7a 774 kde optional kio-extras_18.08.3.orig.tar.xz.asc
 d16d8785703fee243382d613b330a9ed 13656 kde optional kio-extras_18.08.3-1.debian.tar.xz
 52e5cd90123233c64bd3eb1dc38e8dc0 20353 kde optional kio-extras_18.08.3-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Dec 2018 07:31:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:00:47 2019; Machine Name: beach
