Debian Bug report logs - #915039
CVE-2018-19516: HTML email can open browser window automatically

Reported by: Felix Geyer <fgeyer@debian.org>

Date: Thu, 29 Nov 2018 18:15:01 UTC

Severity: grave

Tags: security, upstream

Found in version kf5-messagelib/4:18.08.1-1

Fixed in version kf5-messagelib/4:18.08.3-2

Done: Sandro Knauß <hefee@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#915039; Package src:kf5-messagelib. (Thu, 29 Nov 2018 18:15:05 GMT)


Acknowledgement sent to Felix Geyer <fgeyer@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Thu, 29 Nov 2018 18:15:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Felix Geyer <fgeyer@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2018-19516: HTML email can open browser window automatically
Date: Thu, 29 Nov 2018 19:12:08 +0100
Source: kf5-messagelib
Version: 4:18.08.1-1
Severity: grave
Tags: upstream security

Hi,

KDE published the following security advisory (CVE-2018-19516):

> messagelib by default displays emails as plain text, but gives the user
> an option to "Prefer HTML to plain text" in the settings, and if that option
> is not enabled there is a way to enable HTML display when an email contains HTML.
>
> Some HTML emails can trick messagelib into opening a new browser window when
> displaying said email as HTML.
>
> This happens even if the option to allow the HTML emails to access
> remote servers is disabled in KMail settings.
>
> This means that the owners of the servers referred to in the email can see
> your IP address in their access logs.

https://www.kde.org/info/security/advisory-20181128-1.txt

Cheers,
Felix
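The advisory above describes the impact (a browser window opened by mail content, and the resulting IP address disclosure) without saying which markup triggered it. As an added, constructed example that is not code from messagelib, KMail or the advisory, the following Python helper lists the parts of an HTML mail body that can navigate or fetch a remote resource when the body is rendered as HTML, which is the kind of content a mail operator or a viewer's test suite would want to flag when the "no remote content" setting is the only protection. The REMOTE_ATTRS table and the SAMPLE_MAIL body are assumptions constructed for this example, not an exhaustive list and not a description of the CVE-2018-19516 trigger.

```python
"""Audit an HTML e-mail body for markup that can navigate or fetch remotely.

Constructed example: not code from messagelib/KMail. It uses only the
standard library so it runs offline on any HTML string.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Element -> attributes that name a remote resource or a navigation target.
# This table is an assumption made for the example; extend it as needed.
REMOTE_ATTRS = {
    "img": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "script": ("src",),
    "link": ("href",),
    "object": ("data",),
    "embed": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
    "form": ("action",),
    "base": ("href",),
    "a": ("href",),          # only navigates on click, reported separately
}


def _is_remote(url):
    """True for absolute http/https/ftp URLs and protocol-relative //host URLs.
    Local references such as cid: parts and data: URIs are not remote."""
    url = url.strip()
    scheme = urlsplit(url).scheme.lower()
    return scheme in ("http", "https", "ftp") or url.startswith("//")


class RemoteRefAuditor(HTMLParser):
    """Collect (kind, value) findings for every tag that can leave the client."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        attrs = {k.lower(): (v or "") for k, v in attrs}
        # <meta http-equiv="refresh"> navigates without any user action.
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", attrs.get("content", "")))
        # Inline script can open windows or change location if JS is enabled.
        if tag == "script" and "src" not in attrs:
            self.findings.append(("inline-script", ""))
        # Attributes that point at a remote resource.
        for attr in REMOTE_ATTRS.get(tag, ()):
            value = attrs.get(attr, "")
            if value and _is_remote(value):
                self.findings.append((f"{tag}[{attr}]", value))
        # on* attributes carry event-handler JavaScript.
        for name, value in attrs.items():
            if name.startswith("on"):
                self.findings.append((f"{tag}[{name}]", value))


def audit_html_mail(body):
    """Return all findings for an HTML body, in document order."""
    auditor = RemoteRefAuditor()
    auditor.feed(body)
    auditor.close()
    return auditor.findings


def automatic_findings(findings):
    """Keep only findings that act on render, dropping click-only <a href>."""
    return [f for f in findings if not f[0].startswith("a[")]


# Constructed sample message: one inline cid: image (harmless), one tracking
# pixel, a meta refresh and a base href that all reference remote hosts.
SAMPLE_MAIL = """<html><head>
<meta http-equiv="refresh" content="0; url=https://tracker.example/id=42">
<base href="https://cdn.example/">
</head><body>
<p>Hello</p>
<img src="cid:logo@local" alt="inline logo">
<img src="https://tracker.example/pixel.gif" width="1" height="1">
<a href="https://shop.example/">visit</a>
</body></html>"""

if __name__ == "__main__":
    for kind, value in audit_html_mail(SAMPLE_MAIL):
        print(f"{kind:16} {value}")
```

On the constructed sample the auditor reports the meta refresh, the base href and the tracking pixel as render-time findings and the hyperlink as click-only; the cid: image is skipped because it is not a remote reference. A viewer that blocks remote content on render still needs a separate decision about navigation and script, which is exactly the class of gap the advisory describes.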



Reply sent to Sandro Knauß <hefee@debian.org>:
You have taken responsibility. (Sat, 02 Mar 2019 00:39:03 GMT)


Notification sent to Felix Geyer <fgeyer@debian.org>:
Bug acknowledged by developer. (Sat, 02 Mar 2019 00:39:03 GMT)


Message #10 received at 915039-close@bugs.debian.org:

From: Sandro Knauß <hefee@debian.org>
To: 915039-close@bugs.debian.org
Subject: Bug#915039: fixed in kf5-messagelib 4:18.08.3-2
Date: Sat, 02 Mar 2019 00:34:43 +0000
Source: kf5-messagelib
Source-Version: 4:18.08.3-2

We believe that the bug you reported is fixed in the latest version of
kf5-messagelib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 915039@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sandro Knauß <hefee@debian.org> (supplier of updated kf5-messagelib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 02 Mar 2019 01:20:22 +0100
Source: kf5-messagelib
Architecture: source
Version: 4:18.08.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Sandro Knauß <hefee@debian.org>
Closes: 915039
Changes:
 kf5-messagelib (4:18.08.3-2) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Sandro Knauß ]
   * Disable running tests on mipsel.
   * Add patch for CVE-2018-19516 (Closes: #915039)
   * Add Build-Depends-Package for symbols files.
Checksums-Sha1:
 fa604fd4aee940f1dceaa9c1ebd1aa7ee4b3a628 4977 kf5-messagelib_18.08.3-2.dsc
 9cdf155c5a1c983d33dd6b2d20c8e47fe2d927f0 48288 kf5-messagelib_18.08.3-2.debian.tar.xz
 0e561452f806434edaf102fecf00c95e18fee855 24111 kf5-messagelib_18.08.3-2_source.buildinfo
Checksums-Sha256:
 160da1aeb0609bb2e2f11ecdf9665c9974d70dd82e548868061f44914610eaf0 4977 kf5-messagelib_18.08.3-2.dsc
 4081d5fdae2b255f51b7e7bab0097dafd42cd891464dd09e49942ccc47ee99db 48288 kf5-messagelib_18.08.3-2.debian.tar.xz
 00f550a032cb9c78d748982678758cb9d0a24636750eef9b46cd372c3429ed72 24111 kf5-messagelib_18.08.3-2_source.buildinfo
Files:
 f984e1731a3fdc9459399c99650fcbda 4977 libs optional kf5-messagelib_18.08.3-2.dsc
 19d761b778e462af8f6b62d1e8c83578 48288 libs optional kf5-messagelib_18.08.3-2.debian.tar.xz
 9c2cd06b5a79d3e8edb15b6eacd7ee61 24111 libs optional kf5-messagelib_18.08.3-2_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 30 Mar 2019 07:27:52 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:42:23 2019; Machine Name: buxtehude
