Debian Bug report logs - #853241
kf5-messagelib: CVE-2016-7967 CVE-2016-7968

Package: kf5-messagelib; Maintainer for kf5-messagelib is Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>;

Reported by: Thorsten Alteholz <debian@alteholz.de>

Date: Mon, 30 Jan 2017 19:03:04 UTC

Severity: important

Tags: security

Fixed in version 4:16.04.3-2

Done: Thorsten Alteholz <debian@alteholz.de>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#853241; Package kf5-messagelib. (Mon, 30 Jan 2017 19:03:07 GMT) (full text, mbox, link).

Acknowledgement sent to Thorsten Alteholz <debian@alteholz.de>:
New Bug report received and forwarded. Copy sent to Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Mon, 30 Jan 2017 19:03:07 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: kf5-messagelib
Severity: important
Tags: security

Hi,

the following vulnerabilities were published for kf5-messagelib.

CVE-2016-7967[0]:
| KMail since version 5.3.0 used a QWebEngine based viewer that had
| JavaScript enabled. Since the generated html is executed in the local
| file security context by default access to remote and local URLs was
| enabled.

CVE-2016-7968[1]:
| KMail since version 5.3.0 used a QWebEngine based viewer that had
| JavaScript enabled. HTML Mail contents were not sanitized for
| JavaScript and included code was executed.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-7967
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7967
[1] https://security-tracker.debian.org/tracker/CVE-2016-7968
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7968
Please adjust the affected versions in the BTS as needed.

   Thorsten

Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#853241; Package kf5-messagelib. (Mon, 30 Jan 2017 19:18:04 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Mon, 30 Jan 2017 19:18:04 GMT) (full text, mbox, link).

Message #10 received at 853241@bugs.debian.org (full text, mbox, reply):

Hi

It might be noted that the issues itself are mitigated with the fixes
applied for CVE-2016-7966, and a user protected from this CVE by only
viewing plain text mails. But the issues still presend. At least for
CVE-2016-7968 a full fix would need to be building with Qt 5.7.0
AFAICT (please correct me if I'm wrong).

Regards,
Salvatore

Marked as found in versions 4:16.04.3-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 30 Jan 2017 19:18:05 GMT) (full text, mbox, link).

Acknowledgement sent to Martin Steigerwald <martin@lichtvoll.de>:
Extra info received and forwarded to list. Copy sent to Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Mon, 30 Jan 2017 19:51:06 GMT) (full text, mbox, link).

Message #17 received at 853241@bugs.debian.org (full text, mbox, reply):

Am Montag, 30. Januar 2017, 19:55:16 CET schrieb Thorsten Alteholz:
> Package: kf5-messagelib
> Severity: important
> Tags: security
[…]
> the following vulnerabilities were published for kf5-messagelib.
> 
> CVE-2016-7967[0]:
> | KMail since version 5.3.0 used a QWebEngine based viewer that had
> | JavaScript enabled. Since the generated html is executed in the local
> | file security context by default access to remote and local URLs was
> | enabled.
> 
> CVE-2016-7968[1]:
> | KMail since version 5.3.0 used a QWebEngine based viewer that had
> | JavaScript enabled. HTML Mail contents were not sanitized for
> | JavaScript and included code was executed.

Unstable has KMail 5.2.3 from KDEPIM 16.04 which AFAIK doesn´t use webengine 
yet. I am not sure whether the older KMail + messagelib stuff has similar 
issues.

Ciao,
-- 
Martin

Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#853241; Package kf5-messagelib. (Tue, 31 Jan 2017 15:24:03 GMT) (full text, mbox, link).

Acknowledgement sent to Lisandro Damián Nicanor Pérez Meyer <perezmeyer@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Tue, 31 Jan 2017 15:24:03 GMT) (full text, mbox, link).

Message #22 received at submit@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On lunes, 30 de enero de 2017 19:55:16 ART Thorsten Alteholz wrote:
> Package: kf5-messagelib
> Severity: important
> Tags: security
> 
> Hi,
> 
> the following vulnerabilities were published for kf5-messagelib.
> 
> CVE-2016-7967[0]:
> | KMail since version 5.3.0 used a QWebEngine based viewer that had
> | JavaScript enabled. Since the generated html is executed in the local
> | file security context by default access to remote and local URLs was
> | enabled.
> 
> CVE-2016-7968[1]:
> | KMail since version 5.3.0 used a QWebEngine based viewer that had
> | JavaScript enabled. HTML Mail contents were not sanitized for
> | JavaScript and included code was executed.
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-7967
>      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7967
> [1] https://security-tracker.debian.org/tracker/CVE-2016-7968
>      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7968
> Please adjust the affected versions in the BTS as needed.
> 
>     Thorsten

Hi Thorsten! This two do not currently apply because it's still not using 
qtwebengine (see below). I guess I should close this bug, but I'll wait for 
your input in case you prefer to do something else.

$ ssh mirror.ftp-master.debian.org "dak rm -Rn qtwebengine-opensource-src"
Will remove the following packages from unstable:

libqt5webengine-data | 5.7.1+dfsg-6 | all
libqt5webengine5 | 5.7.1+dfsg-6 | amd64, i386
libqt5webenginecore5 | 5.7.1+dfsg-6 | amd64, i386
libqt5webenginewidgets5 | 5.7.1+dfsg-6 | amd64, i386
qml-module-qtwebengine | 5.7.1+dfsg-6 | amd64, i386
qtwebengine-opensource-src | 5.7.1+dfsg-6 | source
qtwebengine5-dev | 5.7.1+dfsg-6 | amd64, i386
qtwebengine5-doc | 5.7.1+dfsg-6 | all
qtwebengine5-doc-html | 5.7.1+dfsg-6 | all
qtwebengine5-examples | 5.7.1+dfsg-6 | amd64, i386

Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>

------------------- Reason -------------------

----------------------------------------------

Checking reverse dependencies...
# Broken Depends:
pyqt5: python-pyqt5.qtwebengine [amd64 i386]
       python-pyqt5.qtwebengine-dbg [amd64 i386]
       python3-pyqt5.qtwebengine [amd64 i386]
       python3-pyqt5.qtwebengine-dbg [amd64 i386]
qtdoc-opensource-src: qt5-doc
                      qt5-doc-html
qupzilla: libqupzilla1 [amd64 i386]
          qupzilla [amd64 i386]

# Broken Build-Depends:
pyqt5: qtwebengine5-dev (>= 5.7.1+dfsg-3~)
qtdoc-opensource-src: qtwebengine5-doc-html (>= 5.7.1+dfsg~)
qupzilla: qtwebengine5-dev

Dependency problem found.

-- 
 1: Una computadora sirve:
    * Para tratar de dominar el mundo, un caso conocido de esto fue el de
      Skinet
    Damian Nadales
    http://mx.grulic.org.ar/lurker/message/20080307.141449.a70fb2fc.es.html

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#853241; Package kf5-messagelib. (Tue, 31 Jan 2017 15:24:05 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#853241; Package kf5-messagelib. (Tue, 31 Jan 2017 15:27:11 GMT) (full text, mbox, link).

Message #32 received at 853241@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On lunes, 30 de enero de 2017 20:15:38 ART Salvatore Bonaccorso wrote:
> Hi
> 
> It might be noted that the issues itself are mitigated with the fixes
> applied for CVE-2016-7966, and a user protected from this CVE by only
> viewing plain text mails. But the issues still presend. At least for
> CVE-2016-7968 a full fix would need to be building with Qt 5.7.0
> AFAICT (please correct me if I'm wrong).

Salvatore: what would be the status considering we are still not using 
qtwebengine?

Please note I normally do not touch KDE packaging, I just happen to know 
qtwebengine is not releated to this :)

-- 
Nearly all men can stand adversity, but if you want to test a man's
character, give him power.
  Abraham Lincoln

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#853241; Package kf5-messagelib. (Tue, 31 Jan 2017 17:12:04 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Tue, 31 Jan 2017 17:12:04 GMT) (full text, mbox, link).

Message #37 received at 853241@bugs.debian.org (full text, mbox, reply):

On Tue, Jan 31, 2017 at 12:22:34PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
> On lunes, 30 de enero de 2017 20:15:38 ART Salvatore Bonaccorso wrote:
> > Hi
> > 
> > It might be noted that the issues itself are mitigated with the fixes
> > applied for CVE-2016-7966, and a user protected from this CVE by only
> > viewing plain text mails. But the issues still presend. At least for
> > CVE-2016-7968 a full fix would need to be building with Qt 5.7.0
> > AFAICT (please correct me if I'm wrong).
> 
> Salvatore: what would be the status considering we are still not using 
> qtwebengine?
> 
> Please note I normally do not touch KDE packaging, I just happen to know 
> qtwebengine is not releated to this :)

I'll mark both bugs as not-affected in the security tracker and I suggest 
you simply close this bug, then.

Cheers,
        Moritz

Reply sent to Thorsten Alteholz <debian@alteholz.de>:
You have taken responsibility. (Tue, 31 Jan 2017 21:33:06 GMT) (full text, mbox, link).

Notification sent to Thorsten Alteholz <debian@alteholz.de>:
Bug acknowledged by developer. (Tue, 31 Jan 2017 21:33:06 GMT) (full text, mbox, link).

Message #42 received at 853241-done@bugs.debian.org (full text, mbox, reply):

Version: 4:16.04.3-2

Hi everybody,

thanks a lot for all the information, which are on their way to the 
security tracker now. So this bug can be closed again.

  Thorstzen

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 01 Mar 2017 07:29:04 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jan 10 08:57:32 2018; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Debian Bug report logs - #853241 kf5-messagelib: CVE-2016-7967 CVE-2016-7968

Debian Bug report logs - #853241
kf5-messagelib: CVE-2016-7967 CVE-2016-7968