
Bug#840547: marked as done (KMail: HTML injection in plain text viewer)



Your message dated Wed, 12 Oct 2016 19:34:57 +0000
with message-id <E1buPIn-0004b3-ST@franck.debian.org>
and subject line Bug#840547: fixed in kcoreaddons 5.26.0-2
has caused the Debian Bug report #840547,
regarding KMail: HTML injection in plain text viewer
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
840547: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840547
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: kdepimlibs
Version: 4:4.4.5-2
Severity: grave
Tags: security patch upstream
Justification: user security hole

KDE Project Security Advisory
=============================

Title:          KMail: HTML injection in plain text viewer
Risk Rating:    Important
CVE:            CVE-2016-7966
Platforms:      All
Versions:       kmail >= 4.4.0
Author:         Andre Heinecke <aheinecke@intevation.de>
Date:           6 October 2016

Overview
========

Through a malicious URL that contained a quote character it
was possible to inject HTML code in KMail's plain text viewer.
Due to the parser used on the URL it was not possible to include
the equal sign (=) or a space into the injected HTML, which greatly
reduces the available HTML functionality. It is, however, possible
to include an HTML comment indicator to hide content.

Impact
======

An unauthenticated attacker can send out mails with malicious content
that breaks KMail's plain text HTML escape logic. Due to the limitations
of the provided HTML in itself it might not be serious. But as a way
to break out of KMail's restricted Plain text mode this might open
the way to the exploitation of other vulnerabilities in the HTML viewer
code, which is disabled by default.

Workaround
==========

None.

Solution
========

For KDE Frameworks based releases of KMail apply the following patch to
kcoreaddons:
https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=96e562d9138c100498da38e4c5b4091a226dde12

For kdelibs4 based releases apply the following patch:
https://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf

Credits
=======

Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and Laurent Montel for
fixing this issue.
From: Montel Laurent <montel@kde.org>
Date: Fri, 30 Sep 2016 13:55:35 +0000
Subject: Backport avoid to transform as a url when we have a quote
X-Git-Url: http://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf
---
Backport avoid to transform as a url when we have a quote
---


--- a/kpimutils/linklocator.cpp
+++ b/kpimutils/linklocator.cpp
@@ -94,6 +94,12 @@
 }
 
 QString LinkLocator::getUrl()
+{
+    return getUrlAndCheckValidHref();
+}
+
+
+QString LinkLocator::getUrlAndCheckValidHref(bool *badurl)
 {
   QString url;
   if ( atUrl() ) {
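Review bot: `getUrlAndCheckValidHref` never writes `false` to `*badurl` on the success path, so the meaning of the out-parameter depends on every caller initializing it before the call; the wrapper `getUrl()` passes a null pointer, so nothing guards against a later caller that forgets. Setting `*badurl = false` at function entry when the pointer is non-null makes the contract self-contained. The two consecutive blank lines between `getUrl()` and the new definition are a style nit.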
@@ -129,13 +135,26 @@
 
     url.reserve( maxUrlLen() );  // avoid allocs
     int start = mPos;
+    bool previousCharIsADoubleQuote = false;
     while ( ( mPos < (int)mText.length() ) &&
             ( mText[mPos].isPrint() || mText[mPos].isSpace() ) &&
             ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) ||
               ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) {
       if ( !mText[mPos].isSpace() ) {   // skip whitespace
-        url.append( mText[mPos] );
-        if ( url.length() > maxUrlLen() ) {
+          if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) {
+              //it's an invalid url
+              if (badurl) {
+                  *badurl = true;
+              }
+              return QString();
+          }
+          if (mText[mPos] == QLatin1Char('"')) {
+              previousCharIsADoubleQuote = true;
+          } else {
+              previousCharIsADoubleQuote = false;
+          }
+          url.append( mText[mPos] );
+          if ( url.length() > maxUrlLen() ) {
           break;
         }
       }
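Review bot: the rejection triggers only on the exact two-character sequence `">` (a `>` whose immediately preceding character is a double quote), so it recognizes one specific shape of attribute break-out rather than enforcing that a double quote has no place in a value that is later pasted into `href="..."`. The robust fix is to escape the URL for the attribute context where the anchor markup is generated (or reject any `"` in the scanned URL); that covers every placement of the quote, not just one. Two smaller points: the added lines use four-space indentation in a two-space file, and `previousCharIsADoubleQuote` is only updated inside the `!isSpace()` branch, which is correct because whitespace is skipped, but deserves a comment.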
@@ -367,7 +386,12 @@
     } else {
       const int start = locator.mPos;
       if ( !( flags & IgnoreUrls ) ) {
-        str = locator.getUrl();
+        bool badUrl = false;
+        str = locator.getUrlAndCheckValidHref(&badUrl);
+        if (badUrl) {
+            return locator.mText;
+        }
+
         if ( !str.isEmpty() ) {
           QString hyperlink;
           if ( str.left( 4 ) == QLatin1String("www.") ) {
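Review bot: `return locator.mText;` abandons the conversion for the whole input as soon as one bad URL is seen and hands back the text exactly as it was passed in. Since this function otherwise produces markup, confirm that every caller still HTML-escapes that return value; if one does not, the bad-URL path would deliver unescaped text to the viewer. An alternative that keeps the rest of the message linkified is to push the offending token through the normal text-escaping path and continue scanning.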

--- a/kpimutils/linklocator.h
+++ b/kpimutils/linklocator.h
@@ -107,6 +107,7 @@
       @return The URL at the current scan position, or an empty string.
     */
     QString getUrl();
+    QString getUrlAndCheckValidHref(bool *badurl = 0);
 
     /**
       Attempts to grab an email address. If there is an @ symbol at the
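Review bot: the new public method `getUrlAndCheckValidHref(bool *badurl = 0)` has no doc comment while the neighbouring `getUrl()` is documented; add one stating that `*badurl` is set to `true` only when an invalid URL is found and is otherwise left untouched, so callers must initialize it to `false`. Adding a method to a released library also changes the exported class interface, which packagers of a backport will want mentioned in the changelog.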
@@ -155,7 +156,7 @@
     */
     static QString pngToDataUrl( const QString & iconPath );
 
-  protected:
+protected:
     /**
       The plaintext string being scanned for URLs and email addresses.
     */
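Review bot: the `  protected:` to `protected:` change is whitespace-only and unrelated to the fix; dropping it keeps a security backport minimal and easier to audit.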



--- End Message ---
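As an added example (not code from the KDE advisory, the kdepimlibs patch, or the kcoreaddons package), the following self-contained C++ sketch shows the mechanism the advisory describes, a URL containing a double quote terminating the generated `href` attribute early, next to the escaping that keeps the whole URL inside the attribute. The function names, the simplified URL scanner and the input strings are constructed for illustration and are not LinkLocator's API.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Escape the characters that are significant in HTML text and attribute
// values, so user-supplied data can never close an attribute or open a tag.
std::string htmlEscape(const std::string& s) {
    std::string out;
    out.reserve(s.size());
    for (char c : s) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// True when the scan position is at the start of an http(s) URL.
static bool atUrl(const std::string& t, size_t pos) {
    return t.compare(pos, 7, "http://") == 0 || t.compare(pos, 8, "https://") == 0;
}

// End of the URL token: the first whitespace or the end of the text. This is a
// deliberate simplification of LinkLocator's scanning rules (assumption).
static size_t urlEnd(const std::string& t, size_t pos) {
    while (pos < t.size() && !std::isspace(static_cast<unsigned char>(t[pos]))) ++pos;
    return pos;
}

// Shared scanner: every URL found is handed to `wrap`, which produces the
// anchor markup; everything else is escaped as ordinary text content.
template <typename Wrap>
static std::string linkify(const std::string& text, Wrap wrap) {
    std::string out;
    size_t pos = 0;
    while (pos < text.size()) {
        if (atUrl(text, pos)) {
            const size_t end = urlEnd(text, pos);
            out += wrap(text.substr(pos, end - pos));
            pos = end;
        } else {
            out += htmlEscape(std::string(1, text[pos]));
            ++pos;
        }
    }
    return out;
}

// Flawed variant modelled on the advisory's description: text nodes are
// escaped, but the raw URL is pasted into the href attribute, so a double
// quote inside the URL ends the attribute value early.
std::string linkifyUnsafe(const std::string& text) {
    return linkify(text, [](const std::string& url) {
        return "<a href=\"" + url + "\">" + htmlEscape(url) + "</a>";
    });
}

// Hardened variant: the attribute value is escaped exactly like text content,
// so a double quote becomes &quot; and the URL stays inside href="...".
std::string linkifySafe(const std::string& text) {
    return linkify(text, [](const std::string& url) {
        const std::string esc = htmlEscape(url);
        return "<a href=\"" + esc + "\">" + esc + "</a>";
    });
}

// Read the href value the way a browser would: from href=" up to the next
// double quote. Useful in a unit test to see where the link really ends.
std::string extractHref(const std::string& html) {
    const std::string key = "href=\"";
    size_t start = html.find(key);
    if (start == std::string::npos) return "";
    start += key.size();
    const size_t end = html.find('"', start);
    if (end == std::string::npos) return "";
    return html.substr(start, end - start);
}

int main() {
    // Constructed input: a URL that carries a double quote.
    const std::string mail = "see http://example.com/a\"b now";
    std::cout << "unsafe href: " << extractHref(linkifyUnsafe(mail)) << '\n';
    std::cout << "safe href:   " << extractHref(linkifySafe(mail)) << '\n';
    std::cout << "safe markup: " << linkifySafe(mail) << '\n';
    return 0;
}
```

The point the test makes is that the flawed variant yields an `href` that stops at `http://example.com/a` with the remainder of the URL now sitting in tag context, while the escaped variant keeps `a&quot;b` inside the attribute. Rejecting specific character sequences in the scanner, as the backport does, narrows the problem; escaping at the point where markup is generated removes it for every character.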
--- Begin Message ---
Source: kcoreaddons
Source-Version: 5.26.0-2

We believe that the bug you reported is fixed in the latest version of
kcoreaddons, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 840547@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> (supplier of updated kcoreaddons package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 07 Oct 2016 22:46:43 +0200
Source: kcoreaddons
Binary: libkf5coreaddons-dev libkf5coreaddons-bin-dev libkf5coreaddons5 libkf5coreaddons-data
Architecture: source amd64 all
Version: 5.26.0-2
Distribution: unstable
Urgency: high
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Description:
 libkf5coreaddons-bin-dev - KDE Frameworks 5 addons to QtCore - development files
 libkf5coreaddons-data - KDE Frameworks 5 addons to QtCore - data files
 libkf5coreaddons-dev - KDE Frameworks 5 addons to QtCore - development files
 libkf5coreaddons5 - KDE Frameworks 5 addons to QtCore
Closes: 840547
Changes:
 kcoreaddons (5.26.0-2) unstable; urgency=high
 .
   [ Sandro Knauß ]
   * Added patches to fix CVE-2016-7966 (Closes: #840547)
     0001-Fix-very-old-bug-when-we-remove-space-in-url-as-foo-.patch
     0002-Don-t-convert-as-url-an-url-which-has-a.patch
     - Fixes CVE-2016-7966
       https://security-tracker.debian.org/tracker/CVE-2016-7966
Checksums-Sha1:
 15d0a8ce1f767c32879249f9dabb77018c423403 2493 kcoreaddons_5.26.0-2.dsc
 6f18a8cea8acf4adae1cb23697ec992a9e1a2716 14740 kcoreaddons_5.26.0-2.debian.tar.xz
 ec9966893ac54c91b963d3c59f71065bc58dfd65 399950 libkf5coreaddons-bin-dev-dbgsym_5.26.0-2_amd64.deb
 6ac683611c9eec7970e6edadedd250139d5ea5c8 35184 libkf5coreaddons-bin-dev_5.26.0-2_amd64.deb
 2a484f3a76474124793dcc6f8a4323133455d608 101146 libkf5coreaddons-data_5.26.0-2_all.deb
 45e0feb38a631f7b142a7a0becd8d1d219e891bf 64032 libkf5coreaddons-dev_5.26.0-2_amd64.deb
 d7692668d9e5acba73cb76deaf976b3493ffe52e 3216404 libkf5coreaddons5-dbgsym_5.26.0-2_amd64.deb
 9ab6399fcc316ad0a9589b736381518a48b54739 199594 libkf5coreaddons5_5.26.0-2_amd64.deb
Checksums-Sha256:
 3ade7b493b85c5a285489752c1027917fa53537aa3019ee267588c697da6b679 2493 kcoreaddons_5.26.0-2.dsc
 17c1d3b3fa45f3e91f8660bee8fa2209282f1f1a6aa0d4dd45e7dd543b820008 14740 kcoreaddons_5.26.0-2.debian.tar.xz
 6a9a78b4faf6ce5efdf2068a44df5fe0fb1cdbcbecc6a1882a2b92cf9ef1171c 399950 libkf5coreaddons-bin-dev-dbgsym_5.26.0-2_amd64.deb
 46eff06bd12869beaff6d66cf40dbe61bd3a3df0111c439136afb5997348644b 35184 libkf5coreaddons-bin-dev_5.26.0-2_amd64.deb
 cfce41e04eb7c622db5b14f218fe46993df716d7581223c0c83c8588d3e66952 101146 libkf5coreaddons-data_5.26.0-2_all.deb
 3e80a03fe0f0eec94af5b706cb3bdaf7a7611494f01f0cad80c7dd977a6e3150 64032 libkf5coreaddons-dev_5.26.0-2_amd64.deb
 1d12eb384ad2c5c4829078d55f1d36942b82cff86803c6efc0fec11eb7670bc0 3216404 libkf5coreaddons5-dbgsym_5.26.0-2_amd64.deb
 2264014ee542897c28787fee5182a4e6a71f59ffa8da7ed7835593f698d00249 199594 libkf5coreaddons5_5.26.0-2_amd64.deb
Files:
 6f0334c9250f80334d5f969f10500302 2493 libs optional kcoreaddons_5.26.0-2.dsc
 402983c37ba81f225bd48c31feca29ec 14740 libs optional kcoreaddons_5.26.0-2.debian.tar.xz
 f77ac31ce80ff2c920ed0b47e2b67f51 399950 debug extra libkf5coreaddons-bin-dev-dbgsym_5.26.0-2_amd64.deb
 5d1dc33212a4a066b3d211a39744a26a 35184 libdevel optional libkf5coreaddons-bin-dev_5.26.0-2_amd64.deb
 9f552161e6bf799f831e1a88d15add07 101146 libs optional libkf5coreaddons-data_5.26.0-2_all.deb
 c118ec71bed3b973dbb116b6988d4c48 64032 libdevel optional libkf5coreaddons-dev_5.26.0-2_amd64.deb
 a6d23979ea0e5792fbd863a52915bbf1 3216404 debug extra libkf5coreaddons5-dbgsym_5.26.0-2_amd64.deb
 3b51863015e8ef809d9dc052189ce530 199594 libs optional libkf5coreaddons5_5.26.0-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
