[arch-security] [ASA-201610-5] messagelib: multiple issues
Christian Rebischke
Chris.Rebischke at archlinux.org
Fri Oct 7 20:44:27 UTC 2016
Arch Linux Security Advisory ASA-201610-5
=========================================
Severity: Medium
Date : 2016-10-07
CVE-ID : CVE-2016-7967 CVE-2016-7968
Package : messagelib
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package messagelib before version 16.08.1-2 is vulnerable to
multiple issues including cross-site scripting and insufficient
validation.
Resolution
==========
Upgrade to 16.08.1-2.
# pacman -Syu "messagelib>=16.08.1-2"
The problems have been fixed upstream but no release is available yet.
Workaround
==========
None.
Description
===========
- CVE-2016-7967 (cross-site scripting)
KMail since version 5.3.0 used a QWebEngine-based viewer that had
JavaScript enabled. Since the generated HTML is executed in the local
file security context by default access to remote and local URLs was
enabled.
- CVE-2016-7968 (insufficient validation)
KMail since version 5.3.0 used a QWebEngine-based viewer that had
JavaScript enabled. HTML mail contents were not sanitized for
JavaScript, and included code was executed.
Impact
======
An attacker is able to access local or remote URLs via injected
JavaScript.
References
==========
https://www.kde.org/info/security/advisory-20161006-1.txt
https://www.kde.org/info/security/advisory-20161006-3.txt
http://seclists.org/oss-sec/2016/q4/23
https://www.kde.org/info/security/advisory-20161006-2.txt
http://seclists.org/oss-sec/2016/q4/21
https://access.redhat.com/security/cve/CVE-2016-7967
https://access.redhat.com/security/cve/CVE-2016-7968