Bug#832492: dolphin: depends on baloo-kf5
Package: dolphin
Version: 4:16.04.2-2
Severity: normal

Dear Maintainer,

the dolphin internal find won't work if there is no package baloo-kf5 installed.

-- System Information:
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages dolphin depends on:
ii  libc6                  2.23-2
ii  libdolphinvcs5         4:16.04.2-2
ii  libkf5baloo5           5.23.0-1
ii  libkf5baloowidgets5    16.04.0-1
ii  libkf5bookmarks5       5.23.0-1
ii  libkf5codecs5          5.23.0-1
ii  libkf5completion5      5.23.0-1
ii  libkf5configcore5      5.23.0-1
ii  libkf5configgui5       5.23.0-1
ii  libkf5configwidgets5   5.23.0-1
ii  libkf5coreaddons5      5.23.0-1
ii  libkf5crash5           5.23.0-1
ii  libkf5dbusaddons5      5.23.0-1
ii  libkf5filemetadata3    5.23.0-1
ii  libkf5i18n5            5.23.0-1
ii  libkf5iconthemes5      5.23.0-1
ii  libkf5itemviews5       5.23.0-1
ii  libkf5jobwidgets5      5.23.0-1
ii  libkf5kcmutils5        5.23.0-1
ii  libkf5kiocore5         5.23.0-1
ii  libkf5kiofilewidgets5  5.23.0-1
ii  libkf5kiowidgets5      5.23.0-1
ii  libkf5newstuff5        5.23.0-1
ii  libkf5notifications5   5.23.0-1
ii  libkf5parts5           5.23.0-1
ii  libkf5service-bin      5.23.0-1
ii  libkf5service5         5.23.0-1
ii  libkf5solid5           5.23.0-1
ii  libkf5textwidgets5     5.23.0-1
ii  libkf5widgetsaddons5   5.23.0-1
ii  libkf5windowsystem5    5.23.0-1
ii  libkf5xmlgui5          5.23.0-1
ii  libphonon4qt5-4        4:4.9.0-3
ii  libqt5core5a           5.6.1+dfsg-3
ii  libqt5dbus5            5.6.1+dfsg-3
ii  libqt5gui5             5.6.1+dfsg-3
ii  libqt5widgets5         5.6.1+dfsg-3
ii  libqt5xml5             5.6.1+dfsg-3
ii  libstdc++6             6.1.1-9
ii  phonon4qt5             4:4.9.0-3

Versions of packages dolphin recommends:
ii  kio-extras  4:16.04.2-1
pn  ruby

Versions of packages dolphin suggests:
ii  dolphin-plugins  4:16.04.0-1

-- debconf information:
Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/^(.*?)(\\)?\${ <-- HERE ([^{}]+)}(.*)$/ at /usr/share/perl5/Debconf/Question.pm line 72.
Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/\${ <-- HERE ([^}]+)}/ at /usr/share/perl5/Debconf/Config.pm line 30.
Re: Wheezy update of kde4libs?
Hi Maximiliano,

2016-07-25 15:41 GMT+02:00 Bálint Réczey:
> Hi,
>
> 2016-07-19 23:12 GMT+02:00 Brian May:
>> Maximiliano Curia writes:
>>
>>> I just did the upload to unstable, with the karchive fix from upstream and a
>>> modified version of that one for kde4libs. The second one needs some test,
>>> sadly adding the (binary) test file used in karchive is a bit of a burden.

Apparently one line, the actual fix, is missing from the patch. The warning is issued, but the wrong path is still used in unstable:

cat debian/patches/cve-2016-6232.patch
...
const KArchiveDirectory* curDir = dirStack.pop();
-const QString curDirName = dirNameStack.pop();
+
+// extract only to specified folder if it is located within archive's extraction folder
+// otherwise put file under root position in extraction folder
+QString curDirName = dirNameStack.pop();
+if (!QDir(curDirName).absolutePath().startsWith(destDir)) {
+qWarning() << "Attempted export into folder" << curDirName
+<< "which is outside of the extraction root folder" << destDir << "."
+<< "Changing export of contained files to extraction root folder.";
+}
root.mkdir(curDirName);
...

In the original fix there is an additional line right after the if ( ...:
https://git.reviewboard.kde.org/r/128185/diff/2#3
...
+ if (!QDir(curDirName).absolutePath().startsWith(destDir)) {
+ curDirName = destDir;
...
I have tested the incomplete fix with the following little program:

vagrant@debian-wheezy:~/extract/test$ cat kextract.cpp
#include <cstdlib>     // exit()
#include <QIODevice>
#include <ktar.h>      // KTar, KArchiveDirectory (kdelibs4)

int main (int argc, char * argv[]) {
    if (argc < 3) exit (1);
    KTar tar(argv[1]);                 // archive given as first argument
    tar.open(QIODevice::ReadOnly);
    const KArchiveDirectory *dir = tar.directory();
    dir->copyTo(argv[2]);              // extract below the second argument
    return 0;
}
vagrant@debian-wheezy:~/extract/test$ rm ../foo
vagrant@debian-wheezy:~/extract/test$ g++ -I/usr/include/qt4 -lkdecore kextract.cpp
vagrant@debian-wheezy:~/extract/test$ cat ../foo
cat: ../foo: No such file or directory
vagrant@debian-wheezy:~/extract/test$ ./a.out tar_relative_path_outside_archive.tar.bz2 ./
bzDecompress returned 4
KBzip2Filter::uncompress 1
Attempted export into folder "/home/vagrant/extract/test/.." which is outside of the extraction root folder "/home/vagrant/extract/test" . Changing export of contained files to extraction root folder.
vagrant@debian-wheezy:~/extract/test$ cat ../foo
asdf

I have built an update for wheezy with the missing line added. Please find the proposed diff attached, which I plan to upload for Wheezy on Wednesday. The binary packages for amd64 are also available for testing here:
https://people.debian.org/~rbalint/ppa/wheezy-lts/wheezy-security/

Cheers,
Balint

diff -Nru kde4libs-4.8.4/debian/changelog kde4libs-4.8.4/debian/changelog
--- kde4libs-4.8.4/debian/changelog 2014-08-07 22:44:05.0 +0200
+++ kde4libs-4.8.4/debian/changelog 2016-07-25 15:13:22.0 +0200
@@ -1,3 +1,10 @@ +kde4libs (4:4.8.4-4+deb7u2) wheezy-security; urgency=medium + + * Add new patch: cve-2016-6232.patch +- Fixes: CVE-2016-6232 + + -- Balint Reczey Mon, 25 Jul 2016 15:12:35 +0200 + kde4libs (4:4.8.4-4+deb7u1) wheezy-security; urgency=medium * Fix kauth authentication bypass. (Closes: #755814) diff -Nru kde4libs-4.8.4/debian/patches/cve-2016-6232.patch kde4libs-4.8.4/debian/patches/cve-2016-6232.patch --- kde4libs-4.8.4/debian/patches/cve-2016-6232.patch 1970-01-01 01:00:00.0 +0100 +++ kde4libs-4.8.4/debian/patches/cve-2016-6232.patch 2016-07-25 19:58:12.0 +0200 @@ -0,0 +1,50 @@ +From aa4d7b23ca046daeffd0695ee519315d5d6ae1bb Mon Sep 17 00:00:00 2001 +From: Debian/Kubuntu Qt/KDE Maintainers +Date: Tue, 19 Jul 2016 10:38:59 +0200 +Subject: [PATCH] Ensure extraction location to be in subfolder + +Behavior change: Switch to Tar's default behavior to avoid extraction +to arbitrary system locations outside of extraction folder. Instead, +extract such files to root location in extraction folder. + +REVIEW: 128185 +Author: Andreas Cord-Landwehr +Taken from karchive commit 0cb243f64eef45565741b27364cece7d5c349c37 +the test was dropped in this patch as it depends on a binary file. +Fixes: CVE-2016-6232 +--- + kdecore/io/karchive.cpp | 13 +++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/kdecore/io/karchive.cpp b/kdecore/io/karchive.cpp +@@ -778,6 +778,7 @@ + void KArchiveDirectory::copyTo(const QString& dest, bool recursiveCopy ) const + { + QDir root; ++ const QString destDir(QDir(dest).absolutePath()); // get directory path without any "." or ".." + + QList fileList; + QMap fileToDir; +@@ -787,10 +788,19 @@ + QStack dirNameStack; + + dirStack.push( this ); // init stack at current directory +- dirNameStack.push( dest ); // ... with given path ++ dirNameStack.push(destDir); // ... with given path +
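Review bot: the changelog hunk (@@ -1,3 +1,10 @@) records only "Add new patch: cve-2016-6232.patch" and "Fixes: CVE-2016-6232", but the mail above says this wheezy backport deliberately carries the `curDirName = destDir;` assignment that the unstable patch lacks. A second bullet stating that (for example "patch includes the assignment of curDirName to destDir missing from the unstable upload") would tell anyone diffing the two uploads why the patches differ.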
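Review bot: the patch header in the @@ -0,0 +1,50 @@ hunk documents the upstream source (REVIEW 128185, karchive commit 0cb243f64eef45565741b27364cece7d5c349c37, the dropped binary test) but not that the `startsWith(destDir)` block was corrected relative to the unstable version, and the diff as shown stops right after `dirNameStack.push(destDir);`, so the corrected block is not visible here. Add a sentence to the header and confirm the `curDirName = destDir;` line is actually in the file before upload, since that is the whole point of the wheezy update.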
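Review bot: in the @@ -778,6 +778,7 @@ hunk, `destDir` is built with `QDir(dest).absolutePath()`, which strips "." and ".." but does not resolve symlinks, and the check that consumes it, `QDir(curDirName).absolutePath().startsWith(destDir)` (quoted earlier in the mail), is a plain string prefix test: a sibling directory whose name merely begins with the last component of destDir would satisfy it. Comparing against `destDir + '/'` (plus equality for the root itself), or against canonicalPath() once the directory exists, keeps the containment test tight.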
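To make the containment rule concrete, here is an added, self-contained C++ example (not code from this thread, kde4libs or karchive) that mirrors the fixed copyTo() logic: it lexically normalises the requested directory the way QDir::absolutePath() does and redirects anything outside the extraction root back to the root, which is the `curDirName = destDir;` assignment the unstable patch was missing. It compares against the root with a trailing separator rather than a bare prefix, a precaution beyond what the patch itself does; the function names and the sample entries are my own.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Lexically normalise an absolute POSIX path: drop "." components, fold "..",
// and collapse repeated separators. This is what QDir::absolutePath() does to
// the string; like it, nothing on disk is consulted and symlinks stay as-is.
std::string normalizePath(const std::string &path) {
    std::vector<std::string> parts;
    std::string cur;
    auto flush = [&]() {
        if (cur == "..") {
            if (!parts.empty()) parts.pop_back();   // ".." above "/" stays at "/"
        } else if (!cur.empty() && cur != ".") {
            parts.push_back(cur);
        }
        cur.clear();
    };
    for (char c : path) {
        if (c == '/') flush(); else cur += c;
    }
    flush();
    std::string out;
    for (const std::string &p : parts) out += "/" + p;
    return out.empty() ? "/" : out;
}

// Result of the containment decision for one directory entry.
struct ExtractTarget {
    std::string dir;   // directory that will actually be created and used
    bool redirected;   // true when the entry pointed outside the root
};

// Mirrors the fixed KArchiveDirectory::copyTo() rule: an entry may only be
// created below destDir; anything that escapes is put at the root instead.
ExtractTarget clampToRoot(const std::string &destDir, const std::string &requestedDir) {
    const std::string root = normalizePath(destDir);
    const std::string wanted = normalizePath(requestedDir);
    // Compare against "root/" so that a sibling such as "<root>2" is not
    // mistaken for a subdirectory (a bare prefix test would accept it).
    const std::string rootWithSep = (root == "/") ? root : root + "/";
    const bool inside = (wanted == root) ||
                        wanted.compare(0, rootWithSep.size(), rootWithSep) == 0;
    if (inside) return ExtractTarget{wanted, false};
    return ExtractTarget{root, true};
}

// Walk a list of directory entries the way copyTo() pushes them onto its
// dirNameStack: each entry is resolved relative to destDir, then clamped.
std::vector<ExtractTarget> planDirectories(const std::string &destDir,
                                           const std::vector<std::string> &entries) {
    std::vector<ExtractTarget> plan;
    for (const std::string &e : entries)
        plan.push_back(clampToRoot(destDir, destDir + "/" + e));
    return plan;
}

int main() {
    // Constructed sample: the root from the thread plus three entries, the
    // second being the "../" directory from the test archive discussed above.
    const std::string root = "/home/vagrant/extract/test";
    const std::vector<std::string> entries = {"docs", "..", "../test2"};
    for (const ExtractTarget &t : planDirectories(root, entries))
        std::cout << (t.redirected ? "REDIRECTED -> " : "ok         -> ") << t.dir << '\n';
    return 0;
}
```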
Bug#814762: Info received (Bug#814762: kmail: CSS from HTML mail interfers with header layout)
Hey,

>>> Would this also fix the issue with the second mail I posted (positioning
>>> of content elements over the header)?
>>
>> Yes, because now the header CSS is only active in the header.
>
> Did you test with the example mail I provided?

yes.

>>> My suggestion would have been to wrap the mail body in an iframe
>>> instead.
>>
>> Hmm, can you add headers etc. inside an iframe? For me all the docs look
>> like you can only place a URL and nothing else.
>
> You can either load a document from a URL with the src="…" attribute or add
> a document inline with the srcdoc="…" attribute. The latter would require
> smart escaping of the message body and is in general a somewhat broken idea
> in my opinion.
>
> I'd actually write the message body to be displayed as HTML to a temporary
> file and load that with .
>
> Actually, the iframe's sandbox attribute seems to be the way to go here, as
> it prevents the exact things we want to prevent here.
>
> Your approach is a good additional safety net, though.

Well, if that works please provide a patch for that and bring it upstream.

Regards,
sandro
Bug#814762: Info received (Bug#814762: kmail: CSS from HTML mail interfers with header layout)
Hi,

>> Would this also fix the issue with the second mail I posted (positioning
>> of content elements over the header)?
>
> Yes, because now the header CSS is only active in the header.

Did you test with the example mail I provided?

>> My suggestion would have been to wrap the mail body in an iframe instead.
>
> Hmm, can you add headers etc. inside an iframe? For me all the docs look
> like you can only place a URL and nothing else.

You can either load a document from a URL with the src="…" attribute or add
a document inline with the srcdoc="…" attribute. The latter would require
smart escaping of the message body and is in general a somewhat broken idea
in my opinion.

I'd actually write the message body to be displayed as HTML to a temporary
file and load that with .

Actually, the iframe's sandbox attribute seems to be the way to go here, as
it prevents the exact things we want to prevent here.

Your approach is a good additional safety net, though.

-nik

--
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296

Dominik George · Mobile: +49-1520-1981389
Teckids e.V. · FrOSCon e.V. · OpenRheinRuhr e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Contributor
LPIC-3 Linux Enterprise Professional (Security)
Bug#814762: kmail: CSS from HTML mail interfers with header layout
Hi,

>> 2. in my follow-up, I showed that in 16.04, legitimate HTML mail breaks
>> the UI. This has nothing to do with spoofing - KMail breaks when opening
>> random, legitimate mail. I cannot even click any controls in the mail view
>> anymore. This affects daily, normal work with KMail and makes it unusable
>> for reading legitimate mail. That is the definition of "grave
>> functionality bug".
>
> Yes, it breaks but:
>
> - only on certain mails. Not any mail shows this behaviour. In fact I
> haven't even seen it before and I use kmail daily.
>
> - you can change the way headers are displayed and this bug doesn't show up
> (I have just tried your example with "Fancy headers"), so there is a known
> work around.

That'd be ok if I chose some header format in the first place. I am using what KMail imposes on me (changing with every version). As a matter of fact, after the upgrade, KMail imposed a new header layout on me *and* failed to display some e-mail messages correctly. Maybe not overriding user settings with every upgrade would be a good starting point (I do not know whether this should address the Debian maintainers or upstream).

> So it might be annoying for you, but considering the above it does not meet
> the RC criterion at least from the usability side.

OK… I still do not agree with that, though.

> On the other hand, please avoid expressions that might sound harsh like
> "Please do something!" and "Did you read all of this bug report?". Always do
> your best to be kind. After all you already did the only thing we can do:
> report the bug upstream. We are volunteers trying to make things happen, we
> do not get paid for doing this and definitely we are not your employees. A
> little respect goes a long way :)

Well, this bug report has been open for almost half a year without any reaction whatsoever, neither by upstream nor by a maintainer. Instead, with another upgrade, it even got worse.

I understand that both upstream and maintainers are volunteers, but they agreed on reacting to certain kinds of bug reports within a reasonable time. I know that if I completely ignored a security bug in one of my packages for several months, I'd be beheaded by my sponsors. Doing something in your free time does not mean users can't get annoyed when the software they use gets worse instead of better.

Cheers,
Nik
Re: Wheezy update of kde4libs?
Hi,

2016-07-19 23:12 GMT+02:00 Brian May:
> Maximiliano Curia writes:
>
>> I just did the upload to unstable, with the karchive fix from upstream and a
>> modified version of that one for kde4libs. The second one needs some test,
>> sadly adding the (binary) test file used in karchive is a bit of a burden.
>>
>> After these packages are available we would need to backport the change to
>> stable. Right now, I can't promise that I would have the time to take care of
>> this. So volunteers for taking care of this are welcome.
>
> I had a look at doing this for wheezy LTS several days ago. It looks
> like it should be reasonably straight forward (famous last words?) to
> apply the changes manually to the wheezy version, although the files
> have moved (and automatic patching failed). If nobody takes this up by
> next month I should have some time then to continue this.

It seems really straightforward indeed and I can fix it today, thus let me take care of it. It is compiling already.

Cheers,
Balint
Bug#814762: kmail: CSS from HTML mail interfers with header layout
Control: severity -1 important

On Monday, 25 July 2016 12:17:55 PM ART Dominik George wrote:
> Control: severity -1 grave

Please: do not override a maintainer's severity.

> Hi,
>
>> Even more, a mail header can be "spoofed" using simpler tools, like an
>> smtp server, thus I'm not really convinced that this bug deserves a "grave"
>> severity.
>
> Did you read all of this bug report?

I did. I will not emit a judgment on the security side of this as this is really something I don't manage, but...

> 2. in my follow-up, I showed that in 16.04, legitimate HTML mail breaks the
> UI. This has nothing to do with spoofing - KMail breaks when opening
> random, legitimate mail. I cannot even click any controls in the mail view
> anymore. This affects daily, normal work with KMail and makes it unusable
> for reading legitimate mail. That is the definition of "grave functionality
> bug".

Yes, it breaks but:

- only on certain mails. Not any mail shows this behaviour. In fact I haven't even seen it before and I use kmail daily.

- you can change the way headers are displayed and this bug doesn't show up (I have just tried your example with "Fancy headers"), so there is a known work around.

So it might be annoying for you, but considering the above it does not meet the RC criterion at least from the usability side.

On the other hand, please avoid expressions that might sound harsh like "Please do something!" and "Did you read all of this bug report?". Always do your best to be kind. After all you already did the only thing we can do: report the bug upstream. We are volunteers trying to make things happen, we do not get paid for doing this and definitely we are not your employees. A little respect goes a long way :)

Thank you for your understanding!

--
This end should point toward the ground if you want to go to space.
If it starts pointing toward space you are having a bad problem and you will not get to space today.
http://xkcd.com/1133/

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/
Processed: Re: Bug#814762: kmail: CSS from HTML mail interfers with header layout
Processing control commands:

> severity -1 important
Bug #814762 [kmail] kmail: CSS from HTML mail interfers with header layout
Severity set to 'important' from 'grave'

--
814762: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814762
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#814762: kmail: CSS from HTML mail interfers with header layout
Processing control commands:

> severity -1 important
Bug #814762 [kmail] kmail: CSS from HTML mail interfers with header layout
Ignoring request to change severity of Bug 814762 to the same value.

--
814762: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814762
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#814762: Info received (Bug#814762: kmail: CSS from HTML mail interfers with header layout)
Hi,

> Would this also fix the issue with the second mail I posted (positioning of
> content elements over the header)?

Yes, because now the header CSS is only active in the header.

> My suggestion would have been to wrap the mail body in an iframe instead.

Hmm, can you add headers etc. inside an iframe? For me all the docs look like you can only place a URL and nothing else.

Regards,
sandro
Bug#814762: Info received (Bug#814762: kmail: CSS from HTML mail interfers with header layout)
Hi,

> I actually sat down today and fixed the issue, or at least made it more
> difficult to break the UI.
>
> http://commits.kde.org/messagelib/3f9d16c7dadd2c98b00c5e7216cd69cfb518cab9
> http://commits.kde.org/kdepim-addons/a97f99b2769d39ffa03a2cd2454f10ef93222486
> http://commits.kde.org/kdepim-addons/cab925e9d4769762ea0080d49f392022cd8e78dd

Would this also fix the issue with the second mail I posted (positioning of content elements over the header)?

My suggestion would have been to wrap the mail body in an iframe instead.

-nik
Bug#824059: plasma-desktop: When used with pulseaudio, can make people deaf
Package: plasma-desktop
Version: 4:5.6.5-1
Followup-For: Bug #824059

Dear Maintainer,

It is still there with new packages. Should we try to report it to the KDE bug system?

Best wishes,
John

-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages plasma-desktop depends on:
ii  breeze                              4:5.7.0-1
ii  kactivitymanagerd                   5.7.0-1
ii  kde-cli-tools                       4:5.7.0-1
ii  kded5                               5.23.0-1
ii  kio                                 5.23.0-1
ii  libc6                               2.23-2
ii  libcanberra0                        0.30-3
ii  libfontconfig1                      2.11.0-6.4
ii  libgcc1                             1:6.1.1-9
ii  libkf5activities5                   5.23.0-1
ii  libkf5activitiesexperimentalstats1  4:5.6.5-1
ii  libkf5archive5                      5.24.0-1
ii  libkf5auth5                         5.23.0-1
ii  libkf5baloo5                        5.23.0-1
ii  libkf5bookmarks5                    5.23.0-1
ii  libkf5codecs5                       5.23.0-1
ii  libkf5completion5                   5.23.0-1
ii  libkf5configcore5                   5.23.0-1
ii  libkf5configgui5                    5.23.0-1
ii  libkf5configwidgets5                5.23.0-1
ii  libkf5coreaddons5                   5.23.0-1
ii  libkf5dbusaddons5                   5.23.0-1
ii  libkf5emoticons-bin                 5.23.0-1
ii  libkf5emoticons5                    5.23.0-1
ii  libkf5globalaccel5                  5.23.0-1
ii  libkf5guiaddons5                    5.23.0-1
ii  libkf5i18n5                         5.23.0-1
ii  libkf5iconthemes5                   5.23.0-1
ii  libkf5itemmodels5                   5.23.0-1
ii  libkf5itemviews5                    5.23.0-1
ii  libkf5jobwidgets5                   5.23.0-1
ii  libkf5kcmutils5                     5.23.0-1
ii  libkf5kdelibs4support5              5.23.0-1
ii  libkf5kiocore5                      5.23.0-1
ii  libkf5kiofilewidgets5               5.23.0-1
ii  libkf5kiowidgets5                   5.23.0-1
ii  libkf5newstuff5                     5.23.0-1
ii  libkf5notifications5                5.23.0-1
ii  libkf5notifyconfig5                 5.23.0-1
ii  libkf5parts5                        5.23.0-1
ii  libkf5people5                       5.23.0-1
ii  libkf5peoplewidgets5                5.23.0-1
ii  libkf5plasma5                       5.23.0-1
ii  libkf5plasmaquick5                  5.23.0-1
ii  libkf5quickaddons5                  5.23.0-1
ii  libkf5runner5                       5.23.0-1
ii  libkf5service-bin                   5.23.0-1
ii  libkf5service5                      5.23.0-1
ii  libkf5solid5                        5.23.0-1
ii  libkf5sonnetui5                     5.23.0-1
ii  libkf5wallet-bin                    5.23.0-3
ii  libkf5wallet5                       5.23.0-3
ii  libkf5widgetsaddons5                5.23.0-1
ii  libkf5windowsystem5                 5.23.0-1
ii  libkf5xmlgui5                       5.23.0-1
ii  libkfontinst5                       4:5.6.5-1
ii  libkfontinstui5                     4:5.6.5-1
ii  libkworkspace5-5                    4:5.6.5.1-1
ii  libphonon4qt5-4                     4:4.9.0-3
ii  libpulse-mainloop-glib0             9.0-1.1
ii  libpulse0                           9.0-1.1
ii  libqt5concurrent5                   5.6.1+dfsg-3
ii  libqt5core5a                        5.6.1+dfsg-3
ii  libqt5dbus5                         5.6.1+dfsg-3
ii  libqt5gui5                          5.6.1+dfsg-3
ii  libqt5network5                      5.6.1+dfsg-3
ii  libqt5printsupport5                 5.6.1+dfsg-3
ii  libqt5qml5                          5.6.1-5
ii  libqt5quick5                        5.6.1-5
ii  libqt5quickwidgets5                 5.6.1-5
ii  libqt5sql5                          5.6.1+dfsg-3
ii  libqt5svg5                          5.6.1-2
ii  libqt5widgets5                      5.6.1+dfsg-3
ii  libqt5x11extras5                    5.6.1-2
ii  libqt5xml5                          5.6.1+dfsg-3
ii  libstdc++6                          6.1.1-9
ii  libtaskmanager5                     4:5.6.5.1-1
ii  libx11-6                            2:1.6.3-1
ii  libx11-xcb1                         2:1.6.3-1
ii  libxcb-record0                      1.11.1-1
ii  libxcb-xkb1                         1.11.1-1
ii  libxcb1
Bug#832421: ITP: qtwebchannel -- Publish `QObjects` for the usage of webengine
Package: wnpp
Severity: wishlist
Owner: "Sandro Knauß"

* Package name    : qtwebchannel
  Version         : 5.6.1
  Upstream Author : The Qt Company Ltd.
* URL             : http://doc.qt.io/qt-5/qtwebchannel-index.html
* License         : LGPL2.1, LGPL3
  Programming Lang: C++
  Description     : Publish `QObjects` for the usage of webengine

Provides public API shared by both QtWebEngine and QtWebEngineWidgets

We intend to package it under the Debian Qt/KDE Maintainers umbrella. It is needed for QtWebEngine.
Bug#832420: ITP: qtwebengine -- Web content engine library for Qt
Package: wnpp
Severity: wishlist
Owner: "Sandro Knauß"

* Package name    : qtwebengine
  Version         : 5.6.1
  Upstream Author : The Qt Company Ltd.
* URL             : http://trac.webengine.org/wiki/QtWebEngine
* License         : LGPL2+, GPL2+, BSD
  Programming Lang: C++
  Description     : Web content engine library for Qt

QtWebEngine provides a Web browser engine that makes it easy to embed content from the World Wide Web into your Qt application.
.
This package contains the development files needed to build Qt 5 applications using the QtWebEngine library.

We want to package it within the Debian Qt/KDE Maintainers umbrella and need it for newer KDE Applications.
Bug#814762: Info received (Bug#814762: kmail: CSS from HTML mail interfers with header layout)
Hey,

I actually sat down today and fixed the issue, or at least made it more difficult to break the UI.

http://commits.kde.org/messagelib/3f9d16c7dadd2c98b00c5e7216cd69cfb518cab9
http://commits.kde.org/kdepim-addons/a97f99b2769d39ffa03a2cd2454f10ef93222486
http://commits.kde.org/kdepim-addons/cab925e9d4769762ea0080d49f392022cd8e78dd

Regards,
sandro
Bug#814762: Info received (Bug#814762: kmail: CSS from HTML mail interfers with header layout)
In order to speed things up, I will look into providing a patch today.

-nik
Bug#814762: kmail: CSS from HTML mail interfers with header layout
Control: severity -1 grave

Hi,

> Even more, a mail header can be "spoofed" using simpler tools, like an
> smtp server, thus I'm not really convinced that this bug deserves a "grave"
> severity.

Did you read all of this bug report?

1. I explained that this method can do more than other ways of spoofing mail headers because mail filters do not see the spoofed headers,

2. in my follow-up, I showed that in 16.04, legitimate HTML mail breaks the UI. This has nothing to do with spoofing - KMail breaks when opening random, legitimate mail. I cannot even click any controls in the mail view anymore. This affects daily, normal work with KMail and makes it unusable for reading legitimate mail. That is the definition of "grave functionality bug".

I am ok with dropping the security tag, but the grave was for the follow-up. The bug with the legitimate mail does *not* occur in any prior version, so migration would introduce this issue into testing.

In conclusion: I can read legitimate mail in kmail in testing; I can't do so in unstable. Thus, the new version should not migrate unless the bug is fixed.

-nik
Processed: Re: Bug#814762: kmail: CSS from HTML mail interfers with header layout
Processing control commands:

> severity -1 grave
Bug #814762 [kmail] kmail: CSS from HTML mail interfers with header layout
Severity set to 'grave' from 'important'

--
814762: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814762
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#814762: kmail: CSS from HTML mail interfers with header layout
Processing control commands:

> severity -1 important
Bug #814762 [kmail] kmail: CSS from HTML mail interfers with header layout
Severity set to 'important' from 'grave'

--
814762: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814762
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#814762: kmail: CSS from HTML mail interfers with header layout
Control: severity -1 important

Hello Dominik!

On 2016-07-24 at 22:11 +0200, Dominik George wrote:
> Package: kmail
> Version: 4:16.04.3-1
> Followup-For: Bug #814762
>
> It got worse. Today, I stumbled upon a legitimate HTML mail that just trashed the whole UI.
>
> Find attached the mail that caused the issue and a screenshot.
>
> Raising severity to grave. Please do something! Firstly, I am certain this is a security-relevant bug; secondly, it now makes stuff break in daily use.

I'm temporarily lowering the severity of this mail to finish the kdepim 16.04 transition. Also, I think that this issue should be easily reproducible in the older kmail2 versions, thus I see no reason to block the transition by this.

Even more, a mail header can be "spoofed" using simpler tools, like an smtp server, thus I'm not really convinced that this bug deserves a "grave" severity.

Happy hacking,

--
"There are only two things wrong with C++: The initial concept and the implementation."
-- Bertrand Meyer

Regards
/\/\ /\ >< `/