Package: kdepimlibs Version: 4:4.4.5-2 Severity: grave Tags: security patch upstream Justification: user security hole
KDE Project Security Advisory ============================= Title: KMail: HTML injection in plain text viewer Risk Rating: Important CVE: CVE-2016-7966 Platforms: All Versions: kmail >= 4.4.0 Author: Andre Heinecke <aheine...@intevation.de> Date: 6 October 2016 Overview ======== Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plain text viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content. Impact ====== An unauthenticated attacker can send out mails with malicious content that breaks KMail's plain text HTML escape logic. Due to the limitations of the provided HTML in itself it might not be serious. But as a way to break out of KMail's restricted Plain text mode this might open the way to the exploitation of other vulnerabilities in the HTML viewer code, which is disabled by default. Workaround ========== None. Solution ======== For KDE Frameworks based releases of KMail apply the following patch to kcoreaddons: https://quickgit.kde.org/?p=kcoreaddons.git&a=commitdiff&h=96e562d9138c100498da38e4c5b4091a226dde12 For kdelibs4 based releases apply the following patch: https://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf Credits ======= Thanks to Roland Tapken for reporting this issue, Andre Heinecke from Intevation GmbH for analysing the problems and Laurent Montel for fixing this issue.
From: Montel Laurent <mon...@kde.org> Date: Fri, 30 Sep 2016 13:55:35 +0000 Subject: Backport avoid to transform as a url when we have a quote X-Git-Url: http://quickgit.kde.org/?p=kdepimlibs.git&a=commitdiff&h=176fee25ca79145ab5c8e2275d248f1a46a8d8cf --- Backport avoid to transform as a url when we have a quote --- --- a/kpimutils/linklocator.cpp +++ b/kpimutils/linklocator.cpp @@ -94,6 +94,12 @@ } QString LinkLocator::getUrl() +{ + return getUrlAndCheckValidHref(); +} + + +QString LinkLocator::getUrlAndCheckValidHref(bool *badurl) { QString url; if ( atUrl() ) { @@ -129,13 +135,26 @@ url.reserve( maxUrlLen() ); // avoid allocs int start = mPos; + bool previousCharIsADoubleQuote = false; while ( ( mPos < (int)mText.length() ) && ( mText[mPos].isPrint() || mText[mPos].isSpace() ) && ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) || ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) { if ( !mText[mPos].isSpace() ) { // skip whitespace - url.append( mText[mPos] ); - if ( url.length() > maxUrlLen() ) { + if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) { + //it's an invalid url + if (badurl) { + *badurl = true; + } + return QString(); + } + if (mText[mPos] == QLatin1Char('"')) { + previousCharIsADoubleQuote = true; + } else { + previousCharIsADoubleQuote = false; + } + url.append( mText[mPos] ); + if ( url.length() > maxUrlLen() ) { break; } } @@ -367,7 +386,12 @@ } else { const int start = locator.mPos; if ( !( flags & IgnoreUrls ) ) { - str = locator.getUrl(); + bool badUrl = false; + str = locator.getUrlAndCheckValidHref(&badUrl); + if (badUrl) { + return locator.mText; + } + if ( !str.isEmpty() ) { QString hyperlink; if ( str.left( 4 ) == QLatin1String("www.") ) { --- a/kpimutils/linklocator.h +++ b/kpimutils/linklocator.h @@ -107,6 +107,7 @@ @return The URL at the current scan position, or an empty string. */ QString getUrl(); + QString getUrlAndCheckValidHref(bool *badurl = 0); /** Attempts to grab an email address. If there is an @ symbol at the @@ -155,7 +156,7 @@ */ static QString pngToDataUrl( const QString & iconPath ); - protected: +protected: /** The plaintext string being scanned for URLs and email addresses. */