*** This bug is a security vulnerability ***

Public security bug reported:

Evolution now uses webkit for html mail in 12.10. On launch, it tries to
access the google-talkplugin. When looking at certain messages in
preview mode (a google calendar invite), it tries to launch
/usr/lib/x86_64-linux-gnu/gstreamer0.10/gstreamer-0.10/gst-plugin-scanner.
Interestingly, this is happening even though I have 'Only ever
show plain text' configured in Preferences/Mail Preferences/HTML
Messages (I do have 'Show suppressed HTML parts as attachments'
selected).

This suggests that evolution:
 - would gladly use plugins
 - that javascript is possibly enabled (for the plugin finder)
 - that the WebKit HTML renderer is being invoked even though 'Only ever show plain text' is selected

Webkit is an immensely powerful renderer and it is being used to render
completely untrusted input from anyone who can send an email. We need to
make sure that plugins and javascript are disabled and that the renderer
is not being used at all when 'Only ever show plain text' is enabled (it
could be used to deliver text/plain, but it seems that it is processing
the HTML then discarding it). This would bring it in line with
Thunderbird's policies.

I noticed this because I use AppArmor to confine evolution.
Unfortunately in my situation, evolution hung on the message that
invoked the plugin finder because the plugin finder failed to launch. I
have rules now that will prevent the hang, but evolution isn't handling
this error condition gracefully either.

This should be considered an important security regression.

** Affects: evolution (Ubuntu)
     Importance: High
         Status: New


** Tags: regression-release rls-q-incoming

** Description changed:

  Evolution now uses webkit for html mail in 12.10. On launch, it tries to
  access the google-talkplugin. When looking at a certain messages in
  preview mode (a google calendar invite), it tries to launch
  /usr/lib/x86_64-linux-gnu/gstreamer0.10/gstreamer-0.10/gst-plugin-
  scanner. Interestingly, this is happening even though I have 'Only ever
  show plain text' configured in Preferences/Mail Preferences/HTML
  Messages (I do have 'Show suppressed HTML parts as attachments'
  selected).
  
  This suggests that evolution:
-  - would gladly use plugins
-  - that javascript is possibly enabled (for the plugin finder)
-  - that the WebKit HTML renderer is being invoked even though 'Only ever show 
plain text' is selected
+  - would gladly use plugins
+  - that javascript is possibly enabled (for the plugin finder)
+  - that the WebKit HTML renderer is being invoked even though 'Only ever show 
plain text' is selected
  
  Webkit is an immensely powerful renderer and it is being used to render
  completely untrusted input from anyone who can send an email. We need to
  make sure that plugins and javascript are disabled and that the renderer
  is not being used at all when 'Only ever show plain text' is enabled (it
  could be used to deliver text/plain, but it seems that it is processing
  the HTML then discarding it). This would bring it in line with
  Thunderbird's policies.
  
  I noticed this because I use AppArmor to confine evolution.
  Unfortunately in my situation, evolution hung on the message that
  invoked the plugin finder because the plugin finder failed to launch. I
- have rules now that will prevent the hang, but evolution is handling
- this gracefully either.
+ have rules now that will prevent the hang, but evolution isn't handling
+ this error condition gracefully either.
  
  This should be considered an important security regression.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evolution in Ubuntu.
https://bugs.launchpad.net/bugs/1037669

Title:
  gst-plugin-scanner and browser plugins are used when opening certain
  emails

Status in “evolution” package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evolution/+bug/1037669/+subscriptions
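
An added example (not from the bug report and not Evolution's code) of the display policy the report asks for: in plain-text-only mode the text/plain part is picked from the MIME structure, and HTML parts are listed as attachments without ever being handed to a renderer. The sample message and the helper name `select_for_display` are constructed for illustration.

```python
import email
from email import policy

# Constructed sample (not from the bug report): an invite-style message
# offering plain, HTML and calendar alternatives.
SAMPLE = """\
From: calendar@example.com
To: user@example.org
Subject: Invitation: sync
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

You are invited to: sync
--b1
Content-Type: text/html; charset="utf-8"

<html><body><object type="application/x-demo"></object>Invited</body></html>
--b1
Content-Type: text/calendar; charset="utf-8"; method=REQUEST

BEGIN:VCALENDAR
END:VCALENDAR
--b1--
"""


def select_for_display(raw, plain_text_only=True):
    """Return (body, renderer, suppressed_parts) for a raw message.

    Hypothetical helper: renderer "text" means no HTML engine is involved.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    plain = [p for p in leaves if p.get_content_type() == "text/plain"]
    html = [p for p in leaves if p.get_content_type() == "text/html"]
    if not plain_text_only and html:
        return html[0].get_content(), "html", []
    # Plain-text mode: HTML is only measured and listed, never parsed.
    suppressed = [("text/html", len(p.get_payload(decode=True) or b""))
                  for p in html]
    if plain:
        return plain[0].get_content(), "text", suppressed
    # HTML-only mail: show a notice instead of falling back to the renderer.
    return "[HTML-only message; see attachment]", "text", suppressed
```
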
