*** This bug is a security vulnerability *** Public security bug reported:
Upstream has somewhat cryptically suggested applying the upstream patch in http://commits.kde.org/kdepim/dbb2f72f4745e00f53031965a9c10b2d6862bd54 as a security fix. No CVE AFAIK. It appears to apply to kdepim 4.7 (oneiric), 4.8 (precise), and to be 4.9 (quantal). diff --git a/messageviewer/htmlquotecolorer.cpp b/messageviewer/htmlquotecolorer.cpp index b54e989..67c3062 100644 --- a/messageviewer/htmlquotecolorer.cpp +++ b/messageviewer/htmlquotecolorer.cpp @@ -40,6 +40,10 @@ QString HTMLQuoteColorer::process( const QString &htmlSource ) #ifndef KDEPIM_NO_WEBKIT // Create a DOM Document from the HTML source QWebPage page(0); + page.settings()->setAttribute( QWebSettings::JavascriptEnabled, false ); + page.settings()->setAttribute( QWebSettings::JavaEnabled, false ); + page.settings()->setAttribute( QWebSettings::PluginsEnabled, false ); + QWebFrame *frame = page.mainFrame(); frame->setHtml( htmlSource ); ** Affects: kdepim (Ubuntu) Importance: Undecided Status: New ** This bug has been flagged as a security vulnerability -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1022690 Title: kmail/kontact message viewer incorrectly defaults to having JavaScript, Java, and Plugins enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdepim/+bug/1022690/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs