On Monday, 30 January 2017 19:55:16 ART Thorsten Alteholz wrote:
> Package: kf5-messagelib
> Severity: important
> Tags: security
>
> Hi,
>
> the following vulnerabilities were published for kf5-messagelib.
>
> CVE-2016-7967[0]:
> | KMail since version 5.3.0 used a QWebEngine based viewer that had
> | JavaScript enabled. Since the generated html is executed in the local
> | file security context by default access to remote and local URLs was
> | enabled.
>
> CVE-2016-7968[1]:
> | KMail since version 5.3.0 used a QWebEngine based viewer that had
> | JavaScript enabled. HTML Mail contents were not sanitized for
> | JavaScript and included code was executed.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-7967
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7967
> [1] https://security-tracker.debian.org/tracker/CVE-2016-7968
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7968
> Please adjust the affected versions in the BTS as needed.
>
> Thorsten

Hi Thorsten!

These two do not currently apply because it's still not using qtwebengine (see
below). I guess I should close this bug, but I'll wait for your input in case
you prefer to do something else.

$ ssh mirror.ftp-master.debian.org "dak rm -Rn qtwebengine-opensource-src"
Will remove the following packages from unstable:

libqt5webengine-data | 5.7.1+dfsg-6 | all
libqt5webengine5 | 5.7.1+dfsg-6 | amd64, i386
libqt5webenginecore5 | 5.7.1+dfsg-6 | amd64, i386
libqt5webenginewidgets5 | 5.7.1+dfsg-6 | amd64, i386
qml-module-qtwebengine | 5.7.1+dfsg-6 | amd64, i386
qtwebengine-opensource-src | 5.7.1+dfsg-6 | source
qtwebengine5-dev | 5.7.1+dfsg-6 | amd64, i386
qtwebengine5-doc | 5.7.1+dfsg-6 | all
qtwebengine5-doc-html | 5.7.1+dfsg-6 | all
qtwebengine5-examples | 5.7.1+dfsg-6 | amd64, i386

Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>

------------------- Reason -------------------

----------------------------------------------

Checking reverse dependencies...
# Broken Depends:
pyqt5: python-pyqt5.qtwebengine [amd64 i386]
       python-pyqt5.qtwebengine-dbg [amd64 i386]
       python3-pyqt5.qtwebengine [amd64 i386]
       python3-pyqt5.qtwebengine-dbg [amd64 i386]
qtdoc-opensource-src: qt5-doc
                      qt5-doc-html
qupzilla: libqupzilla1 [amd64 i386]
          qupzilla [amd64 i386]

# Broken Build-Depends:
pyqt5: qtwebengine5-dev (>= 5.7.1+dfsg-3~)
qtdoc-opensource-src: qtwebengine5-doc-html (>= 5.7.1+dfsg~)
qupzilla: qtwebengine5-dev

Dependency problem found.

-- 
1: A computer is useful:
* For trying to take over the world, a well-known case of this was that of
  Skinet
  Damian Nadales
  http://mx.grulic.org.ar/lurker/message/20080307.141449.a70fb2fc.es.html

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/