[manjaro-security] [arch-security] [ASA-201610-5] messagelib: multiple issues

Christian Rebischke Chris.Rebischke at archlinux.org
Fri Oct 7 22:44:27 CEST 2016


Arch Linux Security Advisory ASA-201610-5
=========================================

Severity: Medium
Date    : 2016-10-07
CVE-ID  : CVE-2016-7967 CVE-2016-7968
Package : messagelib
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package messagelib before version 16.08.1-2 is vulnerable to
multiple issues including cross-site scripting and insufficient
validation.

Resolution
==========

Upgrade to 16.08.1-2.

# pacman -Syu "messagelib>=16.08.1-2"

The problems have been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

- CVE-2016-7967 (cross-site scripting)

KMail since version 5.3.0 used a QWebEngine based viewer that had
JavaScript enabled. Since the generated html is executed in the local
file security context by default access to remote and local URLs was
enabled.

- CVE-2016-7968 (insufficient validation)

KMail since version 5.3.0 used a QWebEngine based viewer that had
JavaScript enabled. HTML Mail contents were not sanitized for
JavaScript and included code was executed.

Impact
======

An attacker is able to access local or remote urls via injected
javascript.

References
==========

https://www.kde.org/info/security/advisory-20161006-1.txt
https://www.kde.org/info/security/advisory-20161006-3.txt
http://seclists.org/oss-sec/2016/q4/23
https://www.kde.org/info/security/advisory-20161006-2.txt
http://seclists.org/oss-sec/2016/q4/21
https://access.redhat.com/security/cve/CVE-2016-7967
https://access.redhat.com/security/cve/CVE-2016-7968s
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20161007/e9f8a581/attachment.pgp>


More information about the manjaro-security mailing list