ArchLinux: 201610-5: messagelib: multiple issues
Summary
- CVE-2016-7967 (cross-site scripting)
KMail since version 5.3.0 used a QWebEngine based viewer that had
JavaScript enabled. Since the generated html is executed in the local
file security context by default access to remote and local URLs was
enabled.
- CVE-2016-7968 (insufficient validation)
KMail since version 5.3.0 used a QWebEngine based viewer that had
JavaScript enabled. HTML Mail contents were not sanitized for
JavaScript and included code was executed.
Resolution
Upgrade to 16.08.1-2.
# pacman -Syu "messagelib>=16.08.1-2"
The problems have been fixed upstream but no release is available yet.
References
https://kde.org/info/security/advisory-20161006-1.txt https://kde.org/info/security/advisory-20161006-3.txt https://seclists.org/oss-sec/2016/q4/23 https://kde.org/info/security/advisory-20161006-2.txt https://seclists.org/oss-sec/2016/q4/21 https://access.redhat.com/security/cve/CVE-2016-7967 https://access.redhat.com/security/cve/CVE-2016-7968s
Workaround
None.