Bug 1117958 (CVE-2018-19516)

Summary: VUL-1: CVE-2018-19516: messagelib: Some HTML emails can trick messagelib into opening a new browser window when displaying said email as HTML. Workaround: Do not enable "Prefer HTML to plain text" in KMail settings.
Product: [openSUSE] openSUSE Distribution
Reporter: Marcus Meissner <meissner>
Component: Other
Assignee: Wolfgang Bauer <wbauer>
Status: RESOLVED WONTFIX
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: alarrosa, christophe, fabian, fvogt, lbeltrame, tittiatcoke, wbauer
Version: Leap 42.3
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/219982/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2018-11-30 16:04:58 UTC
CVE-2018-19516

Some HTML emails can trick messagelib into opening a new browser window
when displaying said email as HTML. Workaround: Do not enable "Prefer
HTML to plain text" in KMail settings.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19516
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19516.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19516
Comment 1 Wolfgang Bauer 2018-12-03 19:23:12 UTC
Well, this should also affect Leap 15.0, not only 42.3? ;-)

I'll prepare an update...
Comment 2 Wolfgang Bauer 2018-12-03 19:57:07 UTC
PS: the corresponding code in 42.3 is completely different, so maybe it's not affected after all?

It's definitely not easy to backport in any case.
Comment 3 Wolfgang Bauer 2018-12-03 20:24:36 UTC
I submitted the update for Leap 15.0:
https://build.opensuse.org/request/show/653598

Tumbleweed will soon get 18.12.0 anyway.

Regarding 42.3 I'm not sure yet.

Closing as fixed for now though, please reopen if you do think an update for 42.3 is necessary as well.
Thanks.
Comment 4 Fabian Vogt 2018-12-03 21:39:02 UTC
(In reply to Wolfgang Bauer from comment #3)
> I submitted the update for Leap 15.0:
> https://build.opensuse.org/request/show/653598
> 
> Tumbleweed will soon get 18.12.0 anyway.
> 
> Regarding 42.3 I'm not sure yet.
> 
> Closing as fixed for now though, please reopen if you do think an update for
> 42.3 is necessary as well.
> Thanks.

I'll try it on 42.3 tomorrow, I've made a simple PoC here.
For some reason it opens a dolphin window if opening a mail as .mbox file, which I have to investigate further...
In any case, the fix seems to be incomplete, so this needs some more fixing for 15 and TW as well...
Comment 5 Wolfgang Bauer 2018-12-05 09:32:28 UTC
Ok...
JFYI the 42.3 version doesn't have this processHTML() function at all that's modified by the patch.

It only got (re-)introduced in 17.12:
https://cgit.kde.org/messagelib.git/commit/?id=c20572f5c6d4d6fe73c20eba3cecb2c800fe3d51
Comment 6 Swamp Workflow Management 2018-12-07 23:11:03 UTC
openSUSE-SU-2018:4029-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1117958
CVE References: CVE-2018-19516
Sources used:
openSUSE Leap 15.0 (src):    messagelib-17.12.3-lp150.2.6.1
openSUSE Backports SLE-15 (src):    messagelib-17.12.3-bp150.3.6.1
Comment 7 Wolfgang Bauer 2019-06-19 18:33:42 UTC
(In reply to Fabian Vogt from comment #4)
> I'll try it on 42.3 tomorrow, I've made a simple PoC here.
> For some reason it opens a dolphin window if opening a mail as .mbox file,
> which I have to investigate further...
> In any case, the fix seems to be incomplete, so this needs some more fixing
> for 15 and TW as well...

@Fabian: what's the status of this?
Comment 8 Fabian Vogt 2019-06-19 18:38:23 UTC
(In reply to Wolfgang Bauer from comment #7)
> (In reply to Fabian Vogt from comment #4)
> > I'll try it on 42.3 tomorrow, I've made a simple PoC here.
> > For some reason it opens a dolphin window if opening a mail as .mbox file,
> > which I have to investigate further...
> > In any case, the fix seems to be incomplete, so this needs some more fixing
> > for 15 and TW as well...
> 
> @Fabian: what's the status of this?

With https://codereview.qt-project.org/c/qt/qtwebengine/+/256100 applied to WE it's now possible to fix this fully and without any hacks with preprocessing. Not sure whether the messagelib counterpart is implemented though.
Comment 9 Wolfgang Bauer 2019-06-19 19:22:21 UTC
(In reply to Fabian Vogt from comment #8)
> With https://codereview.qt-project.org/c/qt/qtwebengine/+/256100 applied to
> WE it's now possible to fix this fully and without any hacks with
> preprocessing. Not sure whether the messagelib counterpart is implemented
> though.

So no option for Leap 42.3 anymore anyway I suppose.
That was the main reason why I asked now.
(and because it is still assigned to me, so I get notified about it again and again... ;-) )
Comment 10 Tomáš Chvátal 2019-07-11 11:36:48 UTC
This is automated batch bugzilla cleanup.

openSUSE 42.3 has changed to end-of-life (EOL [1]) status. As such
it is no longer maintained, which means that it will not receive any
further security or bug fix updates.
As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
openSUSE (at this moment openSUSE Leap 15.1, 15.0 and Tumbleweed), please
feel free to reopen this bug against that version (you must update the
"Version" field in the bug; do not just reopen, please), or
alternatively create a new ticket.

Thank you for reporting this bug and we are sorry it could not be fixed
during the lifetime of the release.

[1] https://en.opensuse.org/Lifetime