[Secure-testing-commits] r48087 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Sun Jan 15 16:28:50 UTC 2017


Author: carnil
Date: 2017-01-15 16:28:50 +0000 (Sun, 15 Jan 2017)
New Revision: 48087

Modified:
   data/CVE/list
Log:
Update notes for CVE-2016-796{7,8}

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-01-15 16:07:52 UTC (rev 48086)
+++ data/CVE/list	2017-01-15 16:28:50 UTC (rev 48087)
@@ -17844,11 +17844,22 @@
 CVE-2016-7968 (KMail since version 5.3.0 used a QWebEngine based viewer that had ...)
 	- kf5-messagelib <unfixed>
 	NOTE: https://www.kde.org/info/security/advisory-20161006-3.txt
-	TODO: check if vulnerable code present, might have been introduced in 4:16.08
+	NOTE: Would by fixed by: https://cgit.kde.org/messagelib.git/commit/?id=f601f9ffb706f7d3a5893b04f067a1f75da62c99
+	NOTE: and building with Qt 5.7.0.
+	NOTE: Following patches partly sanitize mails but still make it possible to inject code:
+	NOTE: https://cgit.kde.org/messagelib.git/commit/?id=3503b75e9c79c3861e182588a0737baf165abd23 (v16.08.2)
+	NOTE: https://cgit.kde.org/messagelib.git/commit/?id=a8744798dfdf8e41dd6a378e48662c66302b0019 (v16.08.2)
+	NOTE: https://cgit.kde.org/messagelib.git/commit/?id=77976584a4ed2797437a2423704abdd7ece7834a (v16.08.2)
+	NOTE: https://cgit.kde.org/messagelib.git/commit/?id=fb1be09360c812d24355076da544030a67b736fc (v16.08.2)
+	NOTE: https://cgit.kde.org/messagelib.git/commit/?id=0402c17a8ead92188971cb604d905b3072d56a73 (v16.08.2)
+	NOTE: The issue is mitigated with the fixes applied for CVE-2016-7966, and a
+	NOTE: user protected from this CVE by only viewing plain text mails.
 CVE-2016-7967 (KMail since version 5.3.0 used a QWebEngine based viewer that had ...)
 	- kf5-messagelib <unfixed>
 	NOTE: https://www.kde.org/info/security/advisory-20161006-2.txt
-	TODO: check if vulnerable code present, might have been introduced in 4:16.08
+	NOTE: Fixed by: https://cgit.kde.org/messagelib.git/commit/?id=dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1 (16.11.80)
+	NOTE: The issue is mitigated with the fixes applied for CVE-2016-7966, and a
+	NOTE: user protected from this CVE by only viewing plain text mails.
 CVE-2016-7966 (Through a malicious URL that contained a quote character it was ...)
 	{DSA-3697-1 DLA-673-1}
 	- kdepimlibs 4:4.14.10-7 (bug #840546)




More information about the Secure-testing-commits mailing list