oss-sec mailing list archives
Re: CVE Request: KDE Pim
From: David Faure <faure () kde org>
Date: Tue, 17 Jul 2012 22:23:26 +0200
On Tuesday 17 July 2012 13:37:38 Kurt Seifried wrote:
> The rendering engine/etc used by KDE Pim didn't support JavaScript

Yes (it was disabled from the html engine on purpose).

> Things changed and JavaScript support was introduced

Yes, but by mistake (the code that re-colors quotes in html email was ported to webkit, and javascript support is enabled there by default). Your phrasing makes it sound like it was "support that was added intentionally", which wasn't the case.

> The devels realize this, and quickly move to disable JavaScript.

Yes (although we discovered it by investigating a crash due to the fact that remote images were starting to get loaded too, and then abruptly interrupted, something which got disabled at the same time).

> It seems like JavaScript was never meant to be supported in KDE Pim, so in light of that I'm going to assign this a CVE as JavaScript introduces a significant number of security issues and also violated the principle of least surprise.

Makes sense to me.

-- 
David Faure, faure () kde org, http://www.davidfaure.fr
Sponsored by Nokia to work on KDE, incl. KDE Frameworks 5