oss-sec mailing list archives

Re: CVE Request: KDE Pim


From: David Faure <faure () kde org>
Date: Tue, 17 Jul 2012 22:23:26 +0200

On Tuesday 17 July 2012 13:37:38 Kurt Seifried wrote:
> The rendering engine/etc used by KDE Pim didn't support JavaScript

Yes (it was disabled from the html engine on purpose).

> Things changed and JavaScript support was introduced

Yes, but by mistake (the code that re-colors quotes in html email was ported 
to webkit, and javascript support is enabled there by default).
Your phrasing makes it sound like it was "support that was added 
intentionally", which wasn't the case.

> The devels realize this, and quickly move to disable JavaScript.

Yes (although we discovered it by investigating a crash due to the fact that 
remote images were starting to get loaded too, and then abruptly interrupted, 
something which got disabled at the same time).

> It seems like JavaScript was never meant to be supported in KDE Pim,
> so in light of that I'm going to assign this a CVE as JavaScript
> introduces a significant number of security issues and also violated
> the principle of least surprise.

Makes sense to me.

-- 
David Faure, faure () kde org, http://www.davidfaure.fr
Sponsored by Nokia to work on KDE, incl. KDE Frameworks 5

