Message-ID: <13315562.h1Mja6Y9oR@asterix.site>
Date: Tue, 17 Jul 2012 22:23:26 +0200
From: David Faure <faure@....org>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com, laurent Montel <montel@....org>, Vincent Danen <vdanen@...hat.com>, Marc Deslauriers <marc.deslauriers@...onical.com>, coley@...us.mitre.org, security@...ntu.com
Subject: Re: CVE Request: KDE Pim

On Tuesday 17 July 2012 13:37:38 Kurt Seifried wrote:
> The rendering engine/etc used by KDE Pim didn't support JavaScript

Yes (it was disabled from the html engine on purpose).

> Things changed and JavaScript support was introduced

Yes, but by mistake (the code that re-colors quotes in html email was ported to webkit, and javascript support is enabled there by default). Your phrasing makes it sound like it was "support that was added intentionally", which wasn't the case.

> The devels realize this, and quickly move to disable JavaScript.

Yes (although we discovered it by investigating a crash due to the fact that remote images were starting to get loaded too, and then abruptly interrupted, something which got disabled at the same time).

> It seems like JavaScript was never meant to be supported in KDE Pim,
> so in light of that I'm going to assign this a CVE as JavaScript
> introduces a significant number of security issues and also violated
> the principle of least surprise.

Makes sense to me.

-- 
David Faure, faure@....org, http://www.davidfaure.fr
Sponsored by Nokia to work on KDE, incl. KDE Frameworks 5