Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <12931834.Zmy5xRxSLL@asterix.site>
Date: Tue, 17 Jul 2012 14:06:40 +0200
From: David Faure <faure@....org>
To: laurent Montel <montel@....org>
Cc: Vincent Danen <vdanen@...hat.com>, oss-security@...ts.openwall.com, Marc Deslauriers <marc.deslauriers@...onical.com>, coley@...us.mitre.org, security@...ntu.com
Subject: Re: CVE Request: KDE Pim

On Tuesday 17 July 2012 10:18:06 laurent Montel wrote:
> Security problem is that we allows to use javascript.
> In 4.4 we don't have it.

And here's a testcase for the actual bug.
In kmail, Ctrl+O, open this .mbox, click on the HTML version, enable HTML 
rendering, a javascript messagebox pops up.
Not sure what can really be exploited here (xmlhttprequest?), but at least 
this way one can prove that 4.4 isn't affected, and test the 4.9 fix.

-- 
David Faure, faure@....org, http://www.davidfaure.fr
Sponsored by Nokia to work on KDE, incl. KDE Frameworks 5

Download attachment "html.mbox" of type "application/mbox" (1692 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.