CVE-2016-7968

NameCVE-2016-7968
DescriptionKMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. HTML Mail contents were not sanitized for JavaScript and included code was executed.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
kf5-messagelib (PTS)stretch4:16.04.3-3~deb9u1fixed
buster4:18.08.3-2fixed
bullseye4:20.08.3-5fixed
bookworm4:22.12.3-2~deb12u1fixed
sid, trixie4:22.12.3-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
kf5-messagelibsource(unstable)(not affected)

Notes

- kf5-messagelib <not-affected> (Doesn't use qtwebengine, see bug #853241)
https://www.kde.org/info/security/advisory-20161006-3.txt
Would by fixed by: https://github.com/KDE/messagelib/commit/f601f9ffb706f7d3a5893b04f067a1f75da62c99
and building with Qt 5.7.0.
Following patches partly sanitize mails but still make it possible to inject code:
https://github.com/KDE/messagelib/commit/3503b75e9c79c3861e182588a0737baf165abd23 (v16.08.2)
https://github.com/KDE/messagelib/commit/a8744798dfdf8e41dd6a378e48662c66302b0019 (v16.08.2)
https://github.com/KDE/messagelib/commit/77976584a4ed2797437a2423704abdd7ece7834a (v16.08.2)
https://github.com/KDE/messagelib/commit/fb1be09360c812d24355076da544030a67b736fc (v16.08.2)
https://github.com/KDE/messagelib/commit/0402c17a8ead92188971cb604d905b3072d56a73 (v16.08.2)
The issue is mitigated with the fixes applied for CVE-2016-7966, and a
user protected from this CVE by only viewing plain text mails.

Search for package or bug name: Reporting problems