Subject: [ASA-201610-5] messagelib: multiple issues Arch Linux Security Advisory ASA-201610-5 ========================================= Severity: Medium Date : 2016-10-07 CVE-ID : CVE-2016-7967 CVE-2016-7968 Package : messagelib Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-44 Summary ======= The package messagelib before version 16.08.1-2 is vulnerable to multiple issues including cross-site scripting and insufficient validation. Resolution ========== Upgrade to 16.08.1-2. # pacman -Syu "messagelib>=16.08.1-2" The problems have been fixed upstream but no release is available yet. Workaround ========== None. Description =========== - CVE-2016-7967 (cross-site scripting) KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. Since the generated html is executed in the local file security context by default access to remote and local URLs was enabled. - CVE-2016-7968 (insufficient validation) KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. HTML Mail contents were not sanitized for JavaScript and included code was executed. Impact ====== An attacker is able to access local or remote urls via injected javascript. References ========== https://www.kde.org/info/security/advisory-20161006-1.txt https://www.kde.org/info/security/advisory-20161006-3.txt https://www.kde.org/info/security/advisory-20161006-2.txt http://seclists.org/oss-sec/2016/q4/23 http://seclists.org/oss-sec/2016/q4/21 https://security.archlinux.org/CVE-2016-7967 https://security.archlinux.org/CVE-2016-7968