Ubuntu
kdepim package

code execution when following links

Bug #332069 reported by Jonathan Riddell on 2009-02-20

254

	Status	Importance	Assigned to
kdepim (Ubuntu)	Fix Released	Undecided	Unassigned
Dapper	Fix Released	Undecided	Jamie Strandboge
Gutsy	Fix Released	Undecided	Jamie Strandboge
Hardy	Fix Released	Undecided	Jamie Strandboge
Intrepid	Fix Released	Undecided	Jamie Strandboge
Jaunty	Fix Released	Undecided	Unassigned

Bug Description

Binary package hint: kdepim

Upstream reported a potential security problem in kmail

Clicking on a link inside a mail in
KMail can potentially execute code without asking the user, if the link points
to a desktop file or a .exe that is associated with Wine, or similar.
This problem happens in all KMail versions.

Related branches

lp:ubuntu/karmic/kdepim

lp:ubuntu/dapper-security/kdepim

lp:ubuntu/gutsy-security/kdepim

lp:ubuntu/hardy-security/kdepim

lp:ubuntu/intrepid-security/kdepim

Revision history for this message

Launchpad Janitor (janitor) wrote on 2009-02-20:

This bug was fixed in the package kdepim - 4:4.2.0-0ubuntu8

---------------
kdepim (4:4.2.0-0ubuntu8) jaunty; urgency=low

* Add kubuntu_02_kmail_file_execution.diff, don't run
executable programmes from links, LP: #332069

-- Jonathan Riddell <email address hidden> Fri, 20 Feb 2009 14:40:23 +0000

Changed in kdepim:
status:	New → Fix Released

Revision history for this message

Jonathan Riddell (jr) wrote on 2009-02-20:

kdepim_4.1.4-0ubuntu1~intrepid2.1.debdiff Edit (2.7 KiB, text/plain)

Revision history for this message

Jonathan Riddell (jr) wrote on 2009-02-20:

kdepim_4.1.4-0ubuntu1~intrepid2.1.debdiff Edit (1.5 KiB, text/plain)

SRU patch for intrepid (ignore previous one).

Revision history for this message

Jonathan Riddell (jr) wrote on 2009-02-20:

kdepim_3.5.10-0ubuntu1~hardy3.1.debdiff Edit (1.3 KiB, text/plain)

Revision history for this message

Jonathan Riddell (jr) wrote on 2009-02-20:

kdepim_3.5.10-0ubuntu1~hardy3.1.debdiff Edit (1.3 KiB, text/plain)

Same patch as above with correct distro series set in debian/changelog

Jamie Strandboge (jdstrand) on 2009-02-23

Changed in kdepim:
status:	New → In Progress
assignee:	nobody → jdstrand
status:	New → In Progress
assignee:	nobody → jdstrand
status:	New → In Progress
assignee:	nobody → jdstrand
status:	New → In Progress
assignee:	nobody → jdstrand

Jamie Strandboge (jdstrand) on 2009-02-23

Changed in kdepim:
status:	In Progress → Fix Committed
status:	In Progress → Fix Committed
status:	In Progress → Fix Committed
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2009-02-26:

This bug was fixed in the package kdepim - 4:3.5.7enterprise20070926-0ubuntu2.2

---------------
kdepim (4:3.5.7enterprise20070926-0ubuntu2.2) gutsy-security; urgency=low

  * SECURITY UPDATE: KMail file execution vulnerability (LP: #332069).
   - Add kubuntu_13_kmail_file_execution.diff patch from upstream
     http://websvn.kde.org/?view=rev&revision=927289
   - Sets KRun to not run executables
   - Based on patch from Jonathan Riddell

-- Jamie Strandboge <email address hidden> Fri, 20 Feb 2009 15:42:14 -0600

Changed in kdepim:
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2009-02-26:

This bug was fixed in the package kdepim - 4:3.5.10-0ubuntu1~hardy3.1

---------------
kdepim (4:3.5.10-0ubuntu1~hardy3.1) hardy-security; urgency=low

  * SECURITY UPDATE: KMail file execution vulnerability (LP: #332069).
   - Add kubuntu_02_kmail_file_execution.diff patch from upstream
     http://websvn.kde.org/?view=rev&revision=927289
   - Sets KRun to not run executables

-- Jonathan Riddell <email address hidden> Fri, 20 Feb 2009 15:21:22 +0000

Changed in kdepim:
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2009-02-26:

This bug was fixed in the package kdepim - 4:4.1.4-0ubuntu1~intrepid2.1

---------------
kdepim (4:4.1.4-0ubuntu1~intrepid2.1) intrepid-security; urgency=low

-- Jonathan Riddell <email address hidden> Fri, 20 Feb 2009 14:26:13 +0000

Changed in kdepim:
status:	Fix Committed → Fix Released

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2009-02-26:

kdepim (4:3.5.2-0ubuntu6.1) dapper-security; urgency=low

Changed in kdepim:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntukdepim package

code execution when following links

Bug Description

Related branches

Other bug subscribers

Patches

Remote bug watches

Ubuntu
kdepim package