
List:       oss-security
Subject:    [oss-security] Added protection in KMail when accessing URLs to executables
From:       Jamie Strandboge <jamie () canonical ! com>
Date:       2009-02-26 23:10:47
Message-ID: 20090226231047.GO6712 () severus ! strandboge ! com


Ubuntu was contacted by upstream and a public bug was reported [1] regarding
an added protection [2] in KMail for when a user clicks on a link to an
executable in an HTML mail. Before this patch, when a user clicked on
such a link, KMail would prompt the user on whether or not to run the
executable. If the user chose to execute it, KMail would simply run the
executable. With the patch, if the user chooses to execute the code, KMail
will instead launch a helper program (or prompt the user to pick one) to
"view" the executable. E.g., if the user clicks the following URL in an HTML
email:
<a href="http://www.example.com/evil.desktop">For a good time, click me</a>

KMail will now open a viewer (or prompt to choose a viewer) so the user
can read the contents of the desktop file instead of executing it. This
probably does not warrant a CVE because the user always had to
explicitly tell KMail to execute the file, but Ubuntu will be releasing
new packages with this patch, and a corresponding advisory.

Jamie

[1] https://bugs.launchpad.net/ubuntu/+source/kdepim/+bug/332069
[2] http://websvn.kde.org/branches/KDE/4.1/kdepim/kmail/kmcommands.cpp?r1=927289&r2=927288&pathrev=927289

-- 
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/
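The before/after behaviour described in the post, modelled as an added example (this is not KMail's code; the extension list, the function names and the returned action strings are assumptions for illustration):

```python
"""Link-handling policy for URLs that point at executables, modelled after the
KMail change described above (added example, not the project's code)."""
import os
from typing import Optional
from urllib.parse import urlparse

# File types the policy treats as executable; illustrative, not KMail's own list.
EXECUTABLE_EXTENSIONS = {".desktop", ".sh", ".exe", ".bat", ".cmd", ".pl", ".py"}


def is_executable_target(url: str) -> bool:
    """Classify by the URL path only; query string and fragment are ignored so
    'page.html?f=x.desktop' is not mistaken for an executable."""
    path = urlparse(url).path
    ext = os.path.splitext(path)[1].lower()
    return ext in EXECUTABLE_EXTENSIONS


def handle_link_before(url: str, user_confirms: bool) -> str:
    """Behaviour the post describes before the patch: confirm, then run it."""
    if not is_executable_target(url):
        return "open:" + url
    return "execute:" + url if user_confirms else "cancel"


def handle_link_after(url: str, user_confirms: bool,
                      viewer: Optional[str] = None) -> str:
    """Behaviour with the patch: confirm, then hand the file to a viewer (or
    ask the user to pick one). No code path returns an 'execute' action."""
    if not is_executable_target(url):
        return "open:" + url
    if not user_confirms:
        return "cancel"
    if viewer is None:
        return "prompt-for-viewer:" + url
    return f"view:{viewer}:{url}"


if __name__ == "__main__":
    link = "http://www.example.com/evil.desktop"  # constructed, from the post
    print(handle_link_before(link, True))           # execute:... (old behaviour)
    print(handle_link_after(link, True, "kwrite"))  # view:kwrite:... (patched)
```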
