Date: Tue, 17 Jul 2012 22:23:26 +0200
From: David Faure <faure@....org>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com, laurent Montel <montel@....org>, Vincent Danen <vdanen@...hat.com>, Marc Deslauriers <marc.deslauriers@...onical.com>, coley@...us.mitre.org, security@...ntu.com
Subject: Re: CVE Request: KDE Pim

On Tuesday 17 July 2012 13:37:38 Kurt Seifried wrote:
> The rendering engine/etc used by KDE Pim didn't support JavaScript

Yes (it was disabled from the html engine on purpose).

> Things changed and JavaScript support was introduced

Yes, but by mistake (the code that re-colors quotes in html email was ported 
to webkit, and javascript support is enabled there by default).
Your phrasing makes it sound like it was "support that was added 
intentionally", which wasn't the case.

> The devels realize this, and quickly move to disable JavaScript.

Yes (although we discovered it by investigating a crash due to the fact that 
remote images were starting to get loaded too, and then abruptly interrupted, 
something which got disabled at the same time).

> It seems like JavaScript was never meant to be supported in KDE Pim,
> so in light of that I'm going to assign this a CVE as JavaScript
> introduces a significant number of security issues and also violated
> the principle of least surprise.

Makes sense to me.

-- 
David Faure, faure@....org, http://www.davidfaure.fr
Sponsored by Nokia to work on KDE, incl. KDE Frameworks 5
