Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 26 Feb 2009 17:10:47 -0600
From: Jamie Strandboge <jamie@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Added protection in KMail when accessing URLs to executables

Ubuntu was contacted by upstream and a public bug reported [1] regarding
an added protection[2] in KMail for when a user clicks on a link to an
executable in an HTML mail. Before this patch, when a user clicked on
such a link, KMail would prompt the user on whether or not to run the
executable. If the user chose to execute it, KMail would simply run the
executable. With the patch, if the user chooses to execute the code, KMail
will instead launch a helper program (or prompt the user to pick one) to
"view" the executable. Eg, if the user clicks the following URL in an HTML
email:
<a href="http://www.example.com/evil.desktop">For a good time, click me</a>

KMail will now open a viewer (or prompt to choose a viewer) so the user
can read the contents of the desktop file instead of executing it. This
probably does not warrant a CVE because the user always had to
explicitly tell KMail to execute the file, but Ubuntu will be releasing
new packages with this patch, and a corresponding advisory.

Jamie

[1] https://bugs.launchpad.net/ubuntu/+source/kdepim/+bug/332069
[2] http://websvn.kde.org/branches/KDE/4.1/kdepim/kmail/kmcommands.cpp?r1=927289&r2=927288&pathrev=927289

-- 
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/

Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.