Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 17 Jul 2012 22:23:26 +0200
From: David Faure <faure@....org>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com, laurent Montel <montel@....org>, Vincent Danen <vdanen@...hat.com>, Marc Deslauriers <marc.deslauriers@...onical.com>, coley@...us.mitre.org, security@...ntu.com
Subject: Re: CVE Request: KDE Pim

On Tuesday 17 July 2012 13:37:38 Kurt Seifried wrote:
> The rendering engine/etc used by KDE Pim didn't support JavaScript

Yes (it was disabled from the html engine on purpose).

> Things changed and JavaScript support was introduced

Yes, but by mistake (the code that re-colors quotes in html email was ported 
to webkit, and javascript support is enabled there by default).
Your phrasing makes it sound like it was "support that was added 
intentionnally", which wasn't the case.

> The devels realize this, and quickly move to disable JavaScript.

Yes (although we discovered it by investigating a crash due to the fact that 
remote images were starting to get loaded too, and then abruptly interrupted, 
something which got disabled at the same time).

> It seems like JavaScript was never meant to be supported in KDE Pim,
> so in light of that I'm going to assign this a CVE as JavaScript
> introduces a significant number of security issues and also violated
> the principle of least surprise.

Makes sense to me.

-- 
David Faure, faure@....org, http://www.davidfaure.fr
Sponsored by Nokia to work on KDE, incl. KDE Frameworks 5

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.