oss-sec mailing list archives
Added protection in KMail when accessing URLs to executables
From: Jamie Strandboge <jamie () canonical com>
Date: Thu, 26 Feb 2009 17:10:47 -0600
Ubuntu was contacted by upstream and a public bug reported [1] regarding an added protection[2] in KMail for when a user clicks on a link to an executable in an HTML mail. Before this patch, when a user clicked on such a link, KMail would prompt the user on whether or not to run the executable. If the user chose to execute it, KMail would simply run the executable. With the patch, if the user chooses to execute the code, KMail will instead launch a helper program (or prompt the user to pick one) to "view" the executable. Eg, if the user clicks the following URL in an HTML email: <a href="http://www.example.com/evil.desktop">For a good time, click me</a> KMail will now open a viewer (or prompt to choose a viewer) so the user can read the contents of the desktop file instead of executing it. This probably does not warrant a CVE because the user always had to explicitly tell KMail to execute the file, but Ubuntu will be releasing new packages with this patch, and a corresponding advisory. Jamie [1] https://bugs.launchpad.net/ubuntu/+source/kdepim/+bug/332069 [2] http://websvn.kde.org/branches/KDE/4.1/kdepim/kmail/kmcommands.cpp?r1=927289&r2=927288&pathrev=927289 -- Ubuntu Security Engineer | http://www.ubuntu.com/ Canonical Ltd. | http://www.canonical.com/
Attachment:
signature.asc
Description: Digital signature
Current thread:
- Added protection in KMail when accessing URLs to executables Jamie Strandboge (Feb 26)