svn commit: r486149 - in head/net/messagelib: . files

Tobias C. Berner tcberner at FreeBSD.org
Wed Nov 28 21:13:55 UTC 2018 

Author: tcberner
Date: Wed Nov 28 21:13:54 2018
New Revision: 486149
URL: https://svnweb.freebsd.org/changeset/ports/486149

Log:
  net/messagelib: address CVE-2018-19516
  
  messagelib is the library used by KMail to display emails.
  
  messagelib by default displays emails as plain text, but gives the user
  an option to "Prefer HTML to plain text" in the settings and if that option
  is not enabled there is way to enable HTML display when an email contains HTML.
  
  Some HTML emails can trick messagelib into opening a new browser window when
  displaying said email as HTML.
  
  This happens even if the option to allow the HTML emails to access
  remote servers is disabled in KMail settings.
  
  This means that the owners of the servers referred in the email can see
  in their access logs your IP address.
  
  https://www.kde.org/info/security/advisory-20181128-1.txt
  
  MFH:		2018Q4
  Security:	c7b1af20-f34f-11e8-9cde-e0d55e2a8bf9

Added:
  head/net/messagelib/files/
  head/net/messagelib/files/patch-git_347659   (contents, props changed)
Modified:
  head/net/messagelib/Makefile

Modified: head/net/messagelib/Makefile
==============================================================================
--- head/net/messagelib/Makefile	Wed Nov 28 21:07:31 2018	(r486148)
+++ head/net/messagelib/Makefile	Wed Nov 28 21:13:54 2018	(r486149)
@@ -2,7 +2,7 @@
 
 PORTNAME=	messagelib
 DISTVERSION=	${KDE_APPLICATIONS_VERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	net kde kde-applications
 
 MAINTAINER=	kde at FreeBSD.org

Added: head/net/messagelib/files/patch-git_347659
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/net/messagelib/files/patch-git_347659	Wed Nov 28 21:13:54 2018	(r486149)
@@ -0,0 +1,19 @@
+From 34765909cdf8e55402a8567b48fb288839c61612 Mon Sep 17 00:00:00 2001
+From: Laurent Montel <montel at kde.org>
+Date: Fri, 23 Nov 2018 07:37:02 +0100
+Subject: Exclude Refresh from MetaData (Not necessary)
+
+--- messageviewer/src/messagepartthemes/default/defaultrenderer.cpp.orig	2018-10-31 06:56:07 UTC
++++ messageviewer/src/messagepartthemes/default/defaultrenderer.cpp
+@@ -308,6 +308,11 @@ QString processHtml(const QString &htmlSource, QString
+             return htmlSource;
+         }
+         extraHead = s.mid(startIndex + 6 , endIndex - startIndex - 6);
++        //Don't authorize to refresh content.
++        if (s.contains(QStringLiteral("http-equiv=\"REFRESH\""), Qt::CaseInsensitive)) {
++            extraHead.clear();
++        }
++
+         s = s.mid(endIndex + 7).trimmed();
+     }
+

More information about the svn-ports-all mailing list