svn commit: r486149 - in head/net/messagelib: . files
Tobias C. Berner
tcberner at FreeBSD.org
Wed Nov 28 21:13:55 UTC 2018
Author: tcberner
Date: Wed Nov 28 21:13:54 2018
New Revision: 486149
URL: https://svnweb.freebsd.org/changeset/ports/486149
Log:
net/messagelib: address CVE-2018-19516
messagelib is the library used by KMail to display emails.
messagelib by default displays emails as plain text, but gives the user
an option to "Prefer HTML to plain text" in the settings and if that option
is not enabled there is way to enable HTML display when an email contains HTML.
Some HTML emails can trick messagelib into opening a new browser window when
displaying said email as HTML.
This happens even if the option to allow the HTML emails to access
remote servers is disabled in KMail settings.
This means that the owners of the servers referred in the email can see
in their access logs your IP address.
https://www.kde.org/info/security/advisory-20181128-1.txt
MFH: 2018Q4
Security: c7b1af20-f34f-11e8-9cde-e0d55e2a8bf9
Added:
head/net/messagelib/files/
head/net/messagelib/files/patch-git_347659 (contents, props changed)
Modified:
head/net/messagelib/Makefile
Modified: head/net/messagelib/Makefile
==============================================================================
--- head/net/messagelib/Makefile Wed Nov 28 21:07:31 2018 (r486148)
+++ head/net/messagelib/Makefile Wed Nov 28 21:13:54 2018 (r486149)
@@ -2,7 +2,7 @@
PORTNAME= messagelib
DISTVERSION= ${KDE_APPLICATIONS_VERSION}
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= net kde kde-applications
MAINTAINER= kde at FreeBSD.org
Added: head/net/messagelib/files/patch-git_347659
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/net/messagelib/files/patch-git_347659 Wed Nov 28 21:13:54 2018 (r486149)
@@ -0,0 +1,19 @@
+From 34765909cdf8e55402a8567b48fb288839c61612 Mon Sep 17 00:00:00 2001
+From: Laurent Montel <montel at kde.org>
+Date: Fri, 23 Nov 2018 07:37:02 +0100
+Subject: Exclude Refresh from MetaData (Not necessary)
+
+--- messageviewer/src/messagepartthemes/default/defaultrenderer.cpp.orig 2018-10-31 06:56:07 UTC
++++ messageviewer/src/messagepartthemes/default/defaultrenderer.cpp
+@@ -308,6 +308,11 @@ QString processHtml(const QString &htmlSource, QString
+ return htmlSource;
+ }
+ extraHead = s.mid(startIndex + 6 , endIndex - startIndex - 6);
++ //Don't authorize to refresh content.
++ if (s.contains(QStringLiteral("http-equiv=\"REFRESH\""), Qt::CaseInsensitive)) {
++ extraHead.clear();
++ }
++
+ s = s.mid(endIndex + 7).trimmed();
+ }
+
More information about the svn-ports-all
mailing list