| Name | CVE-2016-7967 |
| Description | KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. Since the generated html is executed in the local file security context by default access to remote and local URLs was enabled. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| kf5-messagelib (PTS) | buster | 4:18.08.3-2 | fixed |
| bullseye | 4:20.08.3-5 | fixed |
| bookworm | 4:22.12.3-2~deb12u1 | fixed |
| trixie | 4:22.12.3-2 | fixed |
| sid | 4:22.12.3-2.1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| kf5-messagelib | source | (unstable) | (not affected) | | | |
Notes
- kf5-messagelib <not-affected> (Doesn't use qtwebengine, see bug #853241)
https://www.kde.org/info/security/advisory-20161006-2.txt
Fixed by: https://github.com/KDE/messagelib/commit/dfc6a86f1b25f1da04b8f1df5320fcdd7085bcc1 (16.11.80)
The issue is mitigated with the fixes applied for CVE-2016-7966, and a
user protected from this CVE by only viewing plain text mails.