Fwd: [kde-announce] KDE Project Security Advisory: kio-extras: HTML Thumbnailer automatic
valorie.zimmerman at gmail.com
Wed Nov 14 02:47:47 UTC 2018
---------- Forwarded message ---------
From: Jonathan Riddell <jr at jriddell.org>
Date: Tue, Nov 13, 2018 at 8:01 AM
Subject: Re: [kde-announce] KDE Project Security Advisory: kio-extras: HTML
To: <neon at kde.org>
I've patched our package to not make this file too.
On Mon, Nov 12, 2018 at 06:55:00PM +0100, Albert Astals Cid wrote:
> remote file access
> KDE Project Security Advisory
> Title: kio-extras: HTML Thumbnailer automatic remote file access
> Risk Rating: Low
> CVE: CVE-2018-19120
> Versions: KDE Applications < 18.12.0
> Date: 12 November 2018
> Various KDE applications share a plugin system to create thumbnails
> of various file types for displaying in file managers, file dialogs, etc.
> kio-extras contains a thumbnailer plugin for HTML files.
> The HTML thumbnailer was incorrectly accessing some content of
> remote URLs listed in HTML files. This meant that the owners of the
> remote URLs referred to in HTML files on your system could have seen
> your IP address in their access logs every time the thumbnailer tried
> to create the thumbnail.
> The HTML thumbnailer has been removed in upcoming KDE Applications 18.12.0
> because it was actually not creating thumbnails for files at all.
> Remove the HTML Thumbnailer plugin from your system.
> The file name is htmlthumbnail.so and should be in your Qt plugin path.
> The Qt plugin path can be queried with
>     qmake -query QT_INSTALL_PLUGINS
> Update to KDE Applications >= 18.12.0
> Thanks to Dennis "demlak" Klose for the report.
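
An added audit script, not part of the advisory or of any KDE or Neon tooling: it reports whether htmlthumbnail.so is still present under the directory returned by the advisory's qmake query, without deleting anything. The function names and the SCAN variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report leftover copies of the HTML thumbnailer plugin
# named in the advisory (CVE-2018-19120). Report-only, nothing is removed.

PLUGIN_NAME="htmlthumbnail.so"

# find_html_thumbnailer DIR...
# Prints the path of every htmlthumbnail.so found below the given
# directories. Returns 0 if at least one copy exists, 1 if none.
find_html_thumbnailer() {
    found=1
    for dir in "$@"; do
        # A missing directory simply contributes no findings.
        [ -d "$dir" ] || continue
        hits=$(find "$dir" -name "$PLUGIN_NAME" \( -type f -o -type l \) \
                   2>/dev/null || true)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=0
        fi
    done
    return "$found"
}

# scan_qt_plugin_path
# Resolves the Qt plugin path with the command given in the advisory and
# searches it. Returns 2 if qmake is unavailable or the query fails.
scan_qt_plugin_path() {
    if ! command -v qmake >/dev/null 2>&1; then
        echo "qmake not found; call find_html_thumbnailer DIR instead" >&2
        return 2
    fi
    plugin_dir=$(qmake -query QT_INSTALL_PLUGINS) || return 2
    find_html_thumbnailer "$plugin_dir"
}

# Run against the live system only when asked to: SCAN=1 sh <this file>
if [ "${SCAN:-0}" = 1 ]; then
    if scan_qt_plugin_path; then
        echo "HTML thumbnailer still installed (paths listed above)" >&2
    else
        echo "no $PLUGIN_NAME found, or the plugin path could not be queried" >&2
    fi
fi
```

Any path printed belongs to a package that still ships the plugin; remove the file or update to KDE Applications >= 18.12.0 as the advisory directs.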