Fedora has issued an advisory on November 19: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CWRCGXLPJHM4OFD66BINH2FIMYHRCRKF/ This issue with loading remote content in thumbnailers was fixed upstream in 18.08.3 (I think they just disabled loading remote content). Upstream advisory from November 12: https://www.kde.org/info/security/advisory-20181012-1.txt
Fixed both Cauldron and mga6!
CC: (none) => geiger.david68210
Advisory:
========================

Updated kio-extras packages fix security vulnerability:

The HTML thumbnailer was incorrectly accessing some content of remote URLs listed in HTML files. This meant that the owners of the servers referred in HTML files in your system could have seen in their access logs your IP address every time the thumbnailer tried to create the thumbnail (CVE-2018-19120).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19120
https://www.kde.org/info/security/advisory-20181012-1.txt
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CWRCGXLPJHM4OFD66BINH2FIMYHRCRKF/
========================

Updated packages in core/updates_testing:
========================

kio-extras-17.12.2-4.1.mga6
libmolletnetwork17-17.12.2-4.1.mga6
libkioarchive5-17.12.2-4.1.mga6
libkioarchive-devel-17.12.2-4.1.mga6
kio-extras-handbook-17.12.2-4.1.mga6

from kio-extras-17.12.2-4.1.mga6.src.rpm
Assignee: kde => qa-bugs
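The advisory's point is that a thumbnailer rendering a local HTML file must never resolve the remote resources that file references, because each fetch hands the viewer's IP address to the referenced server's access log. Below is an added example (written for this page; it is not kio-extras code and does not appear anywhere in this bug report) of the check a thumbnailer or a file scanner can apply before rendering: it walks the fetching attributes of an HTML document, resolves each URL against the file's own location, and reports any that would leave the local filesystem. All function names, the attribute table and the sample HTML are this example's own assumptions.

```python
"""Flag remote references in an HTML file before thumbnailing it.

Added example, not from kio-extras or the Mageia thread. Function names,
the attribute table and SAMPLE_HTML below are this example's own.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes whose value a renderer fetches while laying out the page.
# (Assumed list for illustration; a real renderer has more of these.)
FETCHING_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
    "embed": ("src",),
}

REMOTE_SCHEMES = {"http", "https", "ftp"}


def is_remote(url, base="file:///"):
    """True if resolving `url` against `base` would cause a network fetch."""
    parts = urlsplit(urljoin(base, url.strip()))
    if parts.scheme in REMOTE_SCHEMES:
        return True
    if parts.scheme == "" and parts.netloc:
        return True  # protocol-relative //host/path still names a host
    if parts.scheme == "file" and parts.netloc not in ("", "localhost"):
        return True  # file://host/share is a network share, not local disk
    return False


class RemoteRefCollector(HTMLParser):
    """Collect (tag, attribute, url) for every reference that is remote."""

    def __init__(self, base):
        super().__init__()
        self.base = base
        self.remote = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCHING_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name not in wanted or value is None:
                continue
            candidates = [value]
            if name == "srcset":
                # srcset is "url descriptor, url descriptor, ..."
                candidates = [c.strip().split()[0]
                              for c in value.split(",") if c.strip()]
            for url in candidates:
                if is_remote(url, self.base):
                    self.remote.append((tag, name, url))


def remote_references(html, base="file:///home/user/page.html"):
    """Return every reference in `html` that would leave the local machine."""
    parser = RemoteRefCollector(base)
    parser.feed(html)
    parser.close()
    return parser.remote


def safe_to_thumbnail(html, base="file:///home/user/page.html"):
    """Policy in the spirit of the upstream fix: no remote loads at all."""
    return not remote_references(html, base)


# Constructed sample: two local references and three that would leak the
# viewer's IP address to example hosts if a thumbnailer fetched them.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="style.css">
<script src="https://tracker.example/beacon.js"></script>
</head><body>
<img src="logo.png"><img src="//cdn.example/pixel.gif">
<img srcset="small.png 1x, http://cdn.example/large.png 2x">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in remote_references(SAMPLE_HTML):
        print(f"remote load via <{tag} {attr}>: {url}")
    print("safe to thumbnail:", safe_to_thumbnail(SAMPLE_HTML))
```

The distinction the check draws is by resolved scheme and host, not by how the URL is spelled in the file: a protocol-relative `//host/path` or a `file://host/share` reference resolves to a network target just as an absolute `https://` one does, so all three are refused, while `data:` URLs and relative paths stay local and pass.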
MGA6-32 MATE on IBM Thinkpad R50e No installation issues. This seems to be all KDE (Plasma) stuff, but this laptop has no Plasma installed. But at least the update installed cleanly and no harm seems to be done.
CC: (none) => herman.viaene
Wanting to try M6/64...

PRE-update:
kio-extras-handbook-17.12.2-4.mga6
kio-extras-17.12.2-4.mga6

I have spent too long trying to raise the handbook, to discover how to invoke the HTML thumbnailer. The files installed by the handbook are very many:
/usr/share/doc/HTML/[lang]/kioslave5/* [nothing in kioslave/]
but not directly viewable. Taking 'en' as an example:

$ pwd
/usr/share/doc/HTML/en/kioslave5/
$ tree
...
├── help
│   ├── documentationnotfound
│   │   ├── index.cache.bz2
│   │   └── index.docbook
│   ├── index.cache.bz2
│   └── index.docbook
...
├── thumbnail
│   ├── index.cache.bz2
│   └── index.docbook
...

I think 'thumbnail' is what we want. BTAIM I found no way from the KDE Help system of locating, let alone reading, it. If anybody can point the way, please do. Otherwise I shall go just for a clean update.
CC: (none) => lewyssmith
M6 x64

This thing is crazy. I already have
kio-extras-17.12.2-4.mga6 & kio-extras-handbook-17.12.2-4.mga6
Thinking to add at least libmolletnetwork17 & libkioarchive5, these first wanted an obscure dependency, one of:
1- libmesaegl1-17.3.9-1.mga6.i586: Files for Mesa (EGL libs) (gosod)
2- x11-driver-video-vboxvideo-5.2.6-1.mga6.i586: The X.org driver for video in VirtualBox guests (gosod)
Not willingly. 32-bit? And no VBox here. I accepted 1 which led to it wanting to install *82* pkgs. No thanks.

I have already 'tested' a very similar bug using Kmail with HTML messages containing external elements, and that would be the best I could do beyond a clean update of just the two pkgs cited initially.

@ either David: Your view please.
Keywords: (none) => advisory
I would imagine this is used for creating thumbnails in Dolphin if you have it enabled. The urpmi question looks like a bug in the virtualbox package.
Lewis, libmolletnetwork17-17.12.2-4.1.mga6 and libkioarchive5-17.12.2-4.1.mga6 are the 32-bit libraries, and if you select them it will no doubt seek to bring in many unwanted 32-bit dependencies. The 64-bit libraries are lib64molletnetwork17-17.12.2-4.1.mga6 and lib64kioarchive5-17.12.2-4.1.mga6, not on the list in Comment 2. Those are the packages you needed to install.

If you installed your Plasma system from the 6.1 Live Plasma iso, the vboxvideo driver is installed, even on real hardware. I don't know why. It doesn't seem to hurt anything, so I've just been leaving it there. I don't *think* it would hurt to remove it, but I don't know.
CC: (none) => andrewsfarm
Checking before installing anything, and while I have several preview types enabled in Dolphin, html was not among them. But, even after activating html previews, html file previews still did not show.

I updated the following packages:
kio-extras-17.12.2-4.1.mga6
lib64molletnetwork17-17.12.2-4.1.mga6
lib64kioarchive5-17.12.2-4.1.mga6
and then installed kio-extras-handbook-17.12.2-4.1.mga6.

I then went back to Dolphin, and still had all the previews I did before. I did not have any new ones, including html previews.

Looking further, I see the vulnerability discussed at https://bugzilla.redhat.com/show_bug.cgi?id=1649420 where they state "The HTML thumbnailer has been removed in upcoming KDE Applications 18.12.0 because it was actually not creating thumbnails for files at all." So I guess that I shouldn't be surprised that I'm not seeing any html thumbnails.

This is OK for 64-bit. Validating.
Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Thanks TJ for doing this; and reminding me of the obvious question of lib... v lib64... which trap I had completely forgotten. I am too rusty - barking up wrong trees, not even having explored what uses kio-extras:
- dolphin
- gwenview
- plasma-desktop
My entire c5 is nonsense (probably also c4)!
After having the QA Repo tool fail on me a few times when I tried a simple copy-and-paste to enter the needed file list, I have learned to look for the lib64 thing almost automatically. You will, too.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0477.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED