Add ruqola advisory

CCMAIL: kde-security-preannounce@kde.org

Add ruqola advisory
CCMAIL: kde-security-preannounce@kde.org
a097f13f · David Faure · a33d4826 · a097f13f · a097f13f
Commit a097f13f authored Nov 29, 2022 by David Faure
--- a/content/info/security/advisory-20221129-1.txt
+++ b/content/info/security/advisory-20221129-1.txt
+KDE Project Security Advisory
+=============================
+
+Title:           Ruqola: server info dialog can execute local binary
+Risk Rating:     Low
+Versions:        Ruqola <= 1.8.1
+Author:          David Faure <faure@kde.org>
+Date:            24 November 2022
+
+Overview
+========
+
+A user can be tricked into launching a local executable from Ruqola.
+
+An attacker could document that users should configure a rocket chat server with a local file URL pointing to an executable. Uninformed users who would then click on the URL in the "Server Info" dialog box would end up launching this local executable unexpectedly.
+
+Impact
+======
+
+Depends on the local executable being launched.
+If the attacker ensures that a malicious shell script exists somewhere in the system
+first, by other means, this could be a way to get the user to execute it.
+
+Workaround
+==========
+
+Not clicking on the "Server URL" in the "Server Info" dialog box.
+
+Solution
+========
+
+Update to Ruqola 5.8.2
+or apply this patch: https://invent.kde.org/network/ruqola/-/commit/2c4ad7efd0fd30c
+
+Credits
+=======
+
+Thanks to Mishra Dhiraj for reporting the issue.
+Thanks to Laurent Montel for fixing the issue.
+Thanks to both of them for reviewing the advisory.
+
--- a/content/info/security/index.md
+++ b/content/info/security/index.md
@@ -38,6 +38,7 @@ The KDE Security Advisories are crosslinked in the KDE Information Pages of
 the KDE versions to which they apply to. The listing below is in chronological
 order.

+ <a href="./advisory-20221129-1.txt">2022-11-29 Ruqola: server info dialog can execute local binary</a>
 + <a href="./advisory-20220216-1.txt">2022-02-16 kcron: Invalid temporary file handling.</a>
 + <a href="./advisory-20220131-1.txt">2022-01-31 KTextEditor/Kate: Missing validation of binaries executed via QProcess.</a>
 + <a href="./advisory-20211118-1.txt">2021-11-18 KMail: Encryption is ignored when "Server requires authentication" not checked in UI.</a>