Embargoed security issue (until 10/3)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
arora (Ubuntu) | Won't Fix | Undecided | Unassigned |
kde4libs (Ubuntu) | Fix Released | Undecided | Jamie Strandboge |
rekonq (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
This is from the private KDE packagers mailing list.
Hello packagers,
This issue is embargoed until October 3rd.
On October 3rd we will release a security advisory (20111003-1)
regarding QLabel spoofing. Tim Brown of Nth Dimension
(<email address hidden>) notified us that various dialog boxes are
able to be spoofed because QLabel's default behavior, rich text, is not
properly changed to plain text in important locations.
The CVEs are the following:
CVE-2011-3365 KDE KSSL
CVE-2011-3366 KDE Rekonq
CVE-2011-3367 Arora
As you can see, this affects multiple products, and not just KDE
products. At this time we have CVEs for KSSL, Rekonq, and Arora. I don't
have commit IDs for the last two, but I suggest checking with the
project maintainers or looking at their commit logs for the fixes
(keeping in mind the embargo, so private communication please).
The patch for KSSL for 4.6 is 9ca2b26fc67c3f9
and the patch for 4.7 is bd70d4e589711fd
It is quite possible that Kleopatra will receive a CVE as well; I'll
update you on the status of that as I can.
Finally, we've been in touch with Qt maintainers. They will be posting a
blog article reminding developers to be careful with QLabel sanitizing,
and put a warning in the API documentation as well.
Thanks,
Jeff
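An audit heuristic for the class of bug the advisory describes, added here as an example; it is not part of the advisory or of the KDE patches. It flags `setText()` calls that pass a non-literal value to a QLabel which the same file never switches to `Qt::PlainText`. The C++ sample and its variable names are constructed, and the scan covers only `setText()` on variables declared as `QLabel`.

```python
import re

# Constructed C++ sample in the style of a Qt dialog; not code from KSSL, Rekonq or Arora.
SAMPLE_CPP = '''\
QLabel *subject = new QLabel(this);
subject->setText(cert.subjectName());
QLabel *issuer = new QLabel(this);
issuer->setTextFormat(Qt::PlainText);
issuer->setText(cert.issuerName());
QLabel *title = new QLabel(this);
title->setText("<b>Certificate details</b>");
QLabel *warning = new QLabel(this);
warning->setText(i18n("Site: %1", url.host()));
'''

# Variables declared as QLabel (pointer, reference or value).
DECL = re.compile(r'\bQLabel\b\s*[*&]?\s*(\w+)\s*[=;(]')
# Labels explicitly switched to plain text.
PLAIN = re.compile(r'(\w+)\s*(?:->|\.)\s*setTextFormat\s*\(\s*Qt::PlainText\s*\)')
# setText() calls; group 2 is the full argument expression.
SET_TEXT = re.compile(r'(\w+)\s*(?:->|\.)\s*setText\s*\((.*)\)\s*;')
# A lone string literal, optionally wrapped in tr()/i18n() with no substitutions.
LITERAL = re.compile(r'^\s*(?:(?:tr|i18n)\s*\(\s*)?"(?:[^"\\]|\\.)*"\s*\)?\s*$')


def find_unpinned_labels(source):
    """Return [(line_no, variable, argument)] for every setText() call that feeds
    a non-literal value to a QLabel with no setTextFormat(Qt::PlainText) in the file."""
    labels = set(DECL.findall(source))
    pinned = set(PLAIN.findall(source))  # file-wide, regardless of call order
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        match = SET_TEXT.search(line)
        if not match:
            continue
        var, arg = match.group(1), match.group(2)
        # Literal text is developer-controlled; anything else may carry markup.
        if var in labels and var not in pinned and not LITERAL.match(arg):
            findings.append((line_no, var, arg.strip()))
    return findings


if __name__ == "__main__":
    for line_no, var, arg in find_unpinned_labels(SAMPLE_CPP):
        print(f"line {line_no}: {var}->setText({arg}) without Qt::PlainText")
```

Each hit is a candidate for review, not a confirmed flaw: the value may already be escaped or come from a trusted source.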
Changed in arora (Ubuntu):
status: New → Confirmed
Changed in kde4libs (Ubuntu):
status: New → Confirmed
Changed in rekonq (Ubuntu):
status: New → Confirmed
Changed in arora (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in kde4libs (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in arora (Ubuntu):
status: Confirmed → In Progress
Changed in kde4libs (Ubuntu):
status: Confirmed → In Progress
Changed in kde4libs (Ubuntu):
status: In Progress → Fix Committed
Although this is embargoed, I noticed the kssl fix in KDE git yesterday and pointed it out to Ubuntu security. It's included in the KDE 4.6.5 SRU that we're preparing.