XSS scripting vulnerability in kdelibs

Bug #743669 reported by Scott Kitterman on 2011-03-27
Affects              Importance  Assigned to
kde4libs (Ubuntu)    Medium      Unassigned
Karmic               Medium      Jamie Strandboge
Lucid                Medium      Jamie Strandboge
Maverick             Medium      Jamie Strandboge
Natty                Medium      Unassigned

Bug Description

Jeff Mitchell <email address hidden> wrote:

>Hello packagers,
>
>Tim Brown of Nth Dimension reported a vulnerability on Konqueror's
>error
>pages that could allow a XSS attack. It has been assigned
>CVE-2011-1168.
>Maksim Orlovich has provided the patch from the KDE side.
>
>After discussion we have decided to make the patches public from today,
>but to keep the details embargoed until KDE and Nth Security issue
>their
>respective security advisories, which will take place on April 11th --
>two weeks from today.
>
>The commits fixing the issue are the following:
>
>4.4: afaaf24
>4.5: da03cc0
>4.6: 8b06e2c
>trunk: aaa8c42
>
>You can get patches here:
>
>4.4:
>http://quickgit.kde.org/?p=kdelibs.git&a=blobdiff_plain&h=52a3a464960be6c9b05f593e3d424a5b80560d03&hp=77dc792cb2e2c79e3872060d23c1913304ff8427&f=khtml/khtml_part.cpp
>
>4.5:
>http://quickgit.kde.org/?p=kdelibs.git&a=blobdiff_plain&h=5d4b9b5a197f191b641712782479ff45b95c8b49&hp=6af7d4a0f525cfb7c70c0c613794afff86b81ba9&f=khtml/khtml_part.cpp
>
>4.6:
>http://quickgit.kde.org/?p=kdelibs.git&a=blobdiff_plain&h=fda41ceaa6e5ce7cbb50312cbe12be7a6f056c79&hp=d4098c3eadb0e3238643be749073dd54c22a5bbc&f=khtml/khtml_part.cpp
>
>trunk:
>http://quickgit.kde.org/?p=kdelibs.git&a=blobdiff_plain&h=ec89b0c8083989afb52ebde714e1fe757ab2e387&hp=35c1d30a781646138b5d74a00508390e1df707e7&f=khtml/khtml_part.cpp
>
>Thanks,
>Jeff
>_______________________________________________
>Kde-packager mailing list
><email address hidden>
>https://mail.kde.org/mailman/listinfo/kde-packager

Scott Kitterman (kitterman) wrote :

Note: This is an email to the private KDE packagers email list.

Changed in kde4libs (Ubuntu):
importance: Undecided → High
status: New → Confirmed

Scott Kitterman (kitterman) wrote :

Just as a reminder, this vulnerability will be made public on Monday.

Felix Geyer (debfx) wrote :

The vulnerability is already fixed in natty (kde4libs 4.6.2).

Felix Geyer (debfx) wrote :

debdiff for maverick

Felix Geyer (debfx) wrote :

debdiff for lucid

Scott Kitterman (kitterman) wrote :

The kde4libs in queue for maverick-proposed has this fix. debfx debdiff for maverick-security should still go out since the proposed upload will not get to end users for quite some time. No need to redo it for this issue though.

Changed in kde4libs (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in kde4libs (Ubuntu Maverick):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in kde4libs (Ubuntu Karmic):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in kde4libs (Ubuntu Natty):
importance: High → Medium
status: Confirmed → Invalid
Scott Kitterman (kitterman) wrote :
visibility: private → public
Jamie Strandboge (jdstrand) wrote :

Felix, thanks for the patches. I am preparing karmic-maverick uploads with your fixes along with a fix for CVE-2011-1094 (natty is not affected by this either).

Changed in kde4libs (Ubuntu Lucid):
status: Triaged → In Progress
Changed in kde4libs (Ubuntu Maverick):
status: Triaged → In Progress
Changed in kde4libs (Ubuntu Karmic):
status: Triaged → In Progress
Scott Kitterman (kitterman) wrote :

Is there a public patch for CVE-2011-1094 (preferably for KDE 4.5)? I want to make sure it's covered in my kde4libs upload that's in queue for maverick-proposed.

Jamie Strandboge (jdstrand) wrote :

Felix gave the correct URLs, but I am going with a slightly modified patch for what is in maverick now (specifically I am continuing to use 'QRegExp domainMatcher' instead of isMatchingHostname() to minimize change). Attached in case you need it.

Thanks. I got that one already from my review of KDE Git yesterday, so maverick-proposed is covered.

Scott Kitterman (kitterman) wrote :

I redid kde4libs with your patch and will upload it shortly. I can just reject the old one, so there's no impact on the archive.

Changed in kde4libs (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in kde4libs (Ubuntu Maverick):
status: In Progress → Fix Committed
Changed in kde4libs (Ubuntu Karmic):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde4libs - 4:4.5.1-0ubuntu8.1

---------------
kde4libs (4:4.5.1-0ubuntu8.1) maverick-security; urgency=low

  [ Felix Geyer ]
  * SECURITY UPDATE: fix XSS vulnerability in Konqueror's error pages
    - debian/patches/security_02_CVE-2011-1168.diff: upstream patch
    - CVE-2011-1168
    - LP: #743669

  [ Jamie Strandboge ]
  * SECURITY UPDATE: fix certificate verification for certificates issued
    against an IP address
    - debian/patches/security_03_CVE-2011-1094.diff: based on upstream patch
    - CVE-2011-1094
 -- Jamie Strandboge <email address hidden> Mon, 11 Apr 2011 10:13:52 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde4libs - 4:4.4.5-0ubuntu1.1

---------------
kde4libs (4:4.4.5-0ubuntu1.1) lucid-security; urgency=low

  [ Felix Geyer ]
  * SECURITY UPDATE: fix XSS vulnerability in Konqueror's error pages
    - debian/patches/security_02_CVE-2011-1168.diff: upstream patch
    - CVE-2011-1168
    - LP: #743669

  [ Jamie Strandboge ]
  * SECURITY UPDATE: fix certificate verification for certificates issued
    against an IP address
    - debian/patches/security_03_CVE-2011-1094.diff: based on upstream patch
    - CVE-2011-1094
 -- Jamie Strandboge <email address hidden> Mon, 11 Apr 2011 10:14:08 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde4libs - 4:4.3.2-0ubuntu7.3

---------------
kde4libs (4:4.3.2-0ubuntu7.3) karmic-security; urgency=low

  * SECURITY UPDATE: fix XSS vulnerability in Konqueror's error pages
    - debian/patches/security_03_CVE-2011-1168.diff: upstream patch
    - CVE-2011-1168
    - LP: #743669
  * SECURITY UPDATE: fix certificate verification for certificates issued
    against an IP address
    - debian/patches/security_04_CVE-2011-1094.diff: based on upstream patch
    - CVE-2011-1094
 -- Jamie Strandboge <email address hidden> Mon, 11 Apr 2011 10:19:40 -0500

Changed in kde4libs (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in kde4libs (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in kde4libs (Ubuntu Maverick):
status: Fix Committed → Fix Released