Uncontrolled XMLHTTPRequest vulnerability

Bug #661416 reported by Felix Geyer on 2010-10-15
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
kdelibs (Ubuntu)
Undecided
Unassigned
Lucid
Undecided
Steve Beattie
Maverick
Undecided
Steve Beattie

Bug Description

Binary package hint: kdelibs

In kdelibs 4:3.5.10.dfsg.1-3ubuntu1 the patch security_05_XMLHttpRequest_vulnerability.diff has been accidentally dropped.
It has been pushed to hardy-karmic some time ago and I just uploaded it to natty.
So currently lucid and maverick are vulnerable.

Felix Geyer (debfx) on 2010-10-15
visibility: private → public
Changed in kdelibs (Ubuntu):
status: New → Fix Released
Felix Geyer (debfx) wrote :

kdelibs (4:3.5.10.dfsg.1-3ubuntu2.10.10.1) maverick-security; urgency=low

  * SECURITY UPDATE: uncontrolled XMLHTTPRequest vulnerability. (LP: #661416)
    - Ark and KMail performs insufficient validation which leads to
      specially crafted archive files, using unknown MIME types, to be
      rendered using a KHTML instance, this can trigger uncontrolled
      XMLHTTPRequests to remote sites.
    - Add debian/patches/security_05_XMLHttpRequest_vulnerability.diff,
      restricts xmlhttprequest to http protocols only.
      This patch has been accidentally dropped in 4:3.5.10.dfsg.1-3ubuntu1.
    - http://www.kde.org/info/security/advisory-20091027-1.txt
    - oCert: #2009-015 http://www.ocert.org/advisories/ocert-2009-015.html
    - CVE n/a
  * Fix FTBFS: disable parallel building.

 -- Felix Geyer <email address hidden> Fri, 15 Oct 2010 21:19:11 +0200

Felix Geyer (debfx) wrote :

kdelibs (4:3.5.10.dfsg.1-3ubuntu2.10.04.1) lucid-security; urgency=low

  * SECURITY UPDATE: uncontrolled XMLHTTPRequest vulnerability. (LP: #661416)
    - Ark and KMail performs insufficient validation which leads to
      specially crafted archive files, using unknown MIME types, to be
      rendered using a KHTML instance, this can trigger uncontrolled
      XMLHTTPRequests to remote sites.
    - Add debian/patches/security_05_XMLHttpRequest_vulnerability.diff,
      restricts xmlhttprequest to http protocols only.
      This patch has been accidentally dropped in 4:3.5.10.dfsg.1-3ubuntu1.
    - http://www.kde.org/info/security/advisory-20091027-1.txt
    - oCert: #2009-015 http://www.ocert.org/advisories/ocert-2009-015.html
    - CVE n/a
  * Fix FTBFS: disable parallel building.

 -- Felix Geyer <email address hidden> Fri, 15 Oct 2010 21:19:11 +0200

Changed in kdelibs (Ubuntu Lucid):
status: New → Confirmed
Changed in kdelibs (Ubuntu Maverick):
status: New → Confirmed
Steve Beattie (sbeattie) wrote :

Thanks, I've done some local test builds and have uploaded these to the ubuntu-security-proposed ppa https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/ and will release them to the lucid and maverick security pocket soon.

Changed in kdelibs (Ubuntu Lucid):
status: Confirmed → Fix Committed
Changed in kdelibs (Ubuntu Maverick):
status: Confirmed → Fix Committed
Changed in kdelibs (Ubuntu Lucid):
assignee: nobody → Steve Beattie (sbeattie)
Changed in kdelibs (Ubuntu Maverick):
assignee: nobody → Steve Beattie (sbeattie)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kdelibs - 4:3.5.10.dfsg.1-3ubuntu2.10.04.1

---------------
kdelibs (4:3.5.10.dfsg.1-3ubuntu2.10.04.1) lucid-security; urgency=low

  * SECURITY UPDATE: uncontrolled XMLHTTPRequest vulnerability. (LP: #661416)
    - Ark and KMail performs insufficient validation which leads to
      specially crafted archive files, using unknown MIME types, to be
      rendered using a KHTML instance, this can trigger uncontrolled
      XMLHTTPRequests to remote sites.
    - Add debian/patches/security_05_XMLHttpRequest_vulnerability.diff,
      restricts xmlhttprequest to http protocols only.
      This patch has been accidentally dropped in 4:3.5.10.dfsg.1-3ubuntu1.
    - http://www.kde.org/info/security/advisory-20091027-1.txt
    - oCert: #2009-015 http://www.ocert.org/advisories/ocert-2009-015.html
    - CVE n/a
  * Fix FTBFS: disable parallel building.
 -- Felix Geyer <email address hidden> Fri, 15 Oct 2010 21:19:11 +0200

Changed in kdelibs (Ubuntu Lucid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kdelibs - 4:3.5.10.dfsg.1-3ubuntu2.10.10.1

---------------
kdelibs (4:3.5.10.dfsg.1-3ubuntu2.10.10.1) maverick-security; urgency=low

  * SECURITY UPDATE: uncontrolled XMLHTTPRequest vulnerability. (LP: #661416)
    - Ark and KMail performs insufficient validation which leads to
      specially crafted archive files, using unknown MIME types, to be
      rendered using a KHTML instance, this can trigger uncontrolled
      XMLHTTPRequests to remote sites.
    - Add debian/patches/security_05_XMLHttpRequest_vulnerability.diff,
      restricts xmlhttprequest to http protocols only.
      This patch has been accidentally dropped in 4:3.5.10.dfsg.1-3ubuntu1.
    - http://www.kde.org/info/security/advisory-20091027-1.txt
    - oCert: #2009-015 http://www.ocert.org/advisories/ocert-2009-015.html
    - CVE n/a
  * Fix FTBFS: disable parallel building.
 -- Felix Geyer <email address hidden> Fri, 15 Oct 2010 21:19:11 +0200

Changed in kdelibs (Ubuntu Maverick):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers