Uncontrolled XMLHTTPRequest vulnerability

Bug #661416 reported by Felix Geyer
Affects          | Status       | Importance | Assigned to   | Milestone
kdelibs (Ubuntu) | Fix Released | Undecided  | Unassigned    |
Lucid            | Fix Released | Undecided  | Steve Beattie |
Maverick         | Fix Released | Undecided  | Steve Beattie |

Bug Description

Binary package hint: kdelibs

In kdelibs 4:3.5.10.dfsg.1-3ubuntu1 the patch security_05_XMLHttpRequest_vulnerability.diff was accidentally dropped.
It was pushed to hardy-karmic some time ago and I just uploaded it to natty.
So currently lucid and maverick are vulnerable.

Felix Geyer (debfx)
visibility: private → public
Changed in kdelibs (Ubuntu):
status: New → Fix Released
Felix Geyer (debfx) wrote:

kdelibs (4:3.5.10.dfsg.1-3ubuntu2.10.10.1) maverick-security; urgency=low

  * SECURITY UPDATE: uncontrolled XMLHTTPRequest vulnerability. (LP: #661416)
    - Ark and KMail perform insufficient validation, which allows
      specially crafted archive files using unknown MIME types to be
      rendered by a KHTML instance; this can trigger uncontrolled
      XMLHTTPRequests to remote sites.
    - Add debian/patches/security_05_XMLHttpRequest_vulnerability.diff,
      restricts xmlhttprequest to http protocols only.
      This patch has been accidentally dropped in 4:3.5.10.dfsg.1-3ubuntu1.
    - http://www.kde.org/info/security/advisory-20091027-1.txt
    - oCert: #2009-015 http://www.ocert.org/advisories/ocert-2009-015.html
    - CVE n/a
  * Fix FTBFS: disable parallel building.

 -- Felix Geyer <email address hidden> Fri, 15 Oct 2010 21:19:11 +0200

Felix Geyer (debfx) wrote:

kdelibs (4:3.5.10.dfsg.1-3ubuntu2.10.04.1) lucid-security; urgency=low

  * SECURITY UPDATE: uncontrolled XMLHTTPRequest vulnerability. (LP: #661416)
    - Ark and KMail perform insufficient validation, which allows
      specially crafted archive files using unknown MIME types to be
      rendered by a KHTML instance; this can trigger uncontrolled
      XMLHTTPRequests to remote sites.
    - Add debian/patches/security_05_XMLHttpRequest_vulnerability.diff,
      restricts xmlhttprequest to http protocols only.
      This patch has been accidentally dropped in 4:3.5.10.dfsg.1-3ubuntu1.
    - http://www.kde.org/info/security/advisory-20091027-1.txt
    - oCert: #2009-015 http://www.ocert.org/advisories/ocert-2009-015.html
    - CVE n/a
  * Fix FTBFS: disable parallel building.

 -- Felix Geyer <email address hidden> Fri, 15 Oct 2010 21:19:11 +0200
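The changelog above describes the mitigation only in one line: XMLHttpRequest is restricted to HTTP protocols, so a document that KHTML was talked into rendering (here an archive file with an unknown MIME type, served through a KIO slave rather than a web server) can no longer script requests against arbitrary URL schemes. The following C++ is an added illustration of that scheme allowlist written for this page; it is not the contents of security_05_XMLHttpRequest_vulnerability.diff and does not use KHTML or KUrl. The function names `schemeOf` and `xhrTargetAllowed` and the sample URLs are constructed for the example. Relative references are resolved against the document's own scheme, so a page rendered from a non-HTTP location cannot reach its own scheme through a relative URL either.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical helper (not KHTML code): extract the scheme of a URL as
// defined by RFC 3986 section 3.1:
//   scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
// Returns the lower-cased scheme, or "" when the string carries no scheme
// (a relative reference such as "/api/data" or "//host/x").
static std::string schemeOf(const std::string& url)
{
    std::size_t i = 0;
    // Browsers strip leading C0 controls and spaces before parsing; do the same
    // so "  javascript:..." is not mistaken for a relative reference.
    while (i < url.size() && static_cast<unsigned char>(url[i]) <= ' ') ++i;
    const std::size_t start = i;
    if (i >= url.size() || !std::isalpha(static_cast<unsigned char>(url[i]))) return "";
    ++i;
    while (i < url.size()) {
        const unsigned char c = static_cast<unsigned char>(url[i]);
        if (std::isalnum(c) || c == '+' || c == '-' || c == '.') { ++i; continue; }
        break;
    }
    if (i >= url.size() || url[i] != ':') return "";   // no ':' after the token: relative
    std::string scheme = url.substr(start, i - start);
    for (char& c : scheme) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return scheme;
}

// Policy check (constructed for this example): an XMLHttpRequest issued by a
// document whose own scheme is `documentScheme` may only target http or https.
// A relative request inherits the document's scheme, so a document rendered
// from file:/ or an archive slave is denied just like an absolute file:/ URL.
// Note that "localhost:8080/x" parses as scheme "localhost" per RFC 3986 and is
// therefore denied as well; that is the safe direction for an allowlist.
bool xhrTargetAllowed(const std::string& requestUrl, const std::string& documentScheme)
{
    std::string scheme = schemeOf(requestUrl);
    if (scheme.empty()) scheme = documentScheme;   // resolve relative reference
    for (char& c : scheme) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return scheme == "http" || scheme == "https";
}

int main()
{
    // Constructed sample requests: target URL plus the scheme of the requesting document.
    const struct { const char* url; const char* docScheme; } samples[] = {
        { "http://example.com/feed",      "http"  },
        { "HTTPS://example.com/feed",     "http"  },
        { "/relative/resource",           "https" },
        { "/relative/resource",           "file"  },
        { "//example.com/resource",       "tar"   },
        { "file:///etc/passwd",           "http"  },
        { "  javascript:doSomething()",   "http"  },
        { "data:text/html,payload",       "http"  },
    };
    for (const auto& s : samples) {
        std::cout << (xhrTargetAllowed(s.url, s.docScheme) ? "allow  " : "deny   ")
                  << "[doc=" << s.docScheme << "] " << s.url << '\n';
    }
    return 0;
}
```

Only the scheme is checked here because that is the only restriction the changelog names; a same-origin check or a KIO-slave allowlist would be separate policy decisions layered on top of this one.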

Changed in kdelibs (Ubuntu Lucid):
status: New → Confirmed
Changed in kdelibs (Ubuntu Maverick):
status: New → Confirmed
Steve Beattie (sbeattie) wrote:

Thanks, I've done some local test builds and have uploaded these to the ubuntu-security-proposed ppa https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/ and will release them to the lucid and maverick security pocket soon.

Changed in kdelibs (Ubuntu Lucid):
status: Confirmed → Fix Committed
Changed in kdelibs (Ubuntu Maverick):
status: Confirmed → Fix Committed
Changed in kdelibs (Ubuntu Lucid):
assignee: nobody → Steve Beattie (sbeattie)
Changed in kdelibs (Ubuntu Maverick):
assignee: nobody → Steve Beattie (sbeattie)
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package kdelibs - 4:3.5.10.dfsg.1-3ubuntu2.10.04.1

---------------
kdelibs (4:3.5.10.dfsg.1-3ubuntu2.10.04.1) lucid-security; urgency=low

  * SECURITY UPDATE: uncontrolled XMLHTTPRequest vulnerability. (LP: #661416)
    - Ark and KMail perform insufficient validation, which allows
      specially crafted archive files using unknown MIME types to be
      rendered by a KHTML instance; this can trigger uncontrolled
      XMLHTTPRequests to remote sites.
    - Add debian/patches/security_05_XMLHttpRequest_vulnerability.diff,
      restricts xmlhttprequest to http protocols only.
      This patch has been accidentally dropped in 4:3.5.10.dfsg.1-3ubuntu1.
    - http://www.kde.org/info/security/advisory-20091027-1.txt
    - oCert: #2009-015 http://www.ocert.org/advisories/ocert-2009-015.html
    - CVE n/a
  * Fix FTBFS: disable parallel building.

 -- Felix Geyer <email address hidden> Fri, 15 Oct 2010 21:19:11 +0200

Changed in kdelibs (Ubuntu Lucid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package kdelibs - 4:3.5.10.dfsg.1-3ubuntu2.10.10.1

---------------
kdelibs (4:3.5.10.dfsg.1-3ubuntu2.10.10.1) maverick-security; urgency=low

  * SECURITY UPDATE: uncontrolled XMLHTTPRequest vulnerability. (LP: #661416)
    - Ark and KMail perform insufficient validation, which allows
      specially crafted archive files using unknown MIME types to be
      rendered by a KHTML instance; this can trigger uncontrolled
      XMLHTTPRequests to remote sites.
    - Add debian/patches/security_05_XMLHttpRequest_vulnerability.diff,
      restricts xmlhttprequest to http protocols only.
      This patch has been accidentally dropped in 4:3.5.10.dfsg.1-3ubuntu1.
    - http://www.kde.org/info/security/advisory-20091027-1.txt
    - oCert: #2009-015 http://www.ocert.org/advisories/ocert-2009-015.html
    - CVE n/a
  * Fix FTBFS: disable parallel building.

 -- Felix Geyer <email address hidden> Fri, 15 Oct 2010 21:19:11 +0200

Changed in kdelibs (Ubuntu Maverick):
status: Fix Committed → Fix Released