Embargoed security issue (until 10/3)

Bug #857437 reported by Scott Kitterman on 2011-09-23
Affects             Status        Importance   Assigned to        Milestone
arora (Ubuntu)      Won't Fix     Undecided    Unassigned
kde4libs (Ubuntu)   Fix Released  Undecided    Jamie Strandboge
rekonq (Ubuntu)     Fix Released  Undecided    Unassigned

Bug Description

This is from the private KDE packagers mailing list.

Hello packagers,

This issue is embargoed until October 3rd.

On October 3rd we will release a security advisory (20111003-1)
regarding QLabel spoofing. Tim Brown of Nth Dimension
(<email address hidden>) notified us that various dialog boxes are
able to be spoofed because QLabel's default behavior, rich text, is not
properly changed to plain text in important locations.

The CVEs are the following:

CVE-2011-3365 KDE KSSL
CVE-2011-3366 KDE Rekonq
CVE-2011-3367 Arora

As you can see, this affects multiple products, and not just KDE
products. At this time we have CVEs for KSSL, Rekonq, and Arora. I don't
have commit IDs for the last two, but I suggest checking with the
project maintainers or looking at their commit logs for the fixes
(keeping in mind the embargo, so private communication please).

The patch for KSSL for 4.6 is 9ca2b26fc67c3f921e1943c1725fca623e395854
and the patch for 4.7 is bd70d4e589711fda9ab07738c46e37eee8376214.

It is quite possible that Kleopatra will receive a CVE as well; I'll
update you on the status of that as I can.

Finally, we've been in touch with Qt maintainers. They will be posting a
blog article reminding developers to be careful with QLabel sanitizing,
and put a warning in the API documentation as well.

Thanks,
Jeff
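
The mechanism behind the CVEs above, as an added example that is not code from KDE, Qt, Arora or this bug report: QLabel's default text format is Qt::AutoText, so the label runs a heuristic (Qt::mightBeRichText) over whatever string it is handed and, when the string starts with something that looks like an HTML tag, renders it as rich text. A dialog that copies an attacker-chosen value such as a certificate subject into such a label can therefore be made to show bold text, colours or a fake status line. The block below is a standalone, simplified C++ port of that heuristic (no Qt dependency; the known-tag list, the helper names and the sample certificate field are assumptions of this example) next to the fix the description refers to, forcing the label to plain text with QLabel::setTextFormat(Qt::PlainText), and the alternative for a label that must stay rich text, escaping the untrusted part as Qt::escape() (Qt 4) or QString::toHtmlEscaped() (Qt 5) do.

```cpp
// Added example (not code from KDE, Qt, Arora or this bug report): a
// standalone, simplified re-implementation of the heuristic behind
// Qt::AutoText, QLabel's default text format, plus the two fixes.
// The known-tag list, helper names and sample certificate field are
// this example's assumptions.
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

enum class TextFormat { AutoText, PlainText, RichText };

static std::string toLower(const std::string& s) {
    std::string out;
    for (char c : s) out += static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return out;
}

// Qt checks the tag name against its full HTML element table; this short
// list is an assumption covering the tags a spoofer would reach for.
static bool isKnownTag(const std::string& tag) {
    static const std::vector<std::string> known = {
        "b", "i", "u", "font", "span", "p", "br", "a", "img", "table", "div", "html", "body"};
    const std::string lower = toLower(tag);
    for (const auto& k : known) if (k == lower) return true;
    return false;
}

// Simplified port of Qt::mightBeRichText(): the first '<' on the first line
// must open a tag whose name is a known HTML element. A leading "<!doc" or an
// "&lt;" entity seen before any '<' also counts as rich text.
bool mightBeRichText(const std::string& text) {
    size_t start = 0;
    while (start < text.size() && std::isspace(static_cast<unsigned char>(text[start]))) ++start;
    if (start >= text.size()) return false;
    if (toLower(text.substr(start, 5)) == "<!doc") return true;

    size_t open = start;
    while (open < text.size() && text[open] != '<' && text[open] != '\n') {
        if (text[open] == '&' && text.compare(open + 1, 3, "lt;") == 0) return true;
        ++open;
    }
    if (open >= text.size() || text[open] != '<') return false;
    const size_t close = text.find('>', open);
    if (close == std::string::npos) return false;

    std::string tag;
    for (size_t i = open + 1; i < close; ++i) {
        const unsigned char c = static_cast<unsigned char>(text[i]);
        if (std::isalnum(c)) tag += text[i];
        else if (!tag.empty() && std::isspace(c)) break;
        else if (!tag.empty() && text[i] == '/' && i + 1 == close) break;
        else if (!std::isspace(c) && (!tag.empty() || text[i] != '!')) return false;
    }
    return isKnownTag(tag);
}

// Would a QLabel with this text format render `text` as markup?
// Qt::AutoText (the default) defers to the heuristic above.
bool labelInterpretsMarkup(const std::string& text, TextFormat format) {
    switch (format) {
        case TextFormat::RichText:  return true;
        case TextFormat::PlainText: return false;  // fix (a): label->setTextFormat(Qt::PlainText)
        case TextFormat::AutoText:  return mightBeRichText(text);
    }
    return false;
}

// Fix (b), for labels that must stay rich text: escape the untrusted part,
// as Qt::escape() (Qt 4) / QString::toHtmlEscaped() (Qt 5) do.
std::string escapeHtml(const std::string& s) {
    std::string out;
    out.reserve(s.size());
    for (char c : s) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            default:   out += c;
        }
    }
    return out;
}

// Trusted markup around an escaped, attacker-controlled certificate field.
std::string issuedToLine(const std::string& subjectCn) {
    return "<b>Issued to:</b> " + escapeHtml(subjectCn);
}

// Constructed sample: a subject CN crafted to paint a green "verified" banner
// into an SSL information dialog whose label keeps the AutoText default.
const std::string kSpoofedCn =
    "<font color=\"green\">Verified: bank.example</font> attacker.example";

int main() {
    std::cout << "AutoText renders the spoofed CN as markup: "
              << labelInterpretsMarkup(kSpoofedCn, TextFormat::AutoText) << "\n"
              << "PlainText renders it as markup:            "
              << labelInterpretsMarkup(kSpoofedCn, TextFormat::PlainText) << "\n"
              << "Escaped for a rich-text label: " << issuedToLine(kSpoofedCn) << "\n";
    return 0;
}
```

One quirk worth knowing: the heuristic treats a leading "&lt;" entity as a rich-text hint, so escaping does not make an AutoText label fall back to plain text; it makes the injected markup render as literal characters, which is still safe. Where a label only ever displays data, forcing Qt::PlainText is the simpler fix.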

Scott Kitterman (kitterman) wrote :

Although this is embargoed, I noticed the kssl fix in KDE git yesterday and pointed it out to Ubuntu security. It's included in the KDE 4.6.5 SRU that we're preparing.

summary: - Embargoed security issue
+ Embargoed security issue (until 10/3)
Changed in arora (Ubuntu):
status: New → Confirmed
Changed in kde4libs (Ubuntu):
status: New → Confirmed
Changed in rekonq (Ubuntu):
status: New → Confirmed
Romain Perier (rperier) wrote :

See the fix for oneiric in attachment

Romain Perier (rperier) wrote :

The fix for kde4libs in natty

Scott Kitterman (kitterman) wrote :
visibility: private → public
Felix Geyer (debfx) wrote :

rekonq <= 0.7 seems to be using KSslInfoDialog from kdelibs and 0.7.90 already contains the fix.

Changed in rekonq (Ubuntu):
status: Confirmed → Fix Released
Marc Deslauriers (mdeslaur) wrote :

Upstream says the following commits are necessary:

    4.6 branch: 9ca2b26f 90607b28
    4.7 branch: bd70d4e5 86622e4d
    frameworks: bd70d4e5 86622e4d

Which means the debdiffs in #2 and #3 are incomplete. NACK.

Scott Kitterman (kitterman) wrote :

I think kde4libs is fixed in natty-updates as part of the 4.6.5 upgrade.

The attachment "Fix for kde4libs 4.7.1 in oneiric" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Changed in arora (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in kde4libs (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in arora (Ubuntu):
status: Confirmed → In Progress
Changed in kde4libs (Ubuntu):
status: Confirmed → In Progress
Jamie Strandboge (jdstrand) wrote :

Confirmed natty kde4libs is fixed

Jamie Strandboge (jdstrand) wrote :

Confirmed rekonq in natty and earlier does not have the affected code.

Jamie Strandboge (jdstrand) wrote :

arora is only affected if qt is compiled without ssl support. Marking "Won't Fix".

Changed in arora (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
status: In Progress → Won't Fix
Changed in kde4libs (Ubuntu):
status: In Progress → Fix Committed
Marc Deslauriers (mdeslaur) wrote :

Unsubscribing ubuntu-sponsors, as this is being handled by the security team.

Jamie Strandboge (jdstrand) wrote :

kde4libs is fixed now in Oneiric and Precise. I just unembargoed kde4libs for lucid-natty. Marking Fix Released.

Changed in kde4libs (Ubuntu):
status: Fix Committed → Fix Released