XSS scripting vulnerability in kdelibs

Note: This is an email to the private KDE packagers email list.

Just as a reminder, this vulnerability will be made public on Monday.

The vulnerability is already fixed in natty (kde4libs 4.6.2).

debdiff for maverick

debdiff for lucid

The kde4libs in queue for maverick-proposed has this fix. debfx debdiff for maverick-security should still go out since the proposed upload will not get to end users for quite some time. No need to redo it for this issue thought.

The issue is public now.

http://www.nth-dimension.org.uk/downloads.php?id=82

http://www.kde.org/info/security/advisory-20110411-1.txt

Felix, thanks for the patches. I am preparing karmic-maverick uploads with your fixes along with a fix for CVE-2011-1094 (natty is not affected by this either).

Is there a public patch for CVE-2011-1094 (preferably for KDE 4.5)? I want to make sure it's covered in my kde4libs upload that's in queue for maverick-proposed.

4.4: http://quickgit.kde.org/?p=kdelibs.git&a=commit&h=3735e2eed5e0d59fcb7732258f7e6128e60954b2
4.5: http://quickgit.kde.org/?p=kdelibs.git&a=commit&h=23621737060e4df0fba238c25fb5b65f81181971

Felix gave the correct URLs, but I am going with a slightly modified patch for what is in maverick now (specifically I am continuing to use 'QRegExp domainMatcher' instead of isMatchingHostname() to minimize change). Attached in case you need it.

Thanks. I got that one already from my review of KDE Git yesterday, so
maverick-proposed is covered.

I redid kde4libs with your patch and will upload it shortly. I can just reject the old one, so there's no impact on the archive.

This bug was fixed in the package kde4libs - 4:4.5.1-0ubuntu8.1

---------------
kde4libs (4:4.5.1-0ubuntu8.1) maverick-security; urgency=low

  [ Felix Geyer ]
  * SECURITY UPDATE: fix XSS vulnerability in Konqueror's error pages
    - debian/patches/security_02_CVE-2011-1168.diff: upstream patch
    - CVE-2011-1168
    - LP: #743669

  [ Jamie Strandboge ]
  * SECURITY UPDATE: fix certificate verification for certificates issued
    against an IP address
    - debian/patches/security_03_CVE-2011-1094.diff: based on upstream patch
    - CVE-2011-1094
 -- Jamie Strandboge <email address hidden> Mon, 11 Apr 2011 10:13:52 -0500

This bug was fixed in the package kde4libs - 4:4.4.5-0ubuntu1.1

---------------
kde4libs (4:4.4.5-0ubuntu1.1) lucid-security; urgency=low

  [ Felix Geyer ]
  * SECURITY UPDATE: fix XSS vulnerability in Konqueror's error pages
    - debian/patches/security_02_CVE-2011-1168.diff: upstream patch
    - CVE-2011-1168
    - LP: #743669

  [ Jamie Strandboge ]
  * SECURITY UPDATE: fix certificate verification for certificates issued
    against an IP address
    - debian/patches/security_03_CVE-2011-1094.diff: based on upstream patch
    - CVE-2011-1094
 -- Jamie Strandboge <email address hidden> Mon, 11 Apr 2011 10:14:08 -0500

This bug was fixed in the package kde4libs - 4:4.3.2-0ubuntu7.3

---------------
kde4libs (4:4.3.2-0ubuntu7.3) karmic-security; urgency=low

  * SECURITY UPDATE: fix XSS vulnerability in Konqueror's error pages
    - debian/patches/security_03_CVE-2011-1168.diff: upstream patch
    - CVE-2011-1168
    - LP: #743669
  * SECURITY UPDATE: fix certificate verification for certificates issued
    against an IP address
    - debian/patches/security_04_CVE-2011-1094.diff: based on upstream patch
    - CVE-2011-1094
 -- Jamie Strandboge <email address hidden> Mon, 11 Apr 2011 10:19:40 -0500