security: Insufficient Input Validation By IO Slaves and Webkit Part

Bug #1393479 reported by Jonathan Riddell
This bug affects 1 person
Affects               Status        Importance  Assigned to  Milestone
kde-runtime (Ubuntu)  Fix Released  Undecided   Unassigned
  Precise             Fix Released  Undecided   Unassigned
  Trusty              Fix Released  Undecided   Unassigned
  Utopic              Fix Released  Undecided   Unassigned
  Vivid               Fix Released  Undecided   Unassigned
kio-extras (Ubuntu)   Fix Released  Undecided   Unassigned
  Precise             Invalid       Undecided   Unassigned
  Trusty              Invalid       Undecided   Unassigned
  Utopic              Invalid       Undecided   Unassigned
  Vivid               Fix Released  Undecided   Unassigned
webkitkde (Ubuntu)    Fix Released  Undecided   Unassigned
  Precise             Fix Released  Undecided   Unassigned
  Trusty              Fix Released  Undecided   Unassigned
  Utopic              Fix Released  Undecided   Unassigned
  Vivid               Fix Released  Undecided   Unassigned

Bug Description

https://www.kde.org/info/security/advisory-20141113-1.txt

Overview
========

kwebkitpart and the bookmarks:// io slave were not sanitizing input correctly, allowing
some JavaScript to be executed in the context of the referenced hostname. For example, going to
   bookmarks://hhdhdhhdhdhdh.google.com/'><script>alert('bookmarks'+document.domain);</script>
in Konqueror makes a Javascript alert popup.

Impact
======

Whilst in most cases, the JavaScript will be executed in an untrusted context, with the bookmarks IO slave,
it will be executed in the context of the referenced hostname. In the example above, this is hhdhdhhdhdhdh.google.com.
It should however be noted that KDE mitigates this risk by attempting to ensure that such URLs cannot be embedded directly
into Internet hosted content.

Rohan Garg (rohangarg)
information type: Public → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package webkitkde - 1.3.4-1ubuntu1

---------------
webkitkde (1.3.4-1ubuntu1) vivid; urgency=medium

  * SECURITY UPDATE: Insufficient Input Validation By IO Slaves and
    Webkit Part
   - Add upstream_cve-2014-8600.diff to escape protocol twice: once
     for i18n, and once for HTML
   - https://www.kde.org/info/security/advisory-20141113-1.txt
   - CVE-2014-8600
   - LP: #1393479
 -- Jonathan Riddell <email address hidden> Mon, 17 Nov 2014 17:44:29 +0100

Changed in webkitkde (Ubuntu Vivid):
status: New → Fix Released
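
The reflected-input flaw from the advisory and the changelog's "escape protocol twice" fix, as an added C++ example that is not KDE's or Ubuntu's patch. `toy_message`, its entity-resolving behaviour and the `Wrong request: %1` template are assumptions standing in for a formatting layer that undoes one level of escaping before the text reaches HTML.

```cpp
#include <iostream>
#include <string>
// Escape the characters that can change HTML markup or attribute context.
std::string html_escape(const std::string& in) {
    std::string out;
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

static void replace_all(std::string& s, const std::string& from, const std::string& to) {
    for (std::size_t pos = 0; (pos = s.find(from, pos)) != std::string::npos; pos += to.size())
        s.replace(pos, from.size(), to);
}

// Hypothetical message layer (an assumption, not KDE's i18n code): fills %1,
// then resolves one level of entities, as a markup-aware formatter might.
std::string toy_message(std::string tmpl, const std::string& arg) {
    std::size_t slot = tmpl.find("%1");
    if (slot != std::string::npos) tmpl.replace(slot, 2, arg);
    const char* table[][2] = {{"&lt;", "<"}, {"&gt;", ">"}, {"&quot;", "\""},
                              {"&#39;", "'"}, {"&amp;", "&"}};  // "&amp;" last
    for (auto& e : table) replace_all(tmpl, e[0], e[1]);
    return tmpl;
}

// `escapes` is how many times the URL is HTML-escaped before formatting.
std::string render_error_page(const std::string& url, int escapes) {
    std::string arg = url;
    for (int i = 0; i < escapes; ++i) arg = html_escape(arg);
    return "<html><body><p>" + toy_message("Wrong request: %1", arg) + "</p></body></html>";
}
bool has_live_script(const std::string& html) { return html.find("<script>") != std::string::npos; }

// Example URL quoted in the advisory text on this page.
const std::string kUrl = "bookmarks://hhdhdhhdhdhdh.google.com/"
                         "'><script>alert('bookmarks'+document.domain);</script>";

int main() {
    for (int n = 0; n <= 2; ++n)
        std::cout << n << " escape(s), live script: " << has_live_script(render_error_page(kUrl, n)) << "\n";
}
```

With zero or one escape the page still carries a live `<script>` element; only the second escape survives the message layer and reaches the HTML as inert text.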
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kio-extras - 4:5.1.1-0ubuntu2

---------------
kio-extras (4:5.1.1-0ubuntu2) vivid; urgency=medium

  * SECURITY UPDATE: Insufficient Input Validation By IO Slaves and
    Webkit Part
   - Add upstream_CVE-2014-8600.diff to escape protocol twice: once
     for i18n, and once for HTML
   - https://www.kde.org/info/security/advisory-20141113-1.txt
   - CVE-2014-8600
   - LP: #1393479
 -- Jonathan Riddell <email address hidden> Tue, 18 Nov 2014 10:08:55 +0100

Changed in kio-extras (Ubuntu Vivid):
status: New → Fix Released
Jonathan Riddell (jr) wrote :

The patch for webkitkde doesn't seem relevant for lucid, the code it patches doesn't exist

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde-runtime - 4:4.14.2-0ubuntu2

---------------
kde-runtime (4:4.14.2-0ubuntu2) vivid; urgency=medium

  * SECURITY UPDATE: Insufficient Input Validation By IO Slaves and
    Webkit Part
   - Add upstream_CVE-2014-8600.diff to escape protocol twice: once
     for i18n, and once for HTML
   - https://www.kde.org/info/security/advisory-20141113-1.txt
   - CVE-2014-8600
   - LP: #1393479
 -- Jonathan Riddell <email address hidden> Mon, 17 Nov 2014 17:52:25 +0100

Changed in kde-runtime (Ubuntu Vivid):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde-runtime - 4:4.13.3-0ubuntu0.2

---------------
kde-runtime (4:4.13.3-0ubuntu0.2) trusty-security; urgency=medium

  * SECURITY UPDATE: Insufficient Input Validation By IO Slaves and
    Webkit Part
   - Add upstream_CVE-2014-8600.diff to escape protocol twice: once
     for i18n, and once for HTML
   - https://www.kde.org/info/security/advisory-20141113-1.txt
   - CVE-2014-8600
   - LP: #1393479
 -- Jonathan Riddell <email address hidden> Thu, 20 Nov 2014 15:36:39 +0100

Changed in kde-runtime (Ubuntu Trusty):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package webkitkde - 1.1.0git80efcf77-1ubuntu1

---------------
webkitkde (1.1.0git80efcf77-1ubuntu1) precise-security; urgency=medium

  * SECURITY UPDATE: Insufficient Input Validation By IO Slaves and
    Webkit Part
   - Add upstream_cve-2014-8600.diff to escape protocol twice: once
     for i18n, and once for HTML
   - https://www.kde.org/info/security/advisory-20141113-1.txt
   - CVE-2014-8600
   - LP: #1393479
 -- Jonathan Riddell <email address hidden> Thu, 20 Nov 2014 15:56:53 +0100

Changed in webkitkde (Ubuntu Precise):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde-runtime - 4:4.14.1-0ubuntu1.1

---------------
kde-runtime (4:4.14.1-0ubuntu1.1) utopic-security; urgency=medium

  * SECURITY UPDATE: Insufficient Input Validation By IO Slaves and
    Webkit Part
   - Add upstream_CVE-2014-8600.diff to escape protocol twice: once
     for i18n, and once for HTML
   - https://www.kde.org/info/security/advisory-20141113-1.txt
   - CVE-2014-8600
   - LP: #1393479
 -- Jonathan Riddell <email address hidden> Thu, 20 Nov 2014 15:31:06 +0100

Changed in kde-runtime (Ubuntu Utopic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde-runtime - 4:4.8.5-0ubuntu0.3

---------------
kde-runtime (4:4.8.5-0ubuntu0.3) precise-security; urgency=medium

  * SECURITY UPDATE: Insufficient Input Validation By IO Slaves and
    Webkit Part
   - Add upstream_CVE-2014-8600.diff to escape protocol twice: once
     for i18n, and once for HTML
   - https://www.kde.org/info/security/advisory-20141113-1.txt
   - CVE-2014-8600
   - LP: #1393479
 -- Jonathan Riddell <email address hidden> Thu, 20 Nov 2014 15:46:42 +0100

Changed in kde-runtime (Ubuntu Precise):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package webkitkde - 1.3.4-1ubuntu0.1

---------------
webkitkde (1.3.4-1ubuntu0.1) utopic-security; urgency=medium

  * SECURITY UPDATE: Insufficient Input Validation By IO Slaves and
    Webkit Part
   - Add upstream_cve-2014-8600.diff to escape protocol twice: once
     for i18n, and once for HTML
   - https://www.kde.org/info/security/advisory-20141113-1.txt
   - CVE-2014-8600
   - LP: #1393479
 -- Jonathan Riddell <email address hidden> Mon, 17 Nov 2014 17:44:29 +0100

Changed in webkitkde (Ubuntu Utopic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package webkitkde - 1.3~git20120518.9a111005-3ubuntu1

---------------
webkitkde (1.3~git20120518.9a111005-3ubuntu1) trusty-security; urgency=medium

  * SECURITY UPDATE: Insufficient Input Validation By IO Slaves and
    Webkit Part
   - Add upstream_cve-2014-8600.diff to escape protocol twice: once
     for i18n, and once for HTML
   - https://www.kde.org/info/security/advisory-20141113-1.txt
   - CVE-2014-8600
   - LP: #1393479
 -- Jonathan Riddell <email address hidden> Thu, 20 Nov 2014 15:56:53 +0100

Changed in webkitkde (Ubuntu Trusty):
status: New → Fix Released
Changed in kio-extras (Ubuntu Precise):
status: New → Invalid
Changed in kio-extras (Ubuntu Trusty):
status: New → Invalid
Changed in kio-extras (Ubuntu Utopic):
status: New → Invalid