Embargoed security issue (until 10/3)

Bug #857437 reported by Scott Kitterman
Affects             Status         Importance   Assigned to        Milestone
arora (Ubuntu)      Won't Fix      Undecided    Unassigned
kde4libs (Ubuntu)   Fix Released   Undecided    Jamie Strandboge
rekonq (Ubuntu)     Fix Released   Undecided    Unassigned

Bug Description

This is from the private KDE packagers mailing list.

Hello packagers,

This issue is embargoed until October 3rd.

On October 3rd we will release a security advisory (20111003-1)
regarding QLabel spoofing. Tim Brown of Nth Dimension
(<email address hidden>) notified us that various dialog boxes are
able to be spoofed because QLabel's default behavior, rich text, is not
properly changed to plain text in important locations.

The CVEs are the following:

CVE-2011-3365 KDE KSSL
CVE-2011-3366 KDE Rekonq
CVE-2011-3367 Arora

As you can see, this affects multiple products, and not just KDE
products. At this time we have CVEs for KSSL, Rekonq, and Arora. I don't
have commit IDs for the last two, but I suggest checking with the
project maintainers or looking at their commit logs for the fixes
(keeping in mind the embargo, so private communication please).

The patch for KSSL for 4.6 is 9ca2b26fc67c3f921e1943c1725fca623e395854
and the patch for 4.7 is bd70d4e589711fda9ab07738c46e37eee8376214.

It is quite possible that Kleopatra will receive a CVE as well; I'll
update you on the status of that as I can.

Finally, we've been in touch with Qt maintainers. They will be posting a
blog article reminding developers to be careful with QLabel sanitizing,
and put a warning in the API documentation as well.

Thanks,
Jeff

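The mechanism in Jeff's mail, as an added example that is not code from KDE, Qt, Arora or the advisory: a label whose text format is left at the default auto-detection will interpret tag-shaped input as rich text, so an attacker-controlled string (here a certificate subject CN, constructed for this example) can restructure what the dialog shows, while a label forced to plain text shows the string byte for byte. The detection heuristic and tag handling below are simplified stand-ins for Qt's own (Qt::mightBeRichText and the rich text engine are more involved), and the function names and the EVIL_CN value are this example's assumptions.

```python
"""Model of the QLabel rich-text spoofing class from the advisory above.

Added example, not code from KDE, Qt, Arora or the advisory.  The
detection heuristic and tag handling are simplified stand-ins for Qt's
own; the malicious CN is constructed for the example.
"""
import html
import re

# Anything that looks like a tag.  Qt::mightBeRichText is more involved;
# this only stands in for "auto-detect decided this is rich text".
TAG_RE = re.compile(r"<[^>]+>")


def might_be_rich_text(text: str) -> bool:
    """Simplified auto-detection: tag-shaped content means rich text."""
    return TAG_RE.search(text) is not None


def render_rich(text: str) -> str:
    """Crude rich-text rendering: <br> becomes a line break, every other
    tag is consumed as markup, and entities are decoded."""
    text = re.sub(r"<br\s*/?>", "\n", text, flags=re.IGNORECASE)
    return html.unescape(TAG_RE.sub("", text))


def render_label(text: str, fmt: str = "auto") -> str:
    """What the user sees for a label holding `text`.

    fmt is "auto" (the default that bit the SSL dialogs), "rich", or
    "plain" (what setTextFormat(Qt::PlainText) gives you)."""
    if fmt == "plain":
        return text
    if fmt == "rich" or (fmt == "auto" and might_be_rich_text(text)):
        return render_rich(text)
    return text


def issued_to_line(cn: str, fmt: str = "auto") -> str:
    """The dialog line an SSL info dialog builds from the certificate CN."""
    return render_label("Certificate issued to: " + cn, fmt)


# Constructed malicious subject CN: rendered as rich text, the markup
# inserts a second, fake "issued to" line naming the site the victim
# expects, and the tags themselves never appear on screen.
EVIL_CN = "evil.example<br><br><b>Certificate issued to:</b> bank.example"


def vulnerable_view() -> str:
    """Label left at the default (auto) format: the markup is interpreted."""
    return issued_to_line(EVIL_CN)


def fixed_view_plain() -> str:
    """Fix 1: force plain text, so the CN is shown literally."""
    return issued_to_line(EVIL_CN, fmt="plain")


def fixed_view_escaped() -> str:
    """Fix 2: keep rich text for the dialog's own markup but escape the
    untrusted field before inserting it."""
    return issued_to_line(html.escape(EVIL_CN), fmt="rich")


if __name__ == "__main__":
    print("--- vulnerable (auto-detected rich text) ---")
    print(vulnerable_view())
    print("--- fixed (plain text) ---")
    print(fixed_view_plain())
    print("--- fixed (escaped, then rich text) ---")
    print(fixed_view_escaped())
```

Running it prints the spoofed two-line dialog text first, then the literal CN with its tags visible for both fixes. Of the two fixes, forcing plain text is the one to reach for when the label only ever shows one untrusted value; escaping is needed when the dialog's own formatting must survive around the untrusted field.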
Tags: patch
Scott Kitterman (kitterman) wrote :

Although this is embargoed, I noticed the kssl fix in KDE git yesterday and pointed it out to Ubuntu security. It's included in the KDE 4.6.5 SRU that we're preparing.

summary: - Embargoed security issue
+ Embargoed security issue (until 10/3)
Changed in arora (Ubuntu):
status: New → Confirmed
Changed in kde4libs (Ubuntu):
status: New → Confirmed
Changed in rekonq (Ubuntu):
status: New → Confirmed
Romain Perier (rperier) wrote :

See the fix for oneiric in attachment

Romain Perier (rperier) wrote :

The fix for kde4libs in natty

Scott Kitterman (kitterman) wrote :
visibility: private → public
Felix Geyer (debfx) wrote :

rekonq <= 0.7 seems to be using KSslInfoDialog from kdelibs and 0.7.90 already contains the fix.

Changed in rekonq (Ubuntu):
status: Confirmed → Fix Released
Marc Deslauriers (mdeslaur) wrote :

Upstream says the following commits are necessary:

    4.6 branch: 9ca2b26f 90607b28
    4.7 branch: bd70d4e5 86622e4d
    frameworks: bd70d4e5 86622e4d

Which means the debdiffs in #2 and #3 are incomplete. NACK.

Scott Kitterman (kitterman) wrote :

I think kde4libs is fixed in natty-updates as part of the 4.6.5 upgrade.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Fix for kde4libs 4.7.1 in oneiric" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Changed in arora (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in kde4libs (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in arora (Ubuntu):
status: Confirmed → In Progress
Changed in kde4libs (Ubuntu):
status: Confirmed → In Progress
Jamie Strandboge (jdstrand) wrote :

Confirmed natty kde4libs is fixed

Jamie Strandboge (jdstrand) wrote :

Confirmed rekonq in natty and earlier does not have the affected code.

Jamie Strandboge (jdstrand) wrote :

arora is only affected if qt is compiled without ssl support. Marking "Won't Fix".

Changed in arora (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
status: In Progress → Won't Fix
Changed in kde4libs (Ubuntu):
status: In Progress → Fix Committed
Marc Deslauriers (mdeslaur) wrote :

Unsubscribing ubuntu-sponsors, as this is being handled by the security team.

Jamie Strandboge (jdstrand) wrote :

kde4libs is fixed now in Oneiric and Precise. I just unembargoed kde4libs for lucid-natty. Marking Fix Released.

Changed in kde4libs (Ubuntu):
status: Fix Committed → Fix Released