Bug 1164293 (CVE-2014-8600)
| Summary: | CVE-2014-8600 kwebkitpart, kde-runtime: Insufficient Input Validation By IO Slaves and Webkit Part | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Martin Prpič <mprpic> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | alekcejk, dvratil, jgrulich, jreznik, kevin, ltinkl, mbriza, rdieter, rnovacek, sisharma, than |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-03-17 09:34:27 UTC | Type: | --- |
| Bug Depends On: | 1164607, 1164608, 1164609 | ||
| Bug Blocks: | 1164295 | ||
Created kwebkitpart tracking bugs for this issue:

Affects: fedora-all [bug 1164607]
Affects: epel-7 [bug 1164608]

Created kde-runtime tracking bugs for this issue:

Affects: fedora-all [bug 1164609]

kde-runtime-4.14.3-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

kwebkitpart-1.3.4-5.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

kwebkitpart-1.3.4-5.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

kde-runtime-4.14.3-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

kwebkitpart-1.3.4-5.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

kwebkitpart-1.3.4-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

Analysis
========
In the code of kdebase-runtime and kde-runtime for the bookmarks kio slave, URLs are not handled properly, leading to cross-site scripting (XSS). The problem exists in the following code:

    void BookmarksProtocol::get( const KUrl& url )
    {
      QString path = url.path();
      QRegExp regexp("^/(background|icon)/([\\S]+)");
      // [...]
      // 1. Value of variable 'path' is not sanitized properly here, which allows
      //    JavaScript to run in an untrusted context, leading to cross-site
      //    scripting (XSS). Impact of this flaw is very low.
        echo("<p class=\"message\">" + i18n("Wrong request: %1",path) + "</p>");
      }
      finished();
    }
From the upstream advisory:

Overview
========
kwebkitpart and the bookmarks:// io slave were not sanitizing input correctly allowing to some javascript being executed on the context of the referenced hostname.

For example going to
bookmarks://hhdhdhhdhdhdh.google.com/'><script>alert('bookmarks'+document.domain);</script>
in Konqueror makes a Javascript alert popup.

Impact
======
Whilst in most cases, the JavaScript will be executed in an untrusted context, with the bookmarks IO slave, it will be executed in the context of the referenced hostname. In the example above, this is hhdhdhhdhdhdh.google.com. It should however be noted that KDE mitigates this risk by attempting to ensure that such URLs cannot be embedded directly into Internet hosted content.

Patches for kwebkitpart and kde-runtime are available at:

- kwebkitpart http://quickgit.kde.org/?p=kwebkitpart.git&a=commit&h=641aa7c75631084260ae89aecbdb625e918c6689
- kde-runtime http://quickgit.kde.org/?p=kde-runtime.git&a=commit&h=d68703900edc8416fbcd2550cd336cbbb76decb9

External References:

https://www.kde.org/info/security/advisory-20141113-1.txt
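An added example (not the KDE patch and not code from this report) that reproduces the pattern from the analysis in stand-alone C++: the "Wrong request" message built from the unescaped request path, next to a version that HTML-escapes the path at the point of output. The function names are hypothetical, `std::string` stands in for `QString`, the `i18n()` call is replaced by a fixed string, and the sample path is constructed from the advisory's example URL.

```cpp
#include <iostream>
#include <string>

// Escape the characters that are significant in HTML text and attribute
// values. Hypothetical helper for this example; not a Qt or KDE function.
std::string htmlEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Same shape as the reported code: the path goes into the markup unchanged.
std::string wrongRequestUnescaped(const std::string& path) {
    return "<p class=\"message\">Wrong request: " + path + "</p>";
}

// Hardened form: the path is escaped where it is written into HTML, so it
// is rendered as text no matter which branch produced the error.
std::string wrongRequestEscaped(const std::string& path) {
    return "<p class=\"message\">Wrong request: " + htmlEscape(path) + "</p>";
}

// Constructed sample input: the path part of the advisory's example URL.
const std::string kSamplePath =
    "/'><script>alert('bookmarks'+document.domain);</script>";

// Simple check used to compare the two outputs.
bool containsScriptTag(const std::string& html) {
    return html.find("<script") != std::string::npos;
}

int main() {
    std::cout << "unescaped: " << wrongRequestUnescaped(kSamplePath) << "\n";
    std::cout << "escaped:   " << wrongRequestEscaped(kSamplePath) << "\n";
    return 0;
}
```
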