Bug 514070 (CVE-2009-1724)

Summary: CVE-2009-1724 kdelibs: possible XSS vulnerability
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: jlieskov, jreznik, kreilly, ltinkl, mjc, than
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1724
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-08-06 15:11:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Vincent Danen 2009-07-27 20:17:13 UTC
CVE-2009-1724 was originally given to a Safari Webkit issue:

Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via vectors related to parent and top objects.

According to two Debian bug reports ([1], [2]) this may affect qt4 and webkit, which means it may also affect kdelibs.  I am unable to find any patches for qt4 or webkit as of yet.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538403 (qt4-x11)
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538402 (webkit)

Comment 5 Jan Lieskovsky 2009-08-06 14:32:09 UTC
Official statement from Red Hat Security Response Team regarding this issue:

Not vulnerable. This issue did not affect the versions of the kdelibs
package, as shipped with Red Hat Enterprise Linux 3, 4, or 5.