Bug 532021 (oCERT-2009-015)

Summary: KDE: multiple issues (oCERT-2009-015)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: bressers, jreznik, kevin, ltinkl, mjc, rdieter, than
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-08-02 15:20:18 UTC
Bug Depends On: 532428

Description Tomas Hoger 2009-10-30 09:51:16 UTC
Quoting oCERT-2009-015 verbatim:

  http://www.ocert.org/advisories/ocert-2009-015.html

  KDE, an open source desktop environment, suffers from several bugs that
  pose a security risk.

  The oCERT team was contacted by Portcullis Security requesting help in
  handling a series of issues reported to the KDE project back in July 2007.
  Because of an extended period of non-disclosure Portcullis decided to
  resubmit the issues to KDE and contacted oCERT asking for assistance in
  disclosure coordination.

  Ark input sanitization errors:
  The KDE archiving tool, Ark, performs insufficient validation which leads
  to specially crafted archive files, using unknown MIME types, to be
  rendered using a KHTML instance; this can trigger uncontrolled
  XMLHTTPRequests to remote sites.

  IO Slaves input sanitization errors:
  KDE protocol handlers perform insufficient input validation; an attacker
  can craft a malicious URI that would trigger JavaScript execution.
  Additionally the 'help://' protocol handler suffers from directory
  traversal. It should be noted that the scope of this issue is limited
  as the malicious URIs cannot be embedded in Internet hosted content.

  KMail input sanitization errors:
  The KDE mail client, KMail, performs insufficient validation which leads
  to specially crafted email attachments, using unknown MIME types, to be
  rendered using a KHTML instance; this can trigger uncontrolled
  XMLHTTPRequests to remote sites.

  The exploitation of these vulnerabilities is unlikely according to
  Portcullis and KDE but the execution of active content is nonetheless
  unexpected and might pose a threat.

  All the reported issues have been patched.

  Affected version: KDE <= 4.3.2
  Fixed version: KDE >= 4.3.3

  Credit: Tim Brown, Portcullis Computer Security Ltd.

Comment 2 Tomas Hoger 2009-10-30 09:56:58 UTC
Sorry, this advisory is rather confusing, not clearly identifying individual problems, and not all of the suggested issues seem to be addressed by the referenced upstream patches.  There is some discussion about this:

  http://thread.gmane.org/gmane.comp.security.oss.general/2268/focus=2270

and reportedly Portcullis Computer Security may be publishing their own advisories with further details soon.

So far, there seem to be two types of fixes that got applied upstream:
- sanity checks for help: URLs, not viewed as security upstream
- XMLHTTPRequest checks to prevent access to non-http and non-webdav URLs

Ideas are welcome.

Comment 3 Tomas Hoger 2009-11-02 10:44:34 UTC
Bug for tracking XMLHttpRequest issue - bug #532428

Comment 5 Tomas Hoger 2009-11-04 16:40:34 UTC
Related Portcullis security advisories were published:

http://www.portcullis-security.com/330.php (ark default preview)
http://www.portcullis-security.com/332.php (kmail attachment spoofing)
http://www.portcullis-security.com/329.php (IO slaves input validation)

Another one for "KWallet Stored Credential Theft", wontfixed upstream:

http://www.portcullis-security.com/331.php

Comment 11 Tomas Hoger 2010-04-27 13:55:43 UTC
To split the oCERT advisory into smaller pieces:

- XMLHTTPRequest (XHR) policy is the most important issue here.  It's tracked via separate bug #532428.  Upstream has added some mitigation, but it does not address all issues.  Remaining issues are now tracked via upstream bug:
  https://bugs.kde.org/show_bug.cgi?id=235468

- Ark "input sanitization" issue is really a "html preview is used for files with unknown mime type" and "JS in html files is executed with privileges of local files, possibly taking advantage of the XHR issue mentioned above".  The former issue is not really an issue, as a user can open html preview for a .html file, in which case html rendering is actually expected, but it is still affected by the latter issue.  The latter issue, or its XHR part, can be addressed via a proper fix to the upstream bug mentioned above.  In addition, I've opened an upstream bug with a request to disable JS in preview completely:
  https://bugs.kde.org/show_bug.cgi?id=235546

- IO slaves input sanitization has very limited impact (a warning is displayed when trying to access special URLs such as help:, man: or info: from non-local URLs) and again leads to issues related to privileges of JS in local files.  They're not really worth backporting to already released products.

- KMail "input sanitization" is similar to the Ark issue.  The user needs to confirm viewing in konqueror.  Impact depends on privileges of local JS and the issue can be triggered by files with no obfuscated extension / type.
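
The two kinds of upstream fixes named in comment 2 (help: URL sanity checks and an XMLHttpRequest scheme policy restricting access to http and webdav targets) and broken down further in comment 11, shown as a small added C++ example that is not KDE's code; including https and webdavs alongside http and webdav, and treating help: paths as already URL-decoded and absolute, are assumptions made here:

```cpp
// Added example (not KDE's own code): a scheme allow-list for XMLHttpRequest
// targets and a ".." sanity check for help: paths, modelled on the two
// upstream fixes described in comment 2 and comment 11.
#include <algorithm>
#include <cctype>
#include <sstream>
#include <string>
#include <vector>

// Return the lower-cased scheme of a URL, or "" when it has no valid scheme
// (RFC 3986: a letter followed by letters, digits, '+', '-' or '.').
std::string urlScheme(const std::string& url) {
    std::string::size_type colon = url.find(':');
    if (colon == std::string::npos || colon == 0) return "";
    std::string scheme = url.substr(0, colon);
    if (!std::isalpha(static_cast<unsigned char>(scheme[0]))) return "";
    for (char c : scheme) {
        unsigned char uc = static_cast<unsigned char>(c);
        if (!std::isalnum(uc) && c != '+' && c != '-' && c != '.') return "";
    }
    std::transform(scheme.begin(), scheme.end(), scheme.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return scheme;
}

// XHR policy: a script, even one running from a local file, may only reach
// HTTP(S) and WebDAV(S) targets, never file:, help:, man: or info: URLs.
// Allowing https/webdavs next to http/webdav is an assumption of this example.
bool xhrTargetAllowed(const std::string& url) {
    static const std::vector<std::string> allowed = {"http", "https",
                                                     "webdav", "webdavs"};
    const std::string scheme = urlScheme(url);
    return std::find(allowed.begin(), allowed.end(), scheme) != allowed.end();
}

// help: sanity check: the path must be absolute and no segment may be "..",
// so a crafted path cannot escape the documentation tree. Assumes the path
// has already been percent-decoded (so "%2e%2e" arrives here as "..").
bool helpPathSane(const std::string& path) {
    if (path.empty() || path[0] != '/') return false;
    std::stringstream ss(path);
    std::string segment;
    while (std::getline(ss, segment, '/')) {
        if (segment == "..") return false;
    }
    return true;
}
```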

Comment 12 Kevin Kofler 2010-04-27 14:41:15 UTC
If those fixes will be in the upstream 4.4.3 bugfix release, they will be pushed out to all supported Fedora releases anyway as soon as 4.4.3 is released, which is quite soon.

Comment 13 Tomas Hoger 2010-04-28 08:45:09 UTC
(In reply to comment #11)

> I've opened upstream bug with request to disable JS in preview completely:
>   https://bugs.kde.org/show_bug.cgi?id=235546

Ark upstream bug is resolved now.  The patch should disable JS, Java, plugins and all remote references.

Comment 15 Josh Bressers 2011-08-02 15:20:18 UTC
I'm going to wontfix this. It's fixed upstream and in RHEL6+. This issue isn't worth the effort needed to both sort out, then fix the minor issues.