Bug 532021 (oCERT-2009-015)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | KDE: multiple issues (oCERT-2009-015) | | |
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | bressers, jreznik, kevin, ltinkl, mjc, rdieter, than |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-08-02 15:20:18 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 532428 | | |
| Bug Blocks: | | | |
Description
Tomas Hoger
2009-10-30 09:51:16 UTC
Oh, I forgot references:

References:
http://www.davidfaure.fr/2009/xmlhttprequest_3.x.diff
http://websvn.kde.org/?view=revision&revision=1035539
http://websvn.kde.org/?view=revision&revision=1030579
http://websvn.kde.org/?view=revision&revision=938003

Sorry, this advisory is rather confusing, not clearly identifying individual problems, and not all of the suggested issues seem to be addressed by the referenced upstream patches. There is some discussion about this: http://thread.gmane.org/gmane.comp.security.oss.general/2268/focus=2270 and reportedly Portcullis Computer Security may be publishing their own advisories with further details soon.

So far, there seem to be two types of fixes that got applied upstream:
- sanity checks for help: URLs, not viewed as security upstream
- XMLHTTPRequest checks to prevent access to non-http and non-webdav URLs

Ideas are welcome.

Bug for tracking the XMLHttpRequest issue - bug #532428

Related Portcullis security advisories were published:
http://www.portcullis-security.com/330.php (ark default preview)
http://www.portcullis-security.com/332.php (kmail attachment spoofing)
http://www.portcullis-security.com/329.php (IO slaves input validation)

Another one for "KWallet Stored Credential Theft", wontfixed upstream:
http://www.portcullis-security.com/331.php

To split the oCERT advisory into smaller pieces:
- XMLHTTPRequest (XHR) policy is the most important issue here. It's tracked via separate bug #532428. Upstream has added some mitigation, but it does not address all issues. Remaining issues are now tracked via upstream bug: https://bugs.kde.org/show_bug.cgi?id=235468
- The Ark "input sanitization" issue is really "html preview is used for files with unknown mime type" and "JS in html files is executed with privileges of local files, possibly taking advantage of the XHR issue mentioned above". The former issue is not really an issue, as the user can open html preview for a .html file, in which case html rendering is actually expected, but it is still affected by the latter issue. The latter issue, or its XHR part, can be addressed via a proper fix to the upstream bug mentioned above. In addition, I've opened an upstream bug with a request to disable JS in preview completely: https://bugs.kde.org/show_bug.cgi?id=235546
- IO slaves input sanitization has very limited impact (a warning is displayed when trying to access special URLs such as help:, man: or info: from non-local URLs) and again leads to issues related to privileges of JS in local files. They're not really worth backporting to already released products.
- KMail "input sanitization" is similar to the Ark issue. The user needs to confirm viewing in konqueror. Impact depends on privileges of local JS and the issue can be triggered by files with no obfuscated extension / type.

If those fixes are in the upstream 4.4.3 bugfix release, they will be pushed out to all supported Fedora releases anyway as soon as 4.4.3 is released, which is quite soon.

(In reply to comment #11)
> I've opened upstream bug with request to disable JS in preview completely:
> https://bugs.kde.org/show_bug.cgi?id=235546

Ark upstream bug is resolved now. The patch should disable JS, Java, plugins and all remote references.

I'm going to wontfix this. It's fixed upstream and in RHEL6+. This issue isn't worth the effort needed to both sort out, then fix the minor issues.