Bug 743054 (CVE-2011-3365)

Summary: CVE-2011-3365 kdelibs: input validation failure in KSSL
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: fedora, jreznik, kevin, ltinkl, mjc, rdieter, rnovacek, ry, smparrish, than
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20111003,reported=20111003,source=internet,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,rhel-4/kdelibs=affected,rhel-5/kdelibs=affected,fedora-all/kdelibs=affected,rhel-6/kdelibs=affected,rhel-6/kdelibs3=affected,cwe=CWE-20[auto]
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-08-08 15:49:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 743056, 743074, 743515, 743516, 746150, 746157, 746158, 746160, 746161, 833920    
Bug Blocks: 743057    
Attachments:
Description Flags
kdelibs patch
none
kio patch none

Description Vincent Danen 2011-10-03 17:45:44 UTC 
An input validation failure was discovered in KSSL (CVE-2011-3365) and Rekonq (CVE-2011-3366) in KDE SC 4.6.0 up to and including KDE SC 4.7.1, however upstream indicates that ealier versions of KDE SC may also be affected.  The upstream advisory [1] details are noted below:


The default rendering type for a QLabel is QLabel::AutoText, which uses
heuristics to determine whether to render the given content as plain text
or rich text.

When displaying a security dialog with a certificate, KSSL does not
properly force its QLabels to use QLabel::PlainText. As a result, if given
a certificate containing rich text in its fields, it will render the rich
text.

Specifically, a certificate containing a common name (CN) that has a table
element will cause the second line of the table to be displayed. This can
allow spoofing of the certificate's common name.

The vulnerability and technical information about the exploit were
provided by Tim Brown of Nth Dimension. We thank them for their 
responsible disclosure and cooperative handling of the matter.

Exploitation may trick the user into beliving a certificate is legitimate
when in fact it is invalid, and simply displayed incorrectly.


This has been corrected via the following git [2] commits:

4.6 branch: 9ca2b26f 90607b28
4.7 branch: bd70d4e5 86622e4d
frameworks: bd70d4e5 86622e4d

(Note: the second commit for each branch above is a fix for kio_http that
fixes a similar issue, but with only very minor security implications.)

And for Rekonq, the following commits correct it in git [3]:

85f454fa
526ce56f
d1711fff

Finally, Qt has also received a patch to warn users about sanitizing their QLabel [4].

[1] http://www.kde.org/info/security/advisory-20111003-1.txt
[2] http://quickgit.kde.org/?p=kdelibs.git&a=summary
[3] http://quickgit.kde.org/?p=rekonq.git&a=summary
[4] https://qt.gitorious.org/qt/qt/commit/31f7ecbdcdbafbac5bbfa693e4d060757244941b
Comment 1 Vincent Danen 2011-10-03 17:47:31 UTC 
Created rekonq tracking bugs for this issue

Affects: fedora-all [bug 743055]
Comment 2 Vincent Danen 2011-10-03 17:47:34 UTC 
Created kdelibs tracking bugs for this issue

Affects: fedora-all [bug 743056]
Comment 3 Vincent Danen 2011-10-03 21:32:23 UTC 
According to bug #743074, it looks as though KDE3 may be affected by this as well.
Comment 4 Huzaifa S. Sidhpurwala 2011-10-04 06:25:31 UTC 
This issue affects the version of kdelibs as shipped with Red Hat Enterprise Linux 6.
Comment 5 Huzaifa S. Sidhpurwala 2011-10-04 06:30:02 UTC 
Created attachment 526185 [details]
kdelibs patch
Comment 6 Huzaifa S. Sidhpurwala 2011-10-04 06:30:42 UTC 
Created attachment 526187 [details]
kio patch
Comment 8 Huzaifa S. Sidhpurwala 2011-10-04 07:29:45 UTC 
Since there are two issues here, affecting different products, this bug is being split into two parts.

This bug will be used for CVE-2011-3365: kssl/kdelibs input validation failure

The rekonq flaw (CVE-2011-3366) is tracked via:
https://bugzilla.redhat.com/show_bug.cgi?id=743194
Comment 12 errata-xmlrpc 2011-10-11 16:39:19 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1364 https://rhn.redhat.com/errata/RHSA-2011-1364.html
Comment 14 errata-xmlrpc 2011-10-19 17:55:02 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:1385 https://rhn.redhat.com/errata/RHSA-2011-1385.html
Comment 15 Fedora Update System 2011-10-22 08:24:11 UTC 
kdelibs-4.6.5-6.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2011-10-22 08:26:11 UTC 
kdelibs-4.6.5-6.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Rex Dieter 2012-08-08 15:01:04 UTC 
confirmed this patch is already present and applied to rekonq-0.9.2-1 builds present already in f16 and f17