Bug 743074

Summary: CVE-2011-3365 kdelibs3: input validation failure in KSSL [fedora-all]
Product: [Fedora] Fedora
Reporter: Kevin Kofler <kevin>
Component: kdelibs3
Assignee: Than Ngo <than>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 15
CC: jreznik, kevin, ltinkl, rdieter, rnovacek, ry, smparrish, than, vdanen
Keywords: Security, SecurityTracking
Hardware: All
OS: Linux
Fixed In Version: kdelibs3-3.5.10-31.fc16
Doc Type: Release Note
Clone Of: 743056
Last Closed: 2011-10-24 22:58:49 UTC
Bug Blocks: 743054    
Attachments:
kdelibs-3.5.10-kssl-qlabel.patch (flags: none)
kdelibs-3.5.10-kio_http-qlabel.patch (flags: none)
CVE-2011-3365 kdelibs: input validation (flags: none)

Description Kevin Kofler 2011-10-03 18:54:16 UTC
+++ This bug was initially created as a clone of Bug #743056 +++


This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.

For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=743054

Please note: this issue affects multiple supported versions of Fedora.
Only one tracking bug has been filed; please only close it when all
affected versions are fixed.


[bug automatically created by: add-tracking-bugs]

--- Additional comment from kevin.org on 2011-10-03 14:43:56 EDT ---

Note that there are TWO places in kdelibs which are affected and have been fixed, one in KSSL and one in kio_http.

I need to check the kdelibs3 code to see whether it is affected too. I suspect it probably is.

Comment 1 Kevin Kofler 2011-10-03 18:58:26 UTC
I can tell from a first cursory look that kdelibs3 appears to be vulnerable to both the kdelibs issues too. Affected files:
kio/kssl/ksslinfodlg.cc
kioslave/http/http.cc

(Qt 3's QLabel also defaults to AutoText mode.)

In both cases, the code is different from the kdelibs 4 code and the patches will have to be ported/rewritten.

Comment 2 Kevin Kofler 2011-10-07 18:55:12 UTC
Created attachment 526947
kdelibs-3.5.10-kssl-qlabel.patch

This is my proposed patch for the KSSL part of the issue.

I have NOT done ANY testing on this so far. And I'm not sure whether we even CAN test this properly in Fedora. There isn't all that much left using kdelibs3 in Fedora. Testing this on RHEL 5's Konqueror is probably more useful.

Comment 3 Kevin Kofler 2011-10-07 19:14:28 UTC
Created attachment 526948
kdelibs-3.5.10-kio_http-qlabel.patch

And this is my backport of the kio_http fix from kdelibs 4.

Here too, testing is needed.

Qt 3 has no Qt::escape function, so, even though we are linking in all of qt-mt, we still need a custom htmlEscape function. (In kdelibs 4, it's needed because Qt::escape is in QtGui.)
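
An added illustration of the escaping step this comment refers to, for text that ends up in a label which auto-detects rich text (the QLabel AutoText default noted in Comment 1). It is not the code from the attached patches: it uses std::string in place of QString so it builds without Qt, and the helpers buildLabelText and hasForeignMarkup and the sample values are made up for the example.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Escape the characters that rich-text rendering treats as markup.
// Same name as the helper mentioned in the comment, but this body is
// an illustration using std::string, not the patch's QString code.
std::string htmlEscape(const std::string &plain)
{
    std::string rich;
    rich.reserve(plain.size() + plain.size() / 8);
    for (char c : plain) {
        switch (c) {
        case '&': rich += "&amp;";  break;  // escaped too, so "&lt;" in the input stays literal
        case '<': rich += "&lt;";   break;
        case '>': rich += "&gt;";   break;
        case '"': rich += "&quot;"; break;
        default:  rich += c;        break;
        }
    }
    return rich;
}

// Hypothetical helper: build label text from untrusted name/value pairs.
// Only the <br/> separators written here remain live markup.
std::string buildLabelText(const std::vector<std::pair<std::string, std::string>> &fields)
{
    std::string text;
    for (const auto &f : fields) {
        if (!text.empty()) text += "<br/>";
        text += htmlEscape(f.first) + ": " + htmlEscape(f.second);
    }
    return text;
}

// Hypothetical check: does the text contain any tag other than our <br/>?
bool hasForeignMarkup(const std::string &text)
{
    for (std::size_t p = text.find('<'); p != std::string::npos; p = text.find('<', p + 1))
        if (text.compare(p, 5, "<br/>") != 0) return true;
    return false;
}

int main()
{
    // Constructed sample input; the values are not taken from the bug.
    std::cout << buildLabelText({{"Organization", "<i>Example</i> & Co"}, {"Host", "www.example.org"}}) << "\n";
    return 0;
}
```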

Comment 4 Than Ngo 2011-10-12 15:55:36 UTC
I have reviewed Kevin's patches. Both look fine. I will test them today or tomorrow. Kevin, thanks for the backported patches!

Comment 5 Than Ngo 2011-10-13 11:31:00 UTC
Created attachment 527959
CVE-2011-3365 kdelibs: input validation

There are some syntax errors in Kevin's patch; I fixed them so that it compiles fine now. The security patches also fixed the issues.

Comment 6 Kevin Kofler 2011-10-13 17:53:33 UTC
Thanks for fixing my errors (I forgot the d-pointers, that's what happens when I'm too busy to test that the stuff actually compiles… but I got quite close ;-) ).

Comment 7 Fedora Update System 2011-10-14 14:30:55 UTC
kdelibs3-3.5.10-31.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/kdelibs3-3.5.10-31.fc14

Comment 8 Fedora Update System 2011-10-14 14:55:07 UTC
kdelibs3-3.5.10-31.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/kdelibs3-3.5.10-31.fc15

Comment 9 Fedora Update System 2011-10-14 14:56:17 UTC
kdelibs3-3.5.10-31.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/kdelibs3-3.5.10-31.fc16

Comment 10 Fedora Update System 2011-10-15 14:29:36 UTC
Package kdelibs3-3.5.10-31.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing kdelibs3-3.5.10-31.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-14335
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2011-10-24 22:58:49 UTC
kdelibs3-3.5.10-31.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2011-10-24 23:07:23 UTC
kdelibs3-3.5.10-31.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2011-10-25 03:39:48 UTC
kdelibs3-3.5.10-31.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.