From the upstream advisory:

Overview
========

kwebkitpart and the bookmarks:// io slave were not sanitizing input correctly, allowing some JavaScript to be executed in the context of the referenced hostname.

For example going to
bookmarks://hhdhdhhdhdhdh.google.com/'><script>alert('bookmarks'+document.domain);</script>
in Konqueror makes a JavaScript alert pop up.

Impact
======

Whilst in most cases, the JavaScript will be executed in an untrusted context, with the bookmarks IO slave, it will be executed in the context of the referenced hostname. In the example above, this is hhdhdhhdhdhdh.google.com. It should however be noted that KDE mitigates this risk by attempting to ensure that such URLs cannot be embedded directly into Internet hosted content.

Patches for kwebkitpart and kde-runtime are available at:
- kwebkitpart http://quickgit.kde.org/?p=kwebkitpart.git&a=commit&h=641aa7c75631084260ae89aecbdb625e918c6689
- kde-runtime http://quickgit.kde.org/?p=kde-runtime.git&a=commit&h=d68703900edc8416fbcd2550cd336cbbb76decb9

External References:
https://www.kde.org/info/security/advisory-20141113-1.txt
Created kwebkitpart tracking bugs for this issue:
Affects: fedora-all [bug 1164607]
Affects: epel-7 [bug 1164608]
Created kde-runtime tracking bugs for this issue:
Affects: fedora-all [bug 1164609]
kde-runtime-4.14.3-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
kwebkitpart-1.3.4-5.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
kwebkitpart-1.3.4-5.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
kde-runtime-4.14.3-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
kwebkitpart-1.3.4-5.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
kwebkitpart-1.3.4-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Analysis
========

In the code of kdebase-runtime and kde-runtime for the bookmarks kio slave, URLs are not handled properly, leading to cross-site scripting (XSS).

The problem exists in the following code:

void BookmarksProtocol::get( const KUrl& url )
{
  QString path = url.path();
  QRegExp regexp("^/(background|icon)/([\\S]+)");

1. Value of variable 'path' is not sanitized properly here, which allows JavaScript to run in an untrusted context, leading to cross-site scripting (XSS). Impact of this flaw is very low.

    echo("<p class=\"message\">" + i18n("Wrong request: %1",path) + "</p>");
  }
  finished();
}
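Added example, not part of the original comment and not the upstream patch: a Qt-free C++ model of the error branch quoted above, showing the unescaped "Wrong request" message beside an HTML-escaped one. The names htmlEscape, wrongRequestUnsafe, wrongRequestSafe and containsInjectedMarkup are hypothetical, std::string stands in for QString, and the i18n() lookup is replaced by a fixed string.

```cpp
#include <algorithm>
#include <iostream>
#include <string>

// Encode the characters that can end a text node or an attribute value.
std::string htmlEscape(const std::string& in) {
    std::string out;
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Pre-fix behaviour (model): the URL path goes into the markup unchanged.
std::string wrongRequestUnsafe(const std::string& path) {
    return "<p class=\"message\">Wrong request: " + path + "</p>";
}

// Hardened form: the path is encoded before it reaches the markup.
std::string wrongRequestSafe(const std::string& path) {
    return "<p class=\"message\">Wrong request: " + htmlEscape(path) + "</p>";
}

// The template itself has exactly two '<' (<p ...> and </p>); any more
// means the path contributed markup of its own.
bool containsInjectedMarkup(const std::string& html) {
    return std::count(html.begin(), html.end(), '<') > 2;
}

int main() {
    // Path component of the URL given in the advisory.
    const std::string path = "/'><script>alert('bookmarks'+document.domain);</script>";
    std::cout << wrongRequestUnsafe(path) << "\n" << wrongRequestSafe(path) << "\n";
    std::cout << "unsafe injects markup: " << containsInjectedMarkup(wrongRequestUnsafe(path)) << "\n";
    std::cout << "safe injects markup:   " << containsInjectedMarkup(wrongRequestSafe(path)) << "\n";
    return 0;
}
```

The containsInjectedMarkup check can serve as a regression test for any code path that echoes request data into a generated page.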