Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1164293 - (CVE-2014-8600) CVE-2014-8600 kwebkitpart, kde-runtime: Insufficient Input Validation By IO Slaves and Webkit Part
CVE-2014-8600 kwebkitpart, kde-runtime: Insufficient Input Validation By IO S...
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20141113,reported=2...
: Security
Depends On: 1164607 1164608 1164609
Blocks: 1164295
  Show dependency treegraph
 
Reported: 2014-11-14 10:11 EST by Martin Prpič
Modified: 2015-03-17 05:34 EDT (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-17 05:34:27 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Martin Prpič 2014-11-14 10:11:39 EST 
From the upstream advisory:

Overview
========

kwebkitpart and the bookmarks:// io slave were not sanitizing input correctly allowing to some javascript being executed on the context of the referenced hostname. For example going to bookmarks://hhdhdhhdhdhdh.google.com/'><script>alert('bookmarks'+document.domain);</script> in Konqueror makes a Javascript alert popup.

Impact
======

Whilst in most cases, the JavaScript will be executed in an untrusted context, with the bookmarks IO slave, it will be executed in the context of the referenced hostname. In the example above, this is hhdhdhhdhdhdh.google.com. It should however be noted that KDE mitigates this risk by attempting to ensure that such URLs cannot be embedded directly into Internet hosted content.

Patches for kwebkitpart and kde-runtime are available at:
- kwebkitpart
    http://quickgit.kde.org/?p=kwebkitpart.git&a=commit&h=641aa7c75631084260ae89aecbdb625e918c6689
- kde-runtime
    http://quickgit.kde.org/?p=kde-runtime.git&a=commit&h=d68703900edc8416fbcd2550cd336cbbb76decb9

External References:

https://www.kde.org/info/security/advisory-20141113-1.txt
Comment 1 Murray McAllister 2014-11-16 20:03:26 EST 
Created kwebkitpart tracking bugs for this issue:

Affects: fedora-all [bug 1164607]
Affects: epel-7 [bug 1164608]
Comment 2 Murray McAllister 2014-11-16 20:03:30 EST 
Created kde-runtime tracking bugs for this issue:

Affects: fedora-all [bug 1164609]
Comment 3 Fedora Update System 2014-11-25 10:30:31 EST 
kde-runtime-4.14.3-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2014-12-03 01:37:52 EST 
kwebkitpart-1.3.4-5.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2014-12-03 12:15:06 EST 
kwebkitpart-1.3.4-5.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2014-12-03 12:16:36 EST 
kde-runtime-4.14.3-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-12-05 21:31:40 EST 
kwebkitpart-1.3.4-5.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2014-12-06 23:33:15 EST 
kwebkitpart-1.3.4-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Siddharth Sharma 2015-03-17 05:31:23 EDT 
Analysis
========

In the code of kdebase-runtime and kde-runtime for bookmarks kio slave, urls are not handled properly leading to cross-site-scripting (XSS). Problem exists in the following code

void BookmarksProtocol::get( const KUrl& url )
{
  QString path = url.path();
  QRegExp regexp("^/(background|icon)/([\\S]+)");

1. Value of variable 'path' is not sanitized properly here which allows javascript to run in untrusted context leading to cross-site-scripting XSS. Impact of this flaw is very low.

    echo("<p class=\"message\">" + i18n("Wrong request: %1",path) + "</p>");

  }
  finished();
}
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.