Quoting oCERT-2009-015 verbatim: http://www.ocert.org/advisories/ocert-2009-015.html

KDE, an open source desktop environment, suffers from several bugs that pose a security risk.

The oCERT team was contacted by Portcullis Security requesting help in handling a series of issues reported to the KDE project back in July 2007. Because of an extended period of non-disclosure Portcullis decided to resubmit the issues to KDE and contacted oCERT asking for assistance in disclosure coordination.

Ark input sanitization errors: The KDE archiving tool, Ark, performs insufficient validation, which leads to specially crafted archive files, using unknown MIME types, being rendered using a KHTML instance; this can trigger uncontrolled XMLHTTPRequests to remote sites.

IO Slaves input sanitization errors: KDE protocol handlers perform insufficient input validation; an attacker can craft a malicious URI that would trigger JavaScript execution. Additionally the 'help://' protocol handler suffers from directory traversal. It should be noted that the scope of this issue is limited as the malicious URIs cannot be embedded in Internet hosted content.

KMail input sanitization errors: The KDE mail client, KMail, performs insufficient validation, which leads to specially crafted email attachments, using unknown MIME types, being rendered using a KHTML instance; this can trigger uncontrolled XMLHTTPRequests to remote sites.

The exploitation of these vulnerabilities is unlikely according to Portcullis and KDE, but the execution of active content is nonetheless unexpected and might pose a threat.

All the reported issues have been patched.

Affected version: KDE <= 4.3.2
Fixed version: KDE >= 4.3.3
Credit: Tim Brown, Portcullis Computer Security Ltd.
Oh, I forgot references:

References:
http://www.davidfaure.fr/2009/xmlhttprequest_3.x.diff
http://websvn.kde.org/?view=revision&revision=1035539
http://websvn.kde.org/?view=revision&revision=1030579
http://websvn.kde.org/?view=revision&revision=938003
Sorry, this advisory is rather confusing, not clearly identifying individual problems, and not all of the suggested issues seem to be addressed by the referenced upstream patches. There is some discussion about this: http://thread.gmane.org/gmane.comp.security.oss.general/2268/focus=2270 and reportedly Portcullis Computer Security may be publishing its own advisories with further details soon.

So far, there seem to be two types of fixes that got applied upstream:
- sanity checks for help: URLs, not viewed as security upstream
- XMLHTTPRequest checks to prevent access to non-http and non-webdav URLs

Ideas are welcome.
Bug for tracking XMLHttpRequest issue - bug #532428
Related Portcullis security advisories were published:
http://www.portcullis-security.com/330.php (ark default preview)
http://www.portcullis-security.com/332.php (kmail attachment spoofing)
http://www.portcullis-security.com/329.php (IO slaves input validation)

Another one for "KWallet Stored Credential Theft", wontfixed upstream:
http://www.portcullis-security.com/331.php
To split the oCERT advisory into smaller pieces:

- XMLHTTPRequest (XHR) policy is the most important issue here. It's tracked via separate bug #532428. Upstream has added some mitigation, but it does not address all issues. Remaining issues are now tracked via upstream bug: https://bugs.kde.org/show_bug.cgi?id=235468

- Ark "input sanitization" issue is really "html preview is used for files with unknown mime type" and "JS in html files is executed with privileges of local files, possibly taking advantage of the XHR issue mentioned above". The former issue is not really an issue, as the user can open html preview for a .html file, in which case html rendering is actually expected, but it is still affected by the latter issue. The latter issue, or its XHR part, can be addressed via a proper fix to the upstream bug mentioned above. In addition, I've opened an upstream bug with a request to disable JS in preview completely: https://bugs.kde.org/show_bug.cgi?id=235546

- IO slaves input sanitization has very limited impact (a warning is displayed when trying to access special URLs such as help:, man: or info: from non-local URLs) and again leads to issues related to privileges of JS in local files. They're not really worth backporting to already released products.

- KMail "input sanitization" is similar to the Ark issue. The user needs to confirm viewing in konqueror. Impact depends on privileges of local JS, and the issue can be triggered by files with no obfuscated extension / type.
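The upstream mitigation described in this thread is an XHR target policy: a script may only reach http and webdav URLs, never file:, help:, man: or info: targets. The C++ below is an added illustration of that check written for this bug report; it is not KDE or KHTML code and uses no KDE API. It assumes the caller already knows the URL of the document issuing the request, and it treats a scheme-less (relative) target as inheriting the document's own scheme, which is the case that matters when the requesting document is a local file.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

// Return the lower-cased scheme of `url` (the text before the first ':'),
// or "" when the URL has no syntactically valid scheme (e.g. a relative
// reference such as "../etc/passwd" or "/api/data").
static std::string schemeOf(const std::string &url) {
    const std::string::size_type colon = url.find(':');
    if (colon == std::string::npos || colon == 0) return "";
    std::string scheme = url.substr(0, colon);
    // RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
    if (!std::isalpha(static_cast<unsigned char>(scheme[0]))) return "";
    for (char c : scheme) {
        const unsigned char uc = static_cast<unsigned char>(c);
        if (!std::isalnum(uc) && c != '+' && c != '-' && c != '.') return "";
    }
    std::transform(scheme.begin(), scheme.end(), scheme.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return scheme;
}

// Policy check (illustrative, not KDE's implementation): an XHR from the
// document at `documentUrl` to `targetUrl` is allowed only when the
// effective target scheme is http(s) or webdav(s). A relative target
// resolves against the document, so a local file: document cannot use
// "../something" to read other local files, and help:/man:/info: handlers
// are never reachable from script.
bool xhrAllowed(const std::string &documentUrl, const std::string &targetUrl) {
    std::string scheme = schemeOf(targetUrl);
    if (scheme.empty()) scheme = schemeOf(documentUrl);  // relative reference
    return scheme == "http" || scheme == "https" ||
           scheme == "webdav" || scheme == "webdavs";
}

int main() {
    // Constructed sample requests, as an html preview of a local file would issue them.
    const std::string doc = "file:///home/user/preview.html";
    const char *targets[] = {"http://example.com/data", "file:///etc/passwd",
                             "../../etc/passwd", "help:/kmail", "man:ls"};
    for (const char *t : targets)
        std::cout << t << " -> " << (xhrAllowed(doc, t) ? "allowed" : "blocked") << '\n';
    return 0;
}
```

The same function applied to a document served over http allows a relative target, since it resolves to http as well; the policy is on the effective scheme, not on whether the URL looked relative.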
If those fixes are in the upstream 4.4.3 bugfix release, they will be pushed out to all supported Fedora releases anyway as soon as 4.4.3 is released, which is quite soon.
(In reply to comment #11)
> I've opened upstream bug with request to disable JS in preview completely:
> https://bugs.kde.org/show_bug.cgi?id=235546

Ark upstream bug is resolved now. The patch should disable JS, Java, plugins and all remote references.
I'm going to wontfix this. It's fixed upstream and in RHEL6+. This issue isn't worth the effort needed to both sort out, then fix the minor issues.