Bug 743054 (CVE-2011-3365) - CVE-2011-3365 kdelibs: input validation failure in KSSL
Summary: CVE-2011-3365 kdelibs: input validation failure in KSSL
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-3365
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 743056 743074 743515 743516 746150 746157 746158 746160 746161 833920
Blocks: 743057
Reported: 2011-10-03 17:45 UTC by Vincent Danen
Modified: 2019-09-29 12:48 UTC
CC: 10 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-08 15:49:52 UTC
Embargoed:


Attachments
kdelibs patch (774 bytes, patch)
2011-10-04 06:30 UTC, Huzaifa S. Sidhpurwala
kio patch (2.73 KB, patch)
2011-10-04 06:30 UTC, Huzaifa S. Sidhpurwala


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2011:1364 | 0 | normal | SHIPPED_LIVE | Moderate: kdelibs security and enhancement update | 2011-10-11 16:39:10 UTC
Red Hat Product Errata | RHSA-2011:1385 | 0 | normal | SHIPPED_LIVE | Moderate: kdelibs and kdelibs3 security update | 2011-10-19 17:54:54 UTC

Description Vincent Danen 2011-10-03 17:45:44 UTC
An input validation failure was discovered in KSSL (CVE-2011-3365) and Rekonq (CVE-2011-3366) in KDE SC 4.6.0 up to and including KDE SC 4.7.1, however upstream indicates that earlier versions of KDE SC may also be affected.  The upstream advisory [1] details are noted below:


The default rendering type for a QLabel is QLabel::AutoText, which uses
heuristics to determine whether to render the given content as plain text
or rich text.

When displaying a security dialog with a certificate, KSSL does not
properly force its QLabels to use QLabel::PlainText. As a result, if given
a certificate containing rich text in its fields, it will render the rich
text.

Specifically, a certificate containing a common name (CN) that has a table
element will cause the second line of the table to be displayed. This can
allow spoofing of the certificate's common name.

The vulnerability and technical information about the exploit were
provided by Tim Brown of Nth Dimension. We thank them for their 
responsible disclosure and cooperative handling of the matter.

Exploitation may trick the user into believing a certificate is legitimate
when in fact it is invalid, and simply displayed incorrectly.


This has been corrected via the following git [2] commits:

4.6 branch: 9ca2b26f 90607b28
4.7 branch: bd70d4e5 86622e4d
frameworks: bd70d4e5 86622e4d

(Note: the second commit for each branch above is a fix for kio_http that
fixes a similar issue, but with only very minor security implications.)

And for Rekonq, the following commits correct it in git [3]:

85f454fa
526ce56f
d1711fff

Finally, Qt has also received a patch to warn users about sanitizing their QLabel [4].

[1] http://www.kde.org/info/security/advisory-20111003-1.txt
[2] http://quickgit.kde.org/?p=kdelibs.git&a=summary
[3] http://quickgit.kde.org/?p=rekonq.git&a=summary
[4] https://qt.gitorious.org/qt/qt/commit/31f7ecbdcdbafbac5bbfa693e4d060757244941b
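
The QLabel::AutoText behaviour the advisory describes, as an added standalone example that is not code from this bug, from Qt, or from the kdelibs patch. mightBeRichText() is a simplified C++ port of the Qt4 Qt::mightBeRichText() heuristic that backs AutoText; kKnownElements is a constructed subset of the element names Qt's HTML parser recognises, and kSpoofingCn is a constructed common name, not one taken from a real certificate. vulnerableCnLabelFormat() models a label left at the default AutoText, fixedCnLabelFormat() models what forcing the label to Qt::PlainText (QLabel::setTextFormat) achieves.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <set>
#include <string>

// Mirrors Qt::TextFormat as far as QLabel uses it.
enum class TextFormat { AutoText, PlainText, RichText };

// Constructed subset of the element names Qt's HTML parser knows; the
// real lookup table in QTextHtmlParser is much longer.
static const std::set<std::string> kKnownElements = {
    "a", "b", "br", "div", "font", "i", "p", "span", "table", "td", "tr", "u"};

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Simplified port of the Qt4 Qt::mightBeRichText() heuristic behind
// QLabel::AutoText: only the first line is examined; the text counts as rich
// text if it starts with "<!DOCTYPE", contains "&lt;" before any '<', or if
// the first '<' opens a tag whose name is a known HTML element.
bool mightBeRichText(const std::string& text) {
    size_t start = 0;
    while (start < text.size() && std::isspace(static_cast<unsigned char>(text[start]))) ++start;
    if (toLower(text.substr(start, 5)) == "<!doc") return true;

    size_t open = start;
    while (open < text.size() && text[open] != '<' && text[open] != '\n') {
        if (text[open] == '&' && text.compare(open + 1, 3, "lt;") == 0) return true;
        ++open;
    }
    if (open >= text.size() || text[open] != '<') return false;

    const size_t close = text.find('>', open);
    if (close == std::string::npos) return false;

    std::string tag;
    for (size_t i = open + 1; i < close; ++i) {
        const unsigned char c = static_cast<unsigned char>(text[i]);
        if (std::isalnum(c)) tag += static_cast<char>(c);
        else if (!tag.empty() && std::isspace(c)) break;           // "<table border=1>"
        else if (!tag.empty() && c == '/' && i + 1 == close) break; // "<br/>"
        else if (!std::isspace(c) && (!tag.empty() || c != '!')) return false; // not a tag
    }
    return kKnownElements.count(toLower(tag)) != 0;
}

// The format a QLabel-like widget ends up rendering with for a given request.
TextFormat effectiveFormat(const std::string& text, TextFormat requested) {
    if (requested != TextFormat::AutoText) return requested;
    return mightBeRichText(text) ? TextFormat::RichText : TextFormat::PlainText;
}

// Vulnerable pattern: the certificate's CN lands in a label left at the
// default AutoText, so attacker-controlled markup decides how it renders.
TextFormat vulnerableCnLabelFormat(const std::string& cn) {
    return effectiveFormat(cn, TextFormat::AutoText);
}

// Fixed pattern, equivalent to calling QLabel::setTextFormat(Qt::PlainText):
// the heuristic is never consulted and the CN is shown byte-for-byte.
TextFormat fixedCnLabelFormat(const std::string& cn) {
    return effectiveFormat(cn, TextFormat::PlainText);
}

// Constructed CN (not from any real certificate) in the shape the advisory
// describes: a table whose second row carries the name the user should see.
const std::string kSpoofingCn =
    "<table><tr><td>evil.example.net</td></tr>"
    "<tr><td>www.bank.example.com</td></tr></table>";

static const char* name(TextFormat f) {
    return f == TextFormat::RichText ? "RichText"
         : f == TextFormat::PlainText ? "PlainText" : "AutoText";
}

int main() {
    std::cout << "AutoText label:  " << name(vulnerableCnLabelFormat(kSpoofingCn)) << '\n';
    std::cout << "PlainText label: " << name(fixedCnLabelFormat(kSpoofingCn)) << '\n';
    std::cout << "Honest CN:       " << name(vulnerableCnLabelFormat("www.example.com")) << '\n';
    return 0;
}
```

Run as-is it reports RichText for the spoofing CN on the AutoText label and PlainText for both the fixed label and an ordinary hostname. The check is worth applying to every place an untrusted string reaches a QLabel, QMessageBox or tooltip, because AutoText is the default everywhere; where rich text is genuinely wanted, the alternative is to escape the untrusted part first (Qt::escape() in Qt4, QString::toHtmlEscaped() in Qt5) rather than trust the heuristic.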

Comment 1 Vincent Danen 2011-10-03 17:47:31 UTC
Created rekonq tracking bugs for this issue

Affects: fedora-all [bug 743055]

Comment 2 Vincent Danen 2011-10-03 17:47:34 UTC
Created kdelibs tracking bugs for this issue

Affects: fedora-all [bug 743056]

Comment 3 Vincent Danen 2011-10-03 21:32:23 UTC
According to bug #743074, it looks as though KDE3 may be affected by this as well.

Comment 4 Huzaifa S. Sidhpurwala 2011-10-04 06:25:31 UTC
This issue affects the version of kdelibs as shipped with Red Hat Enterprise Linux 6.

Comment 5 Huzaifa S. Sidhpurwala 2011-10-04 06:30:02 UTC
Created attachment 526185 [details]
kdelibs patch

Comment 6 Huzaifa S. Sidhpurwala 2011-10-04 06:30:42 UTC
Created attachment 526187 [details]
kio patch

Comment 8 Huzaifa S. Sidhpurwala 2011-10-04 07:29:45 UTC
Since there are two issues here, affecting different products, this bug is being split into two parts.

This bug will be used for CVE-2011-3365: kssl/kdelibs input validation failure

The rekonq flaw (CVE-2011-3366) is tracked via:
https://bugzilla.redhat.com/show_bug.cgi?id=743194

Comment 12 errata-xmlrpc 2011-10-11 16:39:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1364 https://rhn.redhat.com/errata/RHSA-2011-1364.html

Comment 14 errata-xmlrpc 2011-10-19 17:55:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:1385 https://rhn.redhat.com/errata/RHSA-2011-1385.html

Comment 15 Fedora Update System 2011-10-22 08:24:11 UTC
kdelibs-4.6.5-6.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2011-10-22 08:26:11 UTC
kdelibs-4.6.5-6.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Rex Dieter 2012-08-08 15:01:04 UTC
confirmed this patch is already present and applied to rekonq-0.9.2-1 builds present already in f16 and f17

