Bug 743054 (CVE-2011-3365) - CVE-2011-3365 kdelibs: input validation failure in KSSL
Summary: CVE-2011-3365 kdelibs: input validation failure in KSSL
Status: CLOSED ERRATA
Alias: CVE-2011-3365
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20111003,repor...
Keywords: Security
Depends On: 743056 743074 743515 743516 746150 746157 746158 746160 746161 833920
Blocks: 743057
TreeView+ depends on / blocked
 
Reported: 2011-10-03 17:45 UTC by Vincent Danen
Modified: 2019-06-08 18:55 UTC (History)
10 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2012-08-08 15:49:52 UTC


Attachments (Terms of Use)
kdelibs patch (774 bytes, patch)
2011-10-04 06:30 UTC, Huzaifa S. Sidhpurwala
no flags Details | Diff
kio patch (2.73 KB, patch)
2011-10-04 06:30 UTC, Huzaifa S. Sidhpurwala
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1364 normal SHIPPED_LIVE Moderate: kdelibs security and enhancement update 2011-10-11 16:39:10 UTC
Red Hat Product Errata RHSA-2011:1385 normal SHIPPED_LIVE Moderate: kdelibs and kdelibs3 security update 2011-10-19 17:54:54 UTC

Description Vincent Danen 2011-10-03 17:45:44 UTC
An input validation failure was discovered in KSSL (CVE-2011-3365) and Rekonq (CVE-2011-3366) in KDE SC 4.6.0 up to and including KDE SC 4.7.1, however upstream indicates that ealier versions of KDE SC may also be affected.  The upstream advisory [1] details are noted below:


The default rendering type for a QLabel is QLabel::AutoText, which uses
heuristics to determine whether to render the given content as plain text
or rich text.

When displaying a security dialog with a certificate, KSSL does not
properly force its QLabels to use QLabel::PlainText. As a result, if given
a certificate containing rich text in its fields, it will render the rich
text.

Specifically, a certificate containing a common name (CN) that has a table
element will cause the second line of the table to be displayed. This can
allow spoofing of the certificate's common name.

The vulnerability and technical information about the exploit were
provided by Tim Brown of Nth Dimension. We thank them for their 
responsible disclosure and cooperative handling of the matter.

Exploitation may trick the user into beliving a certificate is legitimate
when in fact it is invalid, and simply displayed incorrectly.


This has been corrected via the following git [2] commits:

4.6 branch: 9ca2b26f 90607b28
4.7 branch: bd70d4e5 86622e4d
frameworks: bd70d4e5 86622e4d

(Note: the second commit for each branch above is a fix for kio_http that
fixes a similar issue, but with only very minor security implications.)

And for Rekonq, the following commits correct it in git [3]:

85f454fa
526ce56f
d1711fff

Finally, Qt has also received a patch to warn users about sanitizing their QLabel [4].

[1] http://www.kde.org/info/security/advisory-20111003-1.txt
[2] http://quickgit.kde.org/?p=kdelibs.git&a=summary
[3] http://quickgit.kde.org/?p=rekonq.git&a=summary
[4] https://qt.gitorious.org/qt/qt/commit/31f7ecbdcdbafbac5bbfa693e4d060757244941b

Comment 1 Vincent Danen 2011-10-03 17:47:31 UTC
Created rekonq tracking bugs for this issue

Affects: fedora-all [bug 743055]

Comment 2 Vincent Danen 2011-10-03 17:47:34 UTC
Created kdelibs tracking bugs for this issue

Affects: fedora-all [bug 743056]

Comment 3 Vincent Danen 2011-10-03 21:32:23 UTC
According to bug #743074, it looks as though KDE3 may be affected by this as well.

Comment 4 Huzaifa S. Sidhpurwala 2011-10-04 06:25:31 UTC
This issue affects the version of kdelibs as shipped with Red Hat Enterprise Linux 6.

Comment 5 Huzaifa S. Sidhpurwala 2011-10-04 06:30:02 UTC
Created attachment 526185 [details]
kdelibs patch

Comment 6 Huzaifa S. Sidhpurwala 2011-10-04 06:30:42 UTC
Created attachment 526187 [details]
kio patch

Comment 8 Huzaifa S. Sidhpurwala 2011-10-04 07:29:45 UTC
Since there are two issues here, affecting different products, this bug is being split into two parts.

This bug will be used for CVE-2011-3365: kssl/kdelibs input validation failure

The rekonq flaw (CVE-2011-3366) is tracked via:
https://bugzilla.redhat.com/show_bug.cgi?id=743194

Comment 12 errata-xmlrpc 2011-10-11 16:39:19 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1364 https://rhn.redhat.com/errata/RHSA-2011-1364.html

Comment 14 errata-xmlrpc 2011-10-19 17:55:02 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:1385 https://rhn.redhat.com/errata/RHSA-2011-1385.html

Comment 15 Fedora Update System 2011-10-22 08:24:11 UTC
kdelibs-4.6.5-6.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2011-10-22 08:26:11 UTC
kdelibs-4.6.5-6.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Rex Dieter 2012-08-08 15:01:04 UTC
confirmed this patch is already present and applied to rekonq-0.9.2-1 builds present already in f16 and f17


Note You need to log in before you can comment on or make changes to this bug.