Bug 743074 - CVE-2011-3365 kdelibs3: input validation failure in KSSL [fedora-all]
Summary: CVE-2011-3365 kdelibs3: input validation failure in KSSL [fedora-all]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kdelibs3
Version: 15
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Ngo Than
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: CVE-2011-3365
TreeView+ depends on / blocked
 
Reported: 2011-10-03 18:54 UTC by Kevin Kofler
Modified: 2011-10-25 03:39 UTC (History)
9 users (show)

Fixed In Version: kdelibs3-3.5.10-31.fc16
Doc Type: Release Note
Doc Text:
Clone Of: 743056
Environment:
Last Closed: 2011-10-24 22:58:49 UTC


Attachments (Terms of Use)
kdelibs-3.5.10-kssl-qlabel.patch (2.83 KB, patch)
2011-10-07 18:55 UTC, Kevin Kofler
no flags Details | Diff
kdelibs-3.5.10-kio_http-qlabel.patch (1.66 KB, patch)
2011-10-07 19:14 UTC, Kevin Kofler
no flags Details | Diff
CVE-2011-3365 kdelibs: input validation (4.31 KB, patch)
2011-10-13 11:31 UTC, Ngo Than
no flags Details | Diff

Description Kevin Kofler 2011-10-03 18:54:16 UTC
+++ This bug was initially created as a clone of Bug #743056 +++


This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.

For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=743054

Please note: this issue affects multiple supported versions of Fedora.
Only one tracking bug has been filed; please only close it when all
affected versions are fixed.


[bug automatically created by: add-tracking-bugs]

--- Additional comment from kevin@tigcc.ticalc.org on 2011-10-03 14:43:56 EDT ---

Note that there are TWO places in kdelibs which are affected and have been fixed, one in KSSL and one in kio_http.

I need to check the kdelibs3 code to see whether it is affected too. I suspect it probably is.

Comment 1 Kevin Kofler 2011-10-03 18:58:26 UTC
I can tell from a first cursory look that kdelibs3 appears to be vulnerable to both the kdelibs issues too. Affected files:
kio/kssl/ksslinfodlg.cc
kioslave/http/http.cc

(Qt 3's QLabel also defaults to AutoText mode.)

In both cases, the code is different from the kdelibs 4 code and the patches will have to be ported/rewritten.

Comment 2 Kevin Kofler 2011-10-07 18:55:12 UTC
Created attachment 526947 [details]
kdelibs-3.5.10-kssl-qlabel.patch

This is my proposed patch for the KSSL part of the issue.

I have NOT done ANY testing on this so far. And I'm not sure whether we even CAN test this properly in Fedora. There isn't all that much left using kdelibs3 in Fedora. Testing this on RHEL 5's Konqueror is probably more useful.

Comment 3 Kevin Kofler 2011-10-07 19:14:28 UTC
Created attachment 526948 [details]
kdelibs-3.5.10-kio_http-qlabel.patch

And this is my backport of the kio_http fix from kdelibs 4.

Here too, testing is needed.

Qt 3 has no Qt::escape function, so, even though we are linking in all of qt-mt, we still need a custom htmlEscape function. (In kdelibs 4, it's needed because Qt::escape is in QtGui.)

Comment 4 Ngo Than 2011-10-12 15:55:36 UTC
i have reviewed the kevin's patches. both look fine. I will test it today or tomorrow. Kevin, thanks for the backported patches!

Comment 5 Ngo Than 2011-10-13 11:31:00 UTC
Created attachment 527959 [details]
CVE-2011-3365 kdelibs: input validation

there're some syntax errors in kevin's patch, i fixed it so that it's compiled fine now. The security patches fixed also the issues.

Comment 6 Kevin Kofler 2011-10-13 17:53:33 UTC
Thanks for fixing my errors (I forgot the d-pointers, that's what happens when I'm too busy to test that the stuff actually compiles… but I got quite close ;-) ).

Comment 7 Fedora Update System 2011-10-14 14:30:55 UTC
kdelibs3-3.5.10-31.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/kdelibs3-3.5.10-31.fc14

Comment 8 Fedora Update System 2011-10-14 14:55:07 UTC
kdelibs3-3.5.10-31.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/kdelibs3-3.5.10-31.fc15

Comment 9 Fedora Update System 2011-10-14 14:56:17 UTC
kdelibs3-3.5.10-31.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/kdelibs3-3.5.10-31.fc16

Comment 10 Fedora Update System 2011-10-15 14:29:36 UTC
Package kdelibs3-3.5.10-31.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing kdelibs3-3.5.10-31.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-14335
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2011-10-24 22:58:49 UTC
kdelibs3-3.5.10-31.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2011-10-24 23:07:23 UTC
kdelibs3-3.5.10-31.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2011-10-25 03:39:48 UTC
kdelibs3-3.5.10-31.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.