+++ This bug was initially created as a clone of Bug #743056 +++

This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.

For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please include the bug IDs of the respective parent bugs filed against the "Security Response" product. Please mention CVE ids in the RPM changelog when available.

Bodhi update submission link: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=743054

Please note: this issue affects multiple supported versions of Fedora. Only one tracking bug has been filed; please only close it when all affected versions are fixed.

[bug automatically created by: add-tracking-bugs]

--- Additional comment from kevin.org on 2011-10-03 14:43:56 EDT ---

Note that there are TWO places in kdelibs which are affected and have been fixed, one in KSSL and one in kio_http. I need to check the kdelibs3 code to see whether it is affected too. I suspect it probably is.
I can tell from a first cursory look that kdelibs3 appears to be vulnerable to both the kdelibs issues too.

Affected files:
kio/kssl/ksslinfodlg.cc
kioslave/http/http.cc

(Qt 3's QLabel also defaults to AutoText mode.)

In both cases, the code is different from the kdelibs 4 code and the patches will have to be ported/rewritten.
Created attachment 526947
kdelibs-3.5.10-kssl-qlabel.patch

This is my proposed patch for the KSSL part of the issue. I have NOT done ANY testing on this so far. And I'm not sure whether we even CAN test this properly in Fedora. There isn't all that much left using kdelibs3 in Fedora. Testing this on RHEL 5's Konqueror is probably more useful.
Created attachment 526948
kdelibs-3.5.10-kio_http-qlabel.patch

And this is my backport of the kio_http fix from kdelibs 4. Here too, testing is needed. Qt 3 has no Qt::escape function, so, even though we are linking in all of qt-mt, we still need a custom htmlEscape function. (In kdelibs 4, it's needed because Qt::escape is in QtGui.)
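As an added illustration of the kind of custom htmlEscape helper the comment above refers to (this is not the code from the attached patches): because a QLabel in AutoText mode may render its text as rich text, untrusted strings are escaped before being placed into it. std::string stands in for QString here, and buildLabelText and the sample inputs are hypothetical.

```cpp
#include <iostream>
#include <string>

// Escape the characters that a rich-text renderer treats as markup.
// A single pass over the input means '&' characters produced by the
// escaping itself are never escaped a second time.
std::string htmlEscape(const std::string &plain)
{
    std::string out;
    out.reserve(plain.size() + plain.size() / 8);
    for (std::string::size_type i = 0; i < plain.size(); ++i) {
        switch (plain[i]) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        default:   out += plain[i]; break;
        }
    }
    return out;
}

// Hypothetical helper: only the fixed template contributes markup;
// the untrusted value is escaped so it is displayed literally.
std::string buildLabelText(const std::string &untrustedName)
{
    return "<qt>Connected to: <b>" + htmlEscape(untrustedName) + "</b></qt>";
}

int main()
{
    // Constructed sample inputs, not taken from the bug report.
    const char *samples[] = { "example.org", "<i>styled</i> & \"quoted\"", "&lt;" };
    for (unsigned i = 0; i < sizeof(samples) / sizeof(samples[0]); ++i)
        std::cout << buildLabelText(samples[i]) << "\n";
    return 0;
}
```

Escaping is needed when a label mixes fixed markup with untrusted text; a label that shows only the untrusted string can instead be forced to plain text with QLabel::setTextFormat(Qt::PlainText).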
I have reviewed Kevin's patches. Both look fine. I will test them today or tomorrow. Kevin, thanks for the backported patches!
Created attachment 527959
CVE-2011-3365 kdelibs: input validation

There are some syntax errors in Kevin's patch; I fixed them so that it compiles fine now. The security patches also fixed the issues.
Thanks for fixing my errors (I forgot the d-pointers, that's what happens when I'm too busy to test that the stuff actually compiles… but I got quite close ;-) ).
kdelibs3-3.5.10-31.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/kdelibs3-3.5.10-31.fc14
kdelibs3-3.5.10-31.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/kdelibs3-3.5.10-31.fc15
kdelibs3-3.5.10-31.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/kdelibs3-3.5.10-31.fc16
Package kdelibs3-3.5.10-31.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing kdelibs3-3.5.10-31.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-14335
then log in and leave karma (feedback).
kdelibs3-3.5.10-31.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
kdelibs3-3.5.10-31.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
kdelibs3-3.5.10-31.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.