Bug 1164293 (CVE-2014-8600) - CVE-2014-8600 kwebkitpart, kde-runtime: Insufficient Input Validation By IO Slaves and Webkit Part
Summary: CVE-2014-8600 kwebkitpart, kde-runtime: Insufficient Input Validation By IO S...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2014-8600
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1164607 1164608 1164609
Blocks: 1164295
TreeView+ depends on / blocked
 
Reported: 2014-11-14 15:11 UTC by Martin Prpič
Modified: 2021-02-17 06:00 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-17 09:34:27 UTC


Attachments (Terms of Use)

Description Martin Prpič 2014-11-14 15:11:39 UTC
From the upstream advisory:

Overview
========

kwebkitpart and the bookmarks:// io slave were not sanitizing input correctly allowing to some javascript being executed on the context of the referenced hostname. For example going to bookmarks://hhdhdhhdhdhdh.google.com/'><script>alert('bookmarks'+document.domain);</script> in Konqueror makes a Javascript alert popup.

Impact
======

Whilst in most cases, the JavaScript will be executed in an untrusted context, with the bookmarks IO slave, it will be executed in the context of the referenced hostname. In the example above, this is hhdhdhhdhdhdh.google.com. It should however be noted that KDE mitigates this risk by attempting to ensure that such URLs cannot be embedded directly into Internet hosted content.

Patches for kwebkitpart and kde-runtime are available at:
- kwebkitpart
    http://quickgit.kde.org/?p=kwebkitpart.git&a=commit&h=641aa7c75631084260ae89aecbdb625e918c6689
- kde-runtime
    http://quickgit.kde.org/?p=kde-runtime.git&a=commit&h=d68703900edc8416fbcd2550cd336cbbb76decb9

External References:

https://www.kde.org/info/security/advisory-20141113-1.txt

Comment 1 Murray McAllister 2014-11-17 01:03:26 UTC
Created kwebkitpart tracking bugs for this issue:

Affects: fedora-all [bug 1164607]
Affects: epel-7 [bug 1164608]

Comment 2 Murray McAllister 2014-11-17 01:03:30 UTC
Created kde-runtime tracking bugs for this issue:

Affects: fedora-all [bug 1164609]

Comment 3 Fedora Update System 2014-11-25 15:30:31 UTC
kde-runtime-4.14.3-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2014-12-03 06:37:52 UTC
kwebkitpart-1.3.4-5.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2014-12-03 17:15:06 UTC
kwebkitpart-1.3.4-5.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2014-12-03 17:16:36 UTC
kde-runtime-4.14.3-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2014-12-06 02:31:40 UTC
kwebkitpart-1.3.4-5.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2014-12-07 04:33:15 UTC
kwebkitpart-1.3.4-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Siddharth Sharma 2015-03-17 09:31:23 UTC
Analysis
========

In the code of kdebase-runtime and kde-runtime for bookmarks kio slave, urls are not handled properly leading to cross-site-scripting (XSS). Problem exists in the following code

void BookmarksProtocol::get( const KUrl& url )
{
  QString path = url.path();
  QRegExp regexp("^/(background|icon)/([\\S]+)");

1. Value of variable 'path' is not sanitized properly here which allows javascript to run in untrusted context leading to cross-site-scripting XSS. Impact of this flaw is very low.

    echo("<p class=\"message\">" + i18n("Wrong request: %1",path) + "</p>");

  }
  finished();
}


Note You need to log in before you can comment on or make changes to this bug.