See below e-mail from the non-public KDE packagers mailing list. Embargoed until 3/10/2011, which is why I am restricting this bug to security.

-

Hello packagers,

This issue is embargoed until October 3rd. On October 3rd we will release a security advisory (20111003-1) regarding QLabel spoofing.

Tim Brown of Nth Dimension (timb@nth-dimension.org.uk) notified us that various dialog boxes are able to be spoofed because QLabel's default behavior, rich text, is not properly changed to plain text in important locations.

The CVEs are the following:
CVE-2011-3365 KDE KSSL
CVE-2011-3366 KDE Rekonq
CVE-2011-3367 Arora

As you can see, this affects multiple products, and not just KDE products. At this time we have CVEs for KSSL, Rekonq, and Arora. I don't have commit IDs for the last two, but I suggest checking with the project maintainers or looking at their commit logs for the fixes (keeping in mind the embargo, so private communication please).

The patch for KSSL for 4.6 is 9ca2b26fc67c3f921e1943c1725fca623e395854 and the patch for 4.7 is bd70d4e589711fda9ab07738c46e37eee8376214.

It is quite possible that Kleopatra will receive a CVE as well; I'll update you on the status of that as I can.

Finally, we've been in touch with Qt maintainers. They will be posting a blog article reminding developers to be careful with QLabel sanitizing, and put a warning in the API documentation as well.

Thanks,
Jeff
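As an added example (not code from the advisory, KDE, Qt, or any of the affected projects): a plain C++ approximation of the rich-text auto-detection described above, next to the escaping a defender applies to a certificate field before handing it to a label. The heuristic's details and the function names are assumptions for illustration, not Qt's actual implementation.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

// Approximation of the auto-detection a rich-text-capable label applies: a
// leading "<!doc", a literal "&lt;", or the first '<' on the first line followed
// by a tag name and '>' makes the whole string render as markup. Qt's own check
// (Qt::mightBeRichText) also requires a known HTML element; this accepts any tag.
bool mightBeRichText(const std::string& text) {
    std::size_t pos = 0;
    while (pos < text.size() && std::isspace(static_cast<unsigned char>(text[pos]))) ++pos;
    std::string head = text.substr(pos, 5);
    for (char& c : head) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    if (head == "<!doc") return true;
    while (pos < text.size() && text[pos] != '<' && text[pos] != '\n') {
        if (text.compare(pos, 4, "&lt;") == 0) return true;
        ++pos;
    }
    if (pos >= text.size() || text[pos] != '<') return false;
    std::size_t close = text.find('>', pos);
    if (close == std::string::npos) return false;
    std::string tag;
    for (std::size_t i = pos + 1; i < close; ++i) {
        unsigned char c = static_cast<unsigned char>(text[i]);
        if (std::isalnum(c)) tag += static_cast<char>(c);
        else if (!tag.empty() && (std::isspace(c) || (c == '/' && i + 1 == close))) break;
        else return false;  // '<' not followed by a tag name is not markup
    }
    return !tag.empty();
}

// Defensive rendering of a certificate field: escape the HTML metacharacters so
// the field is displayed literally even by a label left in rich-text mode. In
// Qt the equivalent fixes are label->setTextFormat(Qt::PlainText) or escaping
// the string (Qt::escape / QString::toHtmlEscaped) before setText().
std::string escapeForLabel(const std::string& field) {
    std::string out;
    out.reserve(field.size());
    for (char c : field) {
        switch (c) {
            case '&': out += "&amp;"; break;
            case '<': out += "&lt;"; break;
            case '>': out += "&gt;"; break;
            case '"': out += "&quot;"; break;
            default: out += c;
        }
    }
    return out;
}
```

The sniff only inspects the first line, so a field that starts harmlessly and carries markup after a newline is not flagged; that is why the fix is to force plain text or escape unconditionally rather than to detect and reject.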
The security advisory is out, see URL. No need to keep this bug confidential anymore.

Arches, please fast-stabilize:
amd, x86: kde-base/kdelibs-4.6.5-r2
ppc: kde-base/kdelibs-4.6.3-r3

rekonq stablereq is following soon
(In reply to comment #1)
> The security advisory is out, see URL. No need to keep this bug confidential
> anymore.
>
> Arches, please fast-stabilize:
> amd, x86: kde-base/kdelibs-4.6.5-r2
> ppc: kde-base/kdelibs-4.6.3-r3
>

In addition, please fast-stabilize:
amd, x86: www-client/rekonq-0.7.92
(patches don't apply to older versions anymore and this release contains all the fixes)
Thanks, Andreas. Embargo lifted.
@kde

rekonq-0.7.92 pulls in kde-4.7.1 packages. What do we do?
(In reply to comment #4)
> @kde
>
> rekonq-0.7.92 pulles in kde-4.7.1 packages. What we do?

Meh. Overlooked that. Please wait with rekonq. I'll have a closer look at the patches, maybe they can be ported to 0.7.0 somehow.
ppc stable
amd64 done
x86 done, not closing, please CC us again when you know about rekonq
Reverted to [ebuild] for rekonq.
*** Bug 385667 has been marked as a duplicate of this bug. ***
Note that net-im/psi is also affected. Reference: http://seclists.org/fulldisclosure/2011/Oct/352

Upstream appears a bit "dead", adding anyway, maintainers.
> not closing, please CC us again when you know about reconq

About rekonq: The patches do not apply at all to the stable (and last kde-4.6) version; it seems these code parts have been completely rewritten with new files etc. We're going to decide at the KDE team meeting next Friday (14 Oct, 20:00 UTC) on the stabilization of KDE 4.7.1. I suggest waiting until then.
*** Bug 387273 has been marked as a duplicate of this bug. ***
net-im/psi is fixed in 0.14-r3. Arch teams, please, stabilize it.
(In reply to comment #14)
> net-im/psi is fixed in 0.14-r3. Arch teams, please, stabilize it.

Please start doing this the way everyone else does:

Arch teams, please test and mark stable:
=net-im/psi-0.14-r3
Target KEYWORDS="amd64 arm hppa ppc ppc64 x86"
> =net-im/psi-0.14-r3
> Target KEYWORDS="amd64 arm hppa ppc ppc64 x86"

amd64 ok
I've committed =net-im/psi-0.14-r4 to fix bug 387655. Since I don't want to stabilize this package due to this minor change, arch teams, please, go with
=net-im/psi-0.14-r4
Target KEYWORDS="amd64 arm hppa ppc ppc64 x86"

> (In reply to comment #14)
> Please start doing this the way everyone else does:

Provide me with tools that do this consistently and I will. Now I do it manually, and to avoid typos and save some time I'd rather delegate this job to arch teams. Sorry.
r4 also ok.
amd64: =net-im/psi-0.14-r4 pass
+ 20 Oct 2011; Tony Vroon <chainsaw@gentoo.org> psi-0.14-r4.ebuild: + Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & + Elijah "Armageddon" El Lazkani in security bug #384227.
ppc/ppc64 stable
x86 stable
Depend on KDE-4.7.2 stabilization because of rekonq
Stable for HPPA.
As per https://secunia.com/advisories/46269/, arora is also affected.
(In reply to comment #25)
> as per: https://secunia.com/advisories/46269/
> arora is also affected

CC'ing qt.
<www-client/rekonq-0.7.92 removed from tree
CVE-2011-3367 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3367):
Arora, possibly 0.11 and other versions, does not use a certain font when rendering certificate fields in a security dialog, which allows remote attackers to spoof the common name (CN) of a certificate via rich text.

CVE-2011-3366 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3366):
Rekonq 0.7.0 and earlier does not use a certain font when rendering certificate fields in a security dialog, which allows remote attackers to spoof the common name (CN) of a certificate via rich text.

CVE-2011-3365 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3365):
The KDE SSL Wrapper (KSSL) API in KDE SC 4.6.0 through 4.7.1, and possibly earlier versions, does not use a certain font when rendering certificate fields in a security dialog, which allows remote attackers to spoof the common name (CN) of a certificate via rich text.
<kde-base/kdelibs-{4.6.5-r2,4.6.3-r3} removed from tree.
Since arora is dead upstream, I advise to remove it from the tree. (People who want a non-KDE Qt webkit browser should use qupzilla, for which I plan to provide an ebuild soon.)
www-client/arora masked for removal
Arora upstream is not entirely dead. The original lead developer retired, and mariuz stepped up to continue development: https://github.com/mariuz/arora
(In reply to comment #32)
> Arora upstream is not entirely dead.

Last commit 7 months ago, no releases since 0.11. It doesn't look terribly alive to me. Does the git head solve this security problem? Is there anyone willing to maintain it?

Personally I think we should drop it in favor of Qupzilla (now in qt overlay).
(In reply to comment #33)
> (In reply to comment #32)
> > Arora upstream is not entirely dead.
>
> Last commit 7 months ago, no releases since 0.11. It doesn't look terribly
> alive to me. Does the git head solve this security problem? Is there anyone
> willing to maintain it?
>
> Personally I think we should drop it in favor of Qupzilla (now in qt overlay).

+1
(In reply to comment #34)
> (In reply to comment #33)
> > (In reply to comment #32)
> > > Arora upstream is not entirely dead.
> >
> > Last commit 7 months ago, no releases since 0.11. It doesn't look terribly
> > alive to me. Does the git head solve this security problem? Is there anyone
> > willing to maintain it?
> >
> > Personally I think we should drop it in favor of Qupzilla (now in qt overlay).
>
> +1

Goes well, me too for +1
@security: rekonq is fixed, and arora is not anymore in the main tree.
Yep, www-client/arora has just been treecleaned. I also pruned <net-im/psi-0.14-r4 as part of bug 311481 (ACK'ed by Nikoli). Removing qt@g.o from CC, nothing else to do for us here.
Thanks, everyone. Added to existing GLSA request.
All vulnerable versions gone from the tree. Thanks everyone.
This issue was resolved and addressed in GLSA 201406-34 at http://security.gentoo.org/glsa/glsa-201406-34.xml by GLSA coordinator Mikle Kolyada (Zlogene).