Secunia has reported a window injection vulnerability. Details in URL. Secunia says 3.2.2-6 is vulnerable and another place that it affects Konqueror 3.x. I can not recreate this problem with 3.3.1 and the Secunia test page.
Unconfirmed. Ccing maintainer to confirm / keep track of upstream progress.
kde please test.
KDE Security Advisory: Konqueror Window Injection Vulnerability Original Release Date: 2004-12-13 URL: http://www.kde.org/info/security/advisory-20041213-1.txt 0. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1158 http://secunia.com/advisories/13254/ http://secunia.com/secunia_research/2004-13/advisory http://secunia.com/multiple_browsers_window_injection_vulnerability_test/ http://bugs.kde.org/show_bug.cgi?id=94812 http://www.kde.org/info/security/advisory-20040811-3.txt 1. Systems affected: All versions of KDE up to KDE 3.3.2 inclusive. 2. Overview: The Konqueror webbrowser allows websites to load webpages into a window or tab currently used by another website. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1158 to this issue. This vulnerability is similar to the Konqueror Frame Injection Vulnerability reported on 2004-08-11 but the solution offered as part of that advisory did not cover the window case. 3. Impact: A malicious website could abuse Konquer to load its own content into a window or tab that was opened by a trusted website or it could trick a trusted website into loading content into an existing window or tab. This may be abused to confuse the user about the origin of a certain webpage. As a result the user may unknowingly send confidential information intended for the trusted website to the malicious website. 4. Solution: Source code patches have been made available which fix these vulnerabilities. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages. 5. Patch: Patches for KDE 3.2.3 are available from ftp://ftp.kde.org/pub/kde/security_patches : 4d61d568e822d781308caa73050930bd post-3.2.3-kdelibs-htmlframes2.patch 7340cfd22ee46a6d65e001179c082b08 post-3.2.3-kdebase-htmlframes2.patch Patches for KDE 3.3.2 are available from ftp://ftp.kde.org/pub/kde/security_patches : d2e513a039ba44becf5728b983b78fc4 post-3.3.2-kdelibs-htmlframes2.patch 31688394bea2dd685371d9d3da9ec2ab post-3.3.2-kdebase-htmlframes2.patch 6. Time line and credits: 19/11/2004 security@kde.org contacted by Secunia 08/12/2004 Advisory & test case publishd by Secunia 11/12/2004 Konqueror patches posted for review 13/12/2004 KDE Advisory released
Created attachment 45833 [details, diff] 3.2.3 kdelibs patch
Created attachment 45834 [details, diff] 3.2.3 kdelibs patch
Created attachment 45835 [details, diff] 3.2.3 kdebase patch
Created attachment 45836 [details, diff] 3.3.2 kdebase patch
Created attachment 45837 [details, diff] 3.3.2 kdelibs patch
Perhaps we could combine this announcement with bug 72804(SMB Password disclosure)?
Combining it is fine with me. Both kdelibs and kdebase from 3.2.3 and 3.3.2 will require a rev-bump - I'll get them in portage in a little bit.
The cumulative fix for this bug (and the SMB bug) are: kde-base/kdelibs-3.2.3-r4 kde-base/kdebase-3.2.3-r3 kde-base/kdelibs-3.3.1-r2 kde-base/kdebase-3.3.1-r2 kde-base/kdelibs-3.3.2-r1 kde-base/kdebase-3.3.2-r1
Advisory is now public. However, I just received this email: Re: [DRAFT] Konqueror Window Injection Vulnerability From: Than Ngo <than@redhat.com> To: Waldo Bastian <bastian@kde.org> CC: kde-packager <kde-packager@kde.org> Date: Today 11:46:31 am Waldo Bastian wrote: >Draft, please review. > >Cheers, >Waldo > >KDE Security Advisory: Konqueror Window Injection Vulnerability >Original Release Date: 2004-12-13 >URL: http://www.kde.org/info/security/advisory-20041213-1.txt > >
Advisory is now public. However, I just received this email: Re: [DRAFT] Konqueror Window Injection Vulnerability From: Than Ngo <than@redhat.com> To: Waldo Bastian <bastian@kde.org> CC: kde-packager <kde-packager@kde.org> Date: Today 11:46:31 am Waldo Bastian wrote: >Draft, please review. > >Cheers, >Waldo > >KDE Security Advisory: Konqueror Window Injection Vulnerability >Original Release Date: 2004-12-13 >URL: http://www.kde.org/info/security/advisory-20041213-1.txt > > > Waldo, it seems the testcase on http://secunia.com/multiple_browsers_window_injection_vulnerability_test/ does not work anymore. I cannot reproduce this problem with this tescase. It would seem CITI has fixed the problem with their page. Bressers (RH security team) has created a new working testcase today. http://people.redhat.com/bressers/spoof_test It seems the problem still happens with the fix! Than
Back to upstream status until this gets fixed.
Caleb any news on this one?
Yep, it was a false alarm. They didn't have their test set up right. It's all ready now.
ppc64 please mark stable asap. Caleb if you change stable markings please note it on the bug.
ppc64 please mark stable asap. We're only waiting for you.
kdemultimedia-3.3.2 doesn't compile at the moment on ppc64. I added a bug dependency for that.
corsair: I think you need to mark stable kdemultimedia-3.3.1 e not 3.3.2 that is unstable everywhere.
corsair 3.3.2 should not be marked stable yet, only 3.3.1 and 3.2.3. Sorry for the confusion.
ok.. my fault, but it would be nice if you could make your stabilazion request more clear the next time. something like "ppc64 please mark _3.3.1_ stable". I'm currently merging kde-3.3.1. give my G5 a few hours and I'll mark it stable. Markus
Markus not your fault, I should have noted that, sorry.
finaly stable on ppc64...
GLSA 200412-16
