Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 172746 - {kde-base/kdelibs-3.5.5-r10|x11-libs/qt} UTF 8 issues (CVE-2007-0242)
Summary: {kde-base/kdelibs-3.5.5-r10|x11-libs/qt} UTF 8 issues (CVE-2007-0242)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A4 [noglsa] jaervosz
Keywords:
: 172784 173303 173304 (view as bug list)
Depends on: 172527
Blocks:
  Show dependency tree
 
Reported: 2007-03-30 06:22 UTC by Sune Kloppenborg Jeppesen
Modified: 2020-03-28 22:35 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
kdelibs-kjs.diff (kdelibs-kjs.diff,1.31 KB, patch)
2007-03-30 06:23 UTC, Sune Kloppenborg Jeppesen
no flags Details | Diff
utf8-bug-qt3.diff (utf8-bug-qt3.diff,2.61 KB, patch)
2007-03-30 06:23 UTC, Sune Kloppenborg Jeppesen
no flags Details | Diff
utf8-bug-qt4.diff (utf8-bug-qt4.diff,5.05 KB, patch)
2007-03-30 06:23 UTC, Sune Kloppenborg Jeppesen
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2007-03-30 06:22:22 UTC
Reported by Dirk Mueller from KDE:

 a significant bug in the Qt (3.x and 4.x) UTF 8 
decoder, that in certain cases can lead to security vulnerabilies. It causes 
XSS errors at least in Konqueror, though any KDE application that deals with 
urls or paths from untrusted locations can be affected. 

The issue is that the UTF8 decoder incorrectly does not reject overlong 
sequences, which can cause "/../" injection or (in the case of konqueror) 
a "<script>" tag injection.
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2007-03-30 06:23:43 UTC
Created attachment 114905 [details, diff]
kdelibs-kjs.diff
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2007-03-30 06:23:50 UTC
Created attachment 114906 [details, diff]
utf8-bug-qt3.diff
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2007-03-30 06:23:53 UTC
Created attachment 114907 [details, diff]
utf8-bug-qt4.diff
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2007-03-30 06:24:53 UTC
Not sure which packages are affected. KDE please advise.
Comment 5 Caleb Tennis (RETIRED) gentoo-dev 2007-03-30 13:00:22 UTC
Sorry, just found this bug.  See 172784.
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2007-03-30 14:32:47 UTC
*** Bug 172784 has been marked as a duplicate of this bug. ***
Comment 7 Caleb Tennis (RETIRED) gentoo-dev 2007-03-30 14:45:08 UTC
I have been informed this is assigned as CVE-2007-0242
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2007-04-04 06:41:30 UTC
*** Bug 173304 has been marked as a duplicate of this bug. ***
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2007-04-04 06:41:33 UTC
*** Bug 173303 has been marked as a duplicate of this bug. ***
Comment 10 Caleb Tennis (RETIRED) gentoo-dev 2007-04-04 11:36:57 UTC
The x11-libs/qt side should be addressed by:

qt-3.3.8-r2
qt-4.2.3-r1

I think both are candidates for stability anyway, so asking arches to go stable shouldn't be an issue.

------

The kde-base/kdelibs side should be addressed by:
kde-base/kdelibs-3.5.6-r4 and kde-base/kdelibs-3.5.5-r10, the latter of which looks like it's going stable now.  So, I think that's the version (3.5.5-r10) we should address, since 3.5.6 isn't stabilized yet as a whole.
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2007-04-11 10:22:56 UTC
Thx Caleb.

kde-base/kdelibs-3.5.5-r10 is all stable on bug #172527.

Arches please test and mark stable. Target keywords are:

qt-3.3.8-r2.ebuild:KEYWORDS="alpha amd64 hppa ia64 mips ppc ppc64 sparc x86 ~x86-fbsd"
qt-4.2.3-r1.ebuild:KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86 ~x86-fbsd"
Comment 12 Marcus D. Hanwell (RETIRED) gentoo-dev 2007-04-11 10:51:54 UTC
Both packages stable on amd64.
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2007-04-11 13:40:21 UTC
x11-libs/qt-3.3.8-r2
x11-libs/qt-4.2.3-r1
~dev-db/qt-unixODBC-3.3.8

stable on ia64 + x86
Comment 14 Markus Rothe (RETIRED) gentoo-dev 2007-04-11 14:21:44 UTC
ppc64 stable
Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2007-04-11 22:35:56 UTC
ppc stable
Comment 16 Gustavo Zacarias (RETIRED) gentoo-dev 2007-04-11 23:45:29 UTC
qt4 fails miserably on sparc with a simple and quite informative:

qtdemo: xcb_xlib.c:50qtdemo: xcb_xlib.c:50: xcb_xlib_unlock: Assertion `c->xlib.lock' failed.
Aborted

Ideas anyone?
Comment 17 Caleb Tennis (RETIRED) gentoo-dev 2007-04-11 23:48:38 UTC
Look at the output of configure and see if it's detecting your system on sparc correctly.  We have a patch in the ebuild that should help it, but it's from the 4.1 series so maybe the patch needs to be updated.
Comment 18 Jeroen Roovers gentoo-dev 2007-04-12 00:51:18 UTC
(In reply to comment #16)
> qt4 fails miserably on sparc with a simple and quite informative:
> 
> qtdemo: xcb_xlib.c:50qtdemo: xcb_xlib.c:50: xcb_xlib_unlock: Assertion
> `c->xlib.lock' failed.
> Aborted

Exact same error on hppa for media-sound/qmpdclient-1.0.7:

qmpdclient: xcb_xlib.c:50: xcb_xlib_unlock: Assertion `c->xlib.lock' failed.
Aborted

> Ideas anyone?
> 

Not yet.
Comment 19 Jeroen Roovers gentoo-dev 2007-04-12 01:34:29 UTC
Build log [3.8 MB]:

http://www.xs4all.nl/~rooversj/gentoo/bugs/x11-libs:qt-4.2.3-r1:20070411-204654.log

Thu Apr 12 03:31:35 CEST 2007
Portage 2.1.2.3 (default-linux/hppa/2006.1, gcc-4.1.1, glibc-2.3.6-r5, 2.6.19.1-pa0-JeR parisc)
=================================================================
System uname: 2.6.19.1-pa0-JeR parisc PA8700 (PCX-W2)
Gentoo Base System release 1.12.9
Timestamp of tree: Wed, 11 Apr 2007 15:50:01 +0000
distcc 2.18.3 hppa2.0-unknown-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.4 [disabled]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17.50.0.12
sys-devel/gcc-config: 1.3.15-r1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r5
ACCEPT_KEYWORDS="hppa"
AUTOCLEAN="yes"
CBUILD="hppa2.0-unknown-linux-gnu"
CFLAGS="-O2 -pipe -mschedule=8000 -march=2.0 -ggdb -Wall"
CHOST="hppa2.0-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/bind /var/www/localhost/htdocs/wordpress/wp-config.php"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache1-php4/ext-active/ /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php4/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php4/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php4/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -pipe -mschedule=8000 -march=2.0 -ggdb -Wall"
DISTDIR="/keeps/gentoo/distfiles"
FEATURES="autoaddcvs buildpkg cvs distlocks fixpackages notitles sandbox sfperms splitdebug strict"
GENTOO_MIRRORS="http://ftp.easynet.nl/mirror/gentoo/ http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://ftp.rhnet.is/pub/gentoo/ http://ftp.snt.utwente.nl/pub/os/linux/gentoo "
LC_ALL="en_US.UTF-8"
LINGUAS="en nl he"
MAKEOPTS="-j2"
PKGDIR="/keeps/gentoo/packages/elmer"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/keeps/gentoo/portage"
PORTDIR_OVERLAY="/keeps/gentoo/local"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="7zip X Xaw3d a52 aac aalib accessibility alsa amr ao aoss apache2 ares arts asf audiofile avahi bash-completion berkdb bidi bitmap-fonts bittorrent bl bzip2 c++ cairo caps catalogs cdb cdparanoia cdr chardet cjk cli cpudetection cpufreq cracklib crypt cups curl custom-cflags dbus dcraw dga directfb doc dts dv dvd dvdread dxr3 edl elf enca encode esd exif expat fam fame fastbuild fastcgi fbcon ffmpeg firefox flac foomaticdb fortran ftp gd gdbm ggi gif gimpprint glitz glut gmp gnome gnutls gphoto2 gpm gs gtk gtk2 gtkhtml hal hppa icecast iconv idn imagemagick imlib immqt-bc inquisitio ipv6 isdnlog javascript jpeg jpeg2k kde kdeenablefinal kerberos lcms ldap libcaca libnotify libsamplerate libwww logrotate lua lzo mad matroska memcache mhash midi mikmod mmap mng modplug motif mozbranding mp3 mudflap musepack mysql nas ncurses netpbm nfs nls offensive ogg openexr opengl oss pam pch pcre pdf perl php pic plugins png portaudio postgres povray pppd pulseaudio python qt3 readline recode reflection rpc rrdtool rtc ruby samba sasl scanner scim sdl session sid slang slp sndfile snmp speex spell spl sqlite ssl startup-notification suhosin svg sysfs tcl tcpd tetex tga theora threads thunar-vfs tidy tiff timidity tk truetype truetype-fonts twolame type1-fonts udev unicode unzip usb userlocales utempter utf v4l v4l2 vanim vcd vidix vim-syntax vorbis wavpack webdav wlan wma wmf xanim xattr xcb xchattext xcomposite xface xml xml2 xorg xrandr xscreensaver xv xvid xvmc zeroconf zip zlib" ALSA_CARDS="ad1889 usb-audio" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en nl he" USERLAND="GNU" VIDEO_CARDS="stifb fbdev matrox"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 20 Caleb Tennis (RETIRED) gentoo-dev 2007-04-12 11:49:42 UTC
To understand, the build doesn't fail, but running the qtdemo causes that error?
Comment 21 Caleb Tennis (RETIRED) gentoo-dev 2007-04-12 11:51:38 UTC
Re comments 18 and 19:

> Build type:    linux-g++
> Architecture:  parisc

Note there is a patch "qt4-parisc-linux.diff" that is NOT being applied in 4.2.3 but was in earlier versions.  I don't know if this may need to be reactivated or not.
Comment 22 Gustavo Zacarias (RETIRED) gentoo-dev 2007-04-12 11:52:23 UTC
Exactly, also designer fails if it means anything.
IIRC without the patch things were built wrong for sparc in such a way that it would SIGBUS (or killed by some other signal rather than just aborting).
Comment 23 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-04-12 12:03:03 UTC
it was strange to me that alpha doesn't fail and I was investigating a bit.

Probably, the error is well documented by debian in:
http://lists.debian.org/debian-devel-announce/2006/11/msg00010.html

Error and patch could be found in:
https://bugs.freedesktop.org/show_bug.cgi?id=8581

And alpha (also probably) doesn't fail because we don't have: 
x11-proto/xcb-proto-1.0, x11-libs/libxcb-1.0, x11-libs/libX11-1.1.1-r1 marked as stable.


Excuse me if I'm completely wrong with my assumptions
Comment 24 Jeroen Roovers gentoo-dev 2007-04-12 14:00:40 UTC
(In reply to comment #21)
> Note there is a patch "qt4-parisc-linux.diff" that is NOT being applied in
> 4.2.3 but was in earlier versions.

That is because it WON'T apply to >=qt-4.2. It kills poor epatch. :)
Comment 25 Jeroen Roovers gentoo-dev 2007-04-12 22:19:42 UTC
(In reply to comment #23)
> it was strange to me that alpha doesn't fail and I was investigating a bit.
> 
> Probably, the error is well documented by debian in:
> http://lists.debian.org/debian-devel-announce/2006/11/msg00010.html
> 
> Error and patch could be found in:
> https://bugs.freedesktop.org/show_bug.cgi?id=8581
> 
> And alpha (also probably) doesn't fail because we don't have: 
> x11-proto/xcb-proto-1.0, x11-libs/libxcb-1.0, x11-libs/libX11-1.1.1-r1 marked
> as stable.
> 
> 
> Excuse me if I'm completely wrong with my assumptions

You were completely right. Rebuilding libX11 with USE=-xcb did the job.

Both Qts are now stable for HPPA.
Comment 26 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-04-13 09:53:58 UTC
(In reply to comment #25)
> You were completely right. Rebuilding libX11 with USE=-xcb did the job.
> 

Sounds like a bug. 

@X11: please see the problem described in comments #16 and #18 and read #23 to check the root of the problem. Possibly related with the bug #156367?

Thanks.
Comment 27 Caleb Tennis (RETIRED) gentoo-dev 2007-04-13 12:34:49 UTC
gustavoz, can you post the beginning of your build log.  I'd like to make sure it's catching that your system is a sparc system.
Comment 28 Gustavo Zacarias (RETIRED) gentoo-dev 2007-04-13 13:12:42 UTC
caleb: no need for that, if i build libX11 with USE="xcb" on x86 it fails miserably the same way. I'm rebuilding libX11 with no xcb on sparc to check it out but it seems Yoswink and Jer pinpointed the issue nicely and i think it'll work.
We either mask xcb globally or fix qt4. I'd rather choose the second option since it's qt's fault.
Oh and qt-3.3.8-r2 sparc stable since it's not affected by this.
Comment 29 Gustavo Zacarias (RETIRED) gentoo-dev 2007-04-13 13:34:57 UTC
Verified, qt4 against libX11 -xcb on sparc works just fine.
Comment 30 Donnie Berkholz (RETIRED) gentoo-dev 2007-04-13 17:39:57 UTC
Anyone having XCB locking errors, please ensure all your X libraries are current. In particular, these ones:

$ grep -i -e xcb -e lock /usr/portage/x11-libs/libX*/ChangeLog -l
/usr/portage/x11-libs/libX11/ChangeLog
/usr/portage/x11-libs/libXcomposite/ChangeLog
/usr/portage/x11-libs/libXdamage/ChangeLog
/usr/portage/x11-libs/libXfixes/ChangeLog
/usr/portage/x11-libs/libXi/ChangeLog
/usr/portage/x11-libs/libXrandr/ChangeLog
Comment 31 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-04-16 09:12:33 UTC
(In reply to comment #30)
> Anyone having XCB locking errors, please ensure all your X libraries are
> current. In particular, these ones:

@Donnie: if current == stable then yes, they are. But I've seen in ChangeLogs that many of these fixes are marked as ~arch, so most of the users don't hit them and maybe we'll see the bugs growing up in bugzilla.

Any plan about how to deal with the bug?

Thanks.
Comment 32 Donnie Berkholz (RETIRED) gentoo-dev 2007-04-16 19:23:58 UTC
There's a few bugs around relating to this same thing. My response is, let's just stable the stuff. I haven't yet filed a bug for that, though. Any objections or support?
Comment 33 Joshua Baergen (RETIRED) gentoo-dev 2007-04-16 22:46:02 UTC
(In reply to comment #32)
> There's a few bugs around relating to this same thing. My response is, let's
> just stable the stuff. I haven't yet filed a bug for that, though. Any
> objections or support?
> 

I've been meaning to file such a thing when I have time to figure out all the packages that need to go stable.
Comment 34 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-04-17 10:54:56 UTC
(In reply to comment #33)
> (In reply to comment #32)
> > There's a few bugs around relating to this same thing. My response is, let's
> > just stable the stuff. I haven't yet filed a bug for that, though. Any
> > objections or support?
> > 
> 
> I've been meaning to file such a thing when I have time to figure out all the
> packages that need to go stable.
> 

Well, I'm with you as far as I can't see any better solution. Please, if we are going to do a fast-stable-keywording, package versions with only fixes for this bug and no new features or code added would be perfect. Anyway, If you think the new versions are ready for stable, I trust you :)
Comment 35 Donnie Berkholz (RETIRED) gentoo-dev 2007-04-17 19:28:24 UTC
I just filed bug #174959 to stable some XCB-fixed libraries. It's not a "fast" stable keywording by any means. Only one of those libraries has been in the tree for just 1 month, the others for many more.
Comment 36 Gustavo Zacarias (RETIRED) gentoo-dev 2007-04-17 22:09:50 UTC
Bug #174959 stabling fixed the xcb issues, qt-4.2.3-r1 sparc stable.
Comment 37 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-04-18 17:25:26 UTC
(In reply to comment #35)
> I just filed bug #174959 to stable some XCB-fixed libraries. It's not a "fast"
> stable keywording by any means. Only one of those libraries has been in the
> tree for just 1 month, the others for many more.

@Donnie and Joshua: thanks guys, you rock.

alpha done.

Comment 38 Sune Kloppenborg Jeppesen gentoo-dev 2007-04-18 19:54:43 UTC
This one is ready for GLSA decision. I tend to vote NO.
Comment 39 François Bissey 2007-04-22 08:58:50 UTC
Hi,

Since qt-3.3.8-r2 went stable with the utf8 patch some people, including me, have
some issue with kmail that we describe in bug #174678 .
Removing the utf8 patch restore the functionality, is there a forgotten corner case in the patch or has the patch revealed a bug in kmail?
Comment 40 Caleb Tennis (RETIRED) gentoo-dev 2007-04-22 11:21:23 UTC
I haven't seen any information about kmail issues.  Can you describe the problem and I'll ask the packagers?
Comment 41 Caleb Tennis (RETIRED) gentoo-dev 2007-04-22 11:22:48 UTC
(note: let's do it in a new bug, to keep from CCing everyone here)
Comment 42 François Bissey 2007-04-22 19:42:10 UTC
(In reply to comment #40)
> I haven't seen any information about kmail issues.  Can you describe the
> problem and I'll ask the packagers?
> 
As I have already mentioned in my original comment it is all in bug #174678
I just thought I'd bring it to your attention since we identified the utf8
patch as the source of the problem.
Comment 43 Matthias Geerdsen (RETIRED) gentoo-dev 2007-04-23 15:14:54 UTC
also tending to vote no

that makes one full no vote so far
Comment 44 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-23 19:55:22 UTC
not a "trivial" XSS (overly long sequences needed) -> i vote no, and closing. Feel free to reopen if you disagree.