From the kde-packager mailing list: -------- Hi, this is a notice about a significant bug in the Qt (3.x and 4.x) UTF 8 decoder, that in certain cases can lead to security vulnerabilies. It causes XSS errors at least in Konqueror, though any KDE application that deals with urls or paths from untrusted locations can be affected. The issue is that the UTF8 decoder incorrectly does not reject overlong sequences, which can cause "/../" injection or (in the case of konqueror) a "<script>" tag injection. The patch was embargoed, but it leaked recently into the qt snapshots and was also imported into qt-copy, so you can consider it public now. Originally Trolltech planned to disclose this with an Qt 3.3.9 release, but it seems they changed their mind. I'm also attaching a fix against KJS, which has a similar issue, but we don't know of a way to exploit this one. Please add both patches. The vulnerability was discovered and properly disclosed to KDE Security team by Andreas Nolden from extendedsecurity.de. Thanks, Dirk ---- Reproducible: Always Steps to Reproduce: This affects all versions of Qt in portage. The follow revisions have been added with patches that fix the problem: qt-3.3.8-r2 qt-4.2.3-r1 I am told that Trolltech will make an announcement Tuesday, April 3rd and possibly be releasing qt-3.3.9 that fixes the issue. This *should* correlate to our qt-3.3.8-r2, so we may not need to bump, but I will find out after it's released. Also, a patch was released for kdelibs which fixes an additional problem the found, but there is no known exploit for it. This is fixed in "kde-base/kdelibs-3.5.6-r4"
Lets keep the original one with pathes. *** This bug has been marked as a duplicate of bug 172746 ***