Bug 384227 (CVE-2011-3365) - <kde-base/kdelibs-{4.6.5-r2,4.6.3-r3}, <www-client/rekonq-0.7.92, <net-im/psi-0.14-r4, www-client/arora : Input Validation Failure (CVE-2011-{3365,3366,3367})
Summary: <kde-base/kdelibs-{4.6.5-r2,4.6.3-r3}, <www-client/rekonq-0.7.92, <net-im/psi...
Status: RESOLVED FIXED
Alias: CVE-2011-3365
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.kde.org/info/security/advi...
Whiteboard: A3 [glsa]
Keywords:
Duplicates: 385667 387273
Depends on: 396359
Blocks:
Reported: 2011-09-23 18:47 UTC by Andreas K. Hüttel
Modified: 2014-06-29 20:49 UTC (History)
Description Andreas K. Hüttel gentoo-dev 2011-09-23 18:47:30 UTC
See below e-mail from the non-public KDE packagers mailing list. 
Embargoed until 3/10/2011, which is why I am restricting this bug to security.

-

Hello packagers,

This issue is embargoed until October 3rd.

On October 3rd we will release a security advisory (20111003-1)
regarding QLabel spoofing. Tim Brown of Nth Dimension
(timb@nth-dimension.org.uk) notified us that various dialog boxes are
able to be spoofed because QLabel's default behavior, rich text, is not
properly changed to plain text in important locations.

The CVEs are the following:

CVE-2011-3365 KDE KSSL
CVE-2011-3366 KDE Rekonq
CVE-2011-3367 Arora

As you can see, this affects multiple products, and not just KDE
products. At this time we have CVEs for KSSL, Rekonq, and Arora. I don't
have commit IDs for the last two, but I suggest checking with the
project maintainers or looking at their commit logs for the fixes
(keeping in mind the embargo, so private communication please).

The patch for KSSL for 4.6 is 9ca2b26fc67c3f921e1943c1725fca623e395854
and the patch for 4.7 is bd70d4e589711fda9ab07738c46e37eee8376214.

It is quite possible that Kleopatra will receive a CVE as well; I'll
update you on the status of that as I can.

Finally, we've been in touch with Qt maintainers. They will be posting a
blog article reminding developers to be careful with QLabel sanitizing,
and put a warning in the API documentation as well.

Thanks,
Jeff
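The e-mail above describes the mechanism: a label left in its default auto-detecting text format interprets tag-like certificate fields as rich text, so what the dialog shows can differ from the actual common name. The following Python model is an added example, not Qt code and not KDE's patch; the rich-text heuristic and the sample CN are constructed assumptions used to illustrate the display difference and a defender-side check for it.

```python
import html
import re

# Constructed sample: a subject CN carrying markup, as an issuer could supply it.
SAMPLE_CN = '<font color="green">bank.example</font>'

TAG_RE = re.compile(r"<[^>]+>")
TAG_LIKE_RE = re.compile(r"</?[A-Za-z][^>]*>")


def might_be_rich_text(text: str) -> bool:
    """Assumed approximation of an auto-format heuristic: the string is
    treated as rich text if something tag-like appears before the first
    line break. This is a model, not Qt's own implementation."""
    first_line = text.split("\n", 1)[0]
    return TAG_LIKE_RE.search(first_line) is not None


def render_label(text: str, text_format: str = "auto") -> str:
    """Model what a label displays for a given text format.

    'auto'  - pick rich vs plain text by heuristic (the default the
              advisory refers to).
    'plain' - show every character verbatim (the hardened setting)."""
    if text_format == "plain":
        return text
    if text_format == "auto" and not might_be_rich_text(text):
        return text
    # Rich text: markup is consumed as formatting and entities are decoded,
    # so the user sees only the visible text, not the real field value.
    return html.unescape(TAG_RE.sub("", text))


def displayed_cn_vulnerable(cn: str) -> str:
    """CN as shown by a label left in auto format."""
    return render_label(cn, "auto")


def displayed_cn_fixed(cn: str) -> str:
    """CN as shown once the label is forced to plain text."""
    return render_label(cn, "plain")


def is_spoofable(cn: str) -> bool:
    """Defender check: flag a CN whose auto-format rendering differs from
    its literal value, i.e. one containing markup a dialog would interpret."""
    return displayed_cn_vulnerable(cn) != cn
```

A certificate dialog that forces plain text (or a check like `is_spoofable` run over subject fields before display) shows the CN exactly as it appears in the certificate.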
Comment 1 Andreas K. Hüttel gentoo-dev 2011-10-03 13:41:17 UTC
The security advisory is out, see URL. No need to keep this bug confidential anymore. 

Arches, please fast-stabilize:
amd, x86: kde-base/kdelibs-4.6.5-r2
ppc: kde-base/kdelibs-4.6.3-r3

rekonq stablereq is following soon
Comment 2 Andreas K. Hüttel gentoo-dev 2011-10-03 13:54:09 UTC
(In reply to comment #1)
> The security advisory is out, see URL. No need to keep this bug confidential
> anymore. 
> 
> Arches, please fast-stabilize:
> amd, x86: kde-base/kdelibs-4.6.5-r2
> ppc: kde-base/kdelibs-4.6.3-r3
> 

In addition, please fast-stabilize:
amd, x86: www-client/rekonq-0.7.92

(patches don't apply to older versions anymore and this release contains all the fixes)
Comment 3 Tobias Heinlein (RETIRED) gentoo-dev 2011-10-03 15:11:32 UTC
Thanks, Andreas. Embargo lifted.
Comment 4 Agostino Sarubbo gentoo-dev 2011-10-03 15:43:20 UTC
@kde

rekonq-0.7.92 pulls in kde-4.7.1 packages. What do we do?
Comment 5 Andreas K. Hüttel gentoo-dev 2011-10-03 16:00:54 UTC
(In reply to comment #4)
> @kde
> 
> rekonq-0.7.92 pulls in kde-4.7.1 packages. What do we do?

Meh. Overlooked that. Please wait with rekonq. I'll have a closer look at the patches, maybe they can be ported to 0.7.0 somehow.
Comment 6 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-10-03 18:19:26 UTC
ppc stable
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2011-10-03 19:28:40 UTC
amd64 done
Comment 8 Thomas Kahle (RETIRED) gentoo-dev 2011-10-04 13:45:34 UTC
x86 done, not closing, please CC us again when you know about rekonq
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-10-04 14:43:59 UTC
Reverted to [ebuild] for rekonq.
Comment 10 Agostino Sarubbo gentoo-dev 2011-10-04 22:20:40 UTC
*** Bug 385667 has been marked as a duplicate of this bug. ***
Comment 11 Agostino Sarubbo gentoo-dev 2011-10-07 15:11:33 UTC
note that also net-im/psi is affected.
Reference: http://seclists.org/fulldisclosure/2011/Oct/352

Upstream appears a bit "dead", adding anyway, maintainers.
Comment 12 Andreas K. Hüttel gentoo-dev 2011-10-07 19:50:20 UTC
> not closing, please CC us again when you know about rekonq

About rekonq: 

The patches do not apply at all to the stable (and last kde-4.6) version; seems like these code parts have been completely rewritten with new files etc. 
We're going to decide at the KDE team meeting next friday (14 Oct, 20:00 UTC) on the stabilization of KDE 4.7.1. I suggest waiting until then.
Comment 13 Agostino Sarubbo gentoo-dev 2011-10-16 13:19:17 UTC
*** Bug 387273 has been marked as a duplicate of this bug. ***
Comment 14 Peter Volkov (RETIRED) gentoo-dev 2011-10-19 09:15:58 UTC
net-im/psi is fixed in 0.14-r3. Arch teams, please, stabilize it.
Comment 15 Jeroen Roovers gentoo-dev 2011-10-19 09:22:48 UTC
(In reply to comment #14)
> net-im/psi is fixed in 0.14-r3. Arch teams, please, stabilize it.

Please start doing this the way everyone else does:

Arch teams, please test and mark stable:
=net-im/psi-0.14-r3
Target KEYWORDS="amd64 arm hppa ppc ppc64 x86"
Comment 16 Agostino Sarubbo gentoo-dev 2011-10-19 10:57:39 UTC
> =net-im/psi-0.14-r3
> Target KEYWORDS="amd64 arm hppa ppc ppc64 x86"

amd64 ok
Comment 17 Peter Volkov (RETIRED) gentoo-dev 2011-10-19 11:41:15 UTC
I've committed =net-im/psi-0.14-r4 to fix bug 387655. Since I don't want to stabilize this package due to this minor change, arch teams, please, go with

=net-im/psi-0.14-r4
Target KEYWORDS="amd64 arm hppa ppc ppc64 x86"


> (In reply to comment #14)
> Please start doing this the way everyone else does:

Provide me with tools that do this consistently and I will. Now I do it manually, and to avoid typos and save some time I'd rather delegate this job to arch teams. Sorry.
Comment 18 Agostino Sarubbo gentoo-dev 2011-10-19 13:49:28 UTC
r4 also ok.
Comment 19 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-10-20 01:32:26 UTC
amd64:
=net-im/psi-0.14-r4 pass
Comment 20 Tony Vroon gentoo-dev 2011-10-20 13:20:33 UTC
+  20 Oct 2011; Tony Vroon <chainsaw@gentoo.org> psi-0.14-r4.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo &
+  Elijah "Armageddon" El Lazkani in security bug #384227.
Comment 21 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-10-22 16:00:48 UTC
ppc/ppc64 stable
Comment 22 Markus Meier gentoo-dev 2011-10-23 11:34:02 UTC
x86 stable
Comment 23 Andreas K. Hüttel gentoo-dev 2011-10-28 19:43:22 UTC
Depend on KDE-4.7.2 stabilization because of rekonq
Comment 24 Jeroen Roovers gentoo-dev 2011-11-11 16:12:13 UTC
Stable for HPPA.
Comment 25 Agostino Sarubbo gentoo-dev 2011-11-20 22:33:57 UTC
as per: https://secunia.com/advisories/46269/
arora is also affected
Comment 26 Davide Pesavento gentoo-dev 2011-11-21 00:32:23 UTC
(In reply to comment #25)
> as per: https://secunia.com/advisories/46269/
> arora is also affected

CC'ing qt.
Comment 27 Johannes Huber gentoo-dev 2011-12-12 23:19:03 UTC
<www-client/rekonq-0.7.92 removed from tree
Comment 28 GLSAMaker/CVETool Bot gentoo-dev 2011-12-13 00:23:23 UTC
CVE-2011-3367 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3367):
  Arora, possibly 0.11 and other versions, does not use a certain font when
  rendering certificate fields in a security dialog, which allows remote
  attackers to spoof the common name (CN) of a certificate via rich text.

CVE-2011-3366 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3366):
  Rekonq 0.7.0 and earlier does not use a certain font when rendering
  certificate fields in a security dialog, which allows remote attackers to
  spoof the common name (CN) of a certificate via rich text.

CVE-2011-3365 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3365):
  The KDE SSL Wrapper (KSSL) API in KDE SC 4.6.0 through 4.7.1, and possibly
  earlier versions, does not use a certain font when rendering certificate
  fields in a security dialog, which allows remote attackers to spoof the
  common name (CN) of a certificate via rich text.
Comment 29 Johannes Huber gentoo-dev 2012-02-21 12:55:26 UTC
<kde-base/kdelibs-{4.6.5-r2,4.6.3-r3} removed from tree.
Comment 30 Ben de Groot 2012-02-21 15:14:14 UTC
Since arora is dead upstream, I advise to remove it from the tree. 

(People who want a non-KDE Qt webkit browser should use qupzilla, for which I plan to provide an ebuild soon.)
Comment 31 Theo Chatzimichos (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2012-02-21 15:46:10 UTC
www-client/arora masked for removal
Comment 32 Luke-Jr 2012-02-23 20:54:45 UTC
Arora upstream is not entirely dead. The original lead developer retired, and mariuz stepped up to continue development: https://github.com/mariuz/arora
Comment 33 Ben de Groot 2012-02-24 05:24:53 UTC
(In reply to comment #32)
> Arora upstream is not entirely dead.

Last commit 7 months ago, no releases since 0.11. It doesn't look terribly alive to me. Does the git head solve this security problem? Is there anyone willing to maintain it?

Personally I think we should drop it in favor of Qupzilla (now in qt overlay).
Comment 34 Davide Pesavento gentoo-dev 2012-02-24 10:14:58 UTC
(In reply to comment #33)
> (In reply to comment #32)
> > Arora upstream is not entirely dead.
> 
> Last commit 7 months ago, no releases since 0.11. It doesn't look terribly
> alive to me. Does the git head solve this security problem? Is there anyone
> willing to maintain it?
> 
> Personally I think we should drop it in favor of Qupzilla (now in qt overlay).

+1
Comment 35 Agostino Sarubbo gentoo-dev 2012-02-24 10:17:17 UTC
(In reply to comment #34)
> (In reply to comment #33)
> > (In reply to comment #32)
> > > Arora upstream is not entirely dead.
> > 
> > Last commit 7 months ago, no releases since 0.11. It doesn't look terribly
> > alive to me. Does the git head solve this security problem? Is there anyone
> > willing to maintain it?
> > 
> > Personally I think we should drop it in favor of Qupzilla (now in qt overlay).
> 
> +1

goes well, me too for +1
Comment 36 Agostino Sarubbo gentoo-dev 2012-03-28 17:11:03 UTC
@security:

rekonq is fixed, and arora is not anymore in the main tree.
Comment 37 Davide Pesavento gentoo-dev 2012-03-28 17:14:15 UTC
Yep, www-client/arora has just been treecleaned.
I also pruned <net-im/psi-0.14-r4 as part of bug 311481 (ACK'ed by Nikoli).

Removing qt@g.o from CC, nothing else to do for us here.
Comment 38 Tim Sammut (RETIRED) gentoo-dev 2012-03-28 23:30:12 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 39 Andreas K. Hüttel gentoo-dev 2012-03-29 04:16:07 UTC
All vulnerable versions gone from the tree. Thanks everyone.
Comment 40 GLSAMaker/CVETool Bot gentoo-dev 2014-06-29 20:49:59 UTC
This issue was resolved and addressed in
 GLSA 201406-34 at http://security.gentoo.org/glsa/glsa-201406-34.xml
by GLSA coordinator Mikle Kolyada (Zlogene).