Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 73869 - kde-base/kdebase Konqueror Window Injection Vulnerability
Summary: kde-base/kdebase Konqueror Window Injection Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/13254/
Whiteboard: A4 [glsa] jaervosz
Keywords:
Depends on: 74666
Blocks:
  Show dependency tree
 
Reported: 2004-12-08 23:57 UTC by Sune Kloppenborg Jeppesen
Modified: 2004-12-19 08:46 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
3.2.3 kdelibs patch (post-3.2.3-kdebase-htmlframes2.patch,1.64 KB, patch)
2004-12-12 10:28 UTC, Caleb Tennis (RETIRED)
no flags Details | Diff
3.2.3 kdelibs patch (post-3.2.3-kdelibs-htmlframes2.patch,1.18 KB, patch)
2004-12-12 10:29 UTC, Caleb Tennis (RETIRED)
no flags Details | Diff
3.2.3 kdebase patch (post-3.2.3-kdebase-htmlframes2.patch,1.64 KB, patch)
2004-12-12 10:29 UTC, Caleb Tennis (RETIRED)
no flags Details | Diff
3.3.2 kdebase patch (post-3.3.2-kdebase-htmlframes2.patch,1.57 KB, patch)
2004-12-12 10:29 UTC, Caleb Tennis (RETIRED)
no flags Details | Diff
3.3.2 kdelibs patch (post-3.3.2-kdelibs-htmlframes2.patch,1.20 KB, patch)
2004-12-12 10:29 UTC, Caleb Tennis (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2004-12-08 23:57:13 UTC
Secunia has reported a window injection vulnerability. Details in URL.

Secunia says 3.2.2-6 is vulnerable and another place that it affects Konqueror 3.x.

I can not recreate this problem with 3.3.1 and the Secunia test page.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-12-09 01:52:30 UTC
Unconfirmed. Ccing maintainer to confirm / keep track of upstream progress.
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-09 23:04:57 UTC
kde please test.
Comment 3 Caleb Tennis (RETIRED) gentoo-dev 2004-12-12 10:26:52 UTC
KDE Security Advisory: Konqueror Window Injection Vulnerability
Original Release Date: 2004-12-13
URL: http://www.kde.org/info/security/advisory-20041213-1.txt

0. References

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1158
        http://secunia.com/advisories/13254/
        http://secunia.com/secunia_research/2004-13/advisory
        
http://secunia.com/multiple_browsers_window_injection_vulnerability_test/
        http://bugs.kde.org/show_bug.cgi?id=94812
        http://www.kde.org/info/security/advisory-20040811-3.txt

1. Systems affected:

        All versions of KDE up to KDE 3.3.2 inclusive. 


2. Overview:

        The Konqueror webbrowser allows websites to load webpages into
        a window or tab currently used by another website.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2004-1158 to this issue.

        This vulnerability is similar to the Konqueror Frame Injection
        Vulnerability reported on 2004-08-11 but the solution offered
        as part of that advisory did not cover the window case.

3. Impact:

        A malicious website could abuse Konquer to load its own content
        into a window or tab that was opened by a trusted website or
        it could trick a trusted website into loading content into an
        existing window or tab. This may be abused to confuse the user
        about the origin of a certain webpage. As a result the user may
        unknowingly send confidential information intended for the trusted
        website to the malicious website.
                

4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.


5. Patch:

        Patches for KDE 3.2.3 are available from
        ftp://ftp.kde.org/pub/kde/security_patches : 

  4d61d568e822d781308caa73050930bd  post-3.2.3-kdelibs-htmlframes2.patch
  7340cfd22ee46a6d65e001179c082b08  post-3.2.3-kdebase-htmlframes2.patch

        Patches for KDE 3.3.2 are available from
        ftp://ftp.kde.org/pub/kde/security_patches : 

  d2e513a039ba44becf5728b983b78fc4  post-3.3.2-kdelibs-htmlframes2.patch
  31688394bea2dd685371d9d3da9ec2ab  post-3.3.2-kdebase-htmlframes2.patch


6. Time line and credits:


        19/11/2004 security@kde.org contacted by Secunia
	08/12/2004 Advisory & test case publishd by Secunia
        11/12/2004 Konqueror patches posted for review
	13/12/2004 KDE Advisory released


Comment 4 Caleb Tennis (RETIRED) gentoo-dev 2004-12-12 10:28:21 UTC
Created attachment 45833 [details, diff]
3.2.3 kdelibs patch
Comment 5 Caleb Tennis (RETIRED) gentoo-dev 2004-12-12 10:29:01 UTC
Created attachment 45834 [details, diff]
3.2.3 kdelibs patch
Comment 6 Caleb Tennis (RETIRED) gentoo-dev 2004-12-12 10:29:15 UTC
Created attachment 45835 [details, diff]
3.2.3 kdebase patch
Comment 7 Caleb Tennis (RETIRED) gentoo-dev 2004-12-12 10:29:29 UTC
Created attachment 45836 [details, diff]
3.3.2 kdebase patch
Comment 8 Caleb Tennis (RETIRED) gentoo-dev 2004-12-12 10:29:44 UTC
Created attachment 45837 [details, diff]
3.3.2 kdelibs patch
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-12 23:27:37 UTC
Perhaps we could combine this announcement with bug 72804(SMB Password disclosure)?
Comment 10 Caleb Tennis (RETIRED) gentoo-dev 2004-12-13 04:45:20 UTC
Combining it is fine with me.  Both kdelibs and kdebase from 3.2.3 and 3.3.2 will require a rev-bump - I'll get them in portage in a little bit.
Comment 11 Caleb Tennis (RETIRED) gentoo-dev 2004-12-13 07:25:14 UTC
The cumulative fix for this bug (and the SMB bug) are:

kde-base/kdelibs-3.2.3-r4
kde-base/kdebase-3.2.3-r3

kde-base/kdelibs-3.3.1-r2
kde-base/kdebase-3.3.1-r2

kde-base/kdelibs-3.3.2-r1
kde-base/kdebase-3.3.2-r1
Comment 12 Caleb Tennis (RETIRED) gentoo-dev 2004-12-13 08:50:02 UTC
Advisory is now public.

However, I just received this email:

Re: [DRAFT] Konqueror Window Injection Vulnerability


From: 
Than Ngo <than@redhat.com>
To: 
Waldo Bastian <bastian@kde.org>
CC: 
kde-packager <kde-packager@kde.org>

Date: 
Today 11:46:31 am


Waldo Bastian wrote:

>Draft, please review.
>
>Cheers,
>Waldo
>
>KDE Security Advisory: Konqueror Window Injection Vulnerability
>Original Release Date: 2004-12-13
>URL: http://www.kde.org/info/security/advisory-20041213-1.txt
>
> 
Comment 13 Caleb Tennis (RETIRED) gentoo-dev 2004-12-13 08:50:02 UTC
Advisory is now public.

However, I just received this email:

Re: [DRAFT] Konqueror Window Injection Vulnerability


From: 
Than Ngo <than@redhat.com>
To: 
Waldo Bastian <bastian@kde.org>
CC: 
kde-packager <kde-packager@kde.org>

Date: 
Today 11:46:31 am


Waldo Bastian wrote:

>Draft, please review.
>
>Cheers,
>Waldo
>
>KDE Security Advisory: Konqueror Window Injection Vulnerability
>Original Release Date: 2004-12-13
>URL: http://www.kde.org/info/security/advisory-20041213-1.txt
>
>  
>
Waldo,

it seems the testcase on 
http://secunia.com/multiple_browsers_window_injection_vulnerability_test/
does not work anymore. I cannot reproduce this problem with this 
tescase. It would seem CITI has fixed
the problem with their page.

Bressers (RH security team) has created a new working testcase today.

  http://people.redhat.com/bressers/spoof_test

It seems the problem still happens with the fix!

Than
Comment 14 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-13 11:29:28 UTC
Back to upstream status until this gets fixed.
Comment 15 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-14 03:49:46 UTC
Caleb any news on this one?
Comment 16 Caleb Tennis (RETIRED) gentoo-dev 2004-12-14 04:07:49 UTC
Yep, it was a false alarm.  They didn't have their test set up right.  It's all ready now.
Comment 17 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-14 08:07:48 UTC
ppc64 please mark stable asap.

Caleb if you change stable markings please note it on the bug.
Comment 18 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-15 22:50:25 UTC
ppc64 please mark stable asap. We're only waiting for you.
Comment 19 Markus Rothe (RETIRED) gentoo-dev 2004-12-16 12:10:58 UTC
kdemultimedia-3.3.2 doesn't compile at the moment on ppc64. I added a bug dependency for that.
Comment 20 Simone Gotti (RETIRED) gentoo-dev 2004-12-18 03:08:25 UTC
corsair: I think you need to mark stable kdemultimedia-3.3.1 e not 3.3.2 that is unstable everywhere.
Comment 21 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-18 03:24:37 UTC
corsair 3.3.2 should not be marked stable yet, only 3.3.1 and 3.2.3. Sorry for the confusion.
Comment 22 Markus Rothe (RETIRED) gentoo-dev 2004-12-18 05:13:19 UTC
ok.. my fault, but it would be nice if you could make your stabilazion request more clear the next time. something like "ppc64 please mark _3.3.1_ stable".

I'm currently merging kde-3.3.1. give my G5 a few hours and I'll mark it stable.

Markus
Comment 23 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-18 05:46:28 UTC
Markus not your fault, I should have noted that, sorry.
Comment 24 Markus Rothe (RETIRED) gentoo-dev 2004-12-18 14:46:33 UTC
finaly stable on ppc64...
Comment 25 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-19 08:46:04 UTC
GLSA 200412-16