Bug 332069 (CVE-2010-2536) - www-client/rekonq XSS (CVE-2010-2536)
Summary: www-client/rekonq XSS (CVE-2010-2536)
Status: RESOLVED FIXED
Alias: CVE-2010-2536
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: https://bugs.kde.org/show_bug.cgi?id=...
Whiteboard: ~4 [noglsa]
Reported: 2010-08-10 15:16 UTC by Alex Legler (RETIRED)
Modified: 2010-10-14 22:09 UTC

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-10 15:16:33 UTC
CVE-2010-2536 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2536):
  Multiple cross-site scripting (XSS) vulnerabilities in rekonq 0.5 and
  earlier allow remote attackers to inject arbitrary web script or HTML
  via (1) a URL associated with a nonexistent domain name, related to
  webpage.cpp, aka a "universal XSS" issue; (2) unspecified vectors
  related to webview.cpp; and the about: views for (3) favorites, (4)
  bookmarks, (5) closed tabs, and (6) history.
Comment 1 Theo Chatzimichos (RETIRED) archtester gentoo-dev Security 2010-10-14 14:59:22 UTC
I've added in tree www-client/rekonq-0.5-r1, which has a patch that fixes this security issue. The patch is taken from the upstream bug [1]; I've contacted upstream and they said that this patch is sufficient.

[1] https://bugs.kde.org/show_bug.cgi?id=217464
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-14 22:09:52 UTC
Thank you!

Closing noglsa, as there never was a stable version.