[Bug 857437] [NEW] Embargoed security issue (until 10/3)

Launchpad Bug Tracker 857437 at bugs.launchpad.net
Thu Oct 13 16:15:47 UTC 2011


*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Ubuntu QA's Bug Bot (crichton):

This is from the private KDE packagers mailing list.

Hello packagers,

This issue is embargoed until October 3rd.

On October 3rd we will release a security advisory (20111003-1)
regarding QLabel spoofing. Tim Brown of Nth Dimension
(timb at nth-dimension.org.uk) notified us that various dialog boxes are
able to be spoofed because QLabel's default behavior, rich text, is not
properly changed to plain text in important locations.

The CVEs are the following:

CVE-2011-3365 KDE KSSL
CVE-2011-3366 KDE Rekonq
CVE-2011-3367 Arora

As you can see, this affects multiple products, and not just KDE
products. At this time we have CVEs for KSSL, Rekonq, and Arora. I don't
have commit IDs for the last two, but I suggest checking with the
project maintainers or looking at their commit logs for the fixes
(keeping in mind the embargo, so private communication please).

The patch for KSSL for 4.6 is 9ca2b26fc67c3f921e1943c1725fca623e395854
and the patch for 4.7 is bd70d4e589711fda9ab07738c46e37eee8376214.

It is quite possible that Kleopatra will receive a CVE as well; I'll
update you on the status of that as I can.

Finally, we've been in touch with Qt maintainers. They will be posting a
blog article reminding developers to be careful with QLabel sanitizing,
and put a warning in the API documentation as well.

Thanks,
Jeff
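The mechanism behind the advisory above, as an added example that is not part of the bug report or of the KDE, Rekonq or Arora fixes: a QLabel left at its default Qt::AutoText format lets the string it displays decide whether it is treated as markup, so an attacker-controlled value such as a certificate subject can be rendered as formatted text that looks like part of the dialog. The code below is a plain-C++ model of that behavior (no Qt required) with a simplified stand-in for Qt::mightBeRichText(); the real Qt calls it mirrors are QLabel::setTextFormat(Qt::PlainText) and Qt::escape() in Qt 4 / QString::toHtmlEscaped() in Qt 5, and the sample certificate CN is constructed for the example.

```cpp
// Added example (not from the advisory): a self-contained model of how a
// QLabel treats its text, showing why the default Qt::AutoText format is the
// spoofing risk and what the two fixes (plain text, or escaping) achieve.
#include <cctype>
#include <iostream>
#include <string>

enum class TextFormat { AutoText, PlainText, RichText };

static bool isSpace(char c) { return std::isspace(static_cast<unsigned char>(c)) != 0; }
static bool isAlnum(char c) { return std::isalnum(static_cast<unsigned char>(c)) != 0; }

// Simplified stand-in for Qt::mightBeRichText() (assumption: the real
// heuristic is more elaborate, but like this one it accepts a tag that
// appears anywhere on the first line, not only at the start of the string).
static bool mightBeRichText(const std::string& s) {
    std::string::size_type open = s.find('<');
    std::string::size_type nl = s.find('\n');
    if (open == std::string::npos || (nl != std::string::npos && nl < open)) return false;
    std::string::size_type i = open + 1;
    if (i < s.size() && s[i] == '/') ++i;
    std::string::size_type nameStart = i;
    while (i < s.size() && isAlnum(s[i])) ++i;
    // a tag name followed by '>' or an attribute list counts as markup
    return i > nameStart && i < s.size() && (s[i] == '>' || isSpace(s[i]));
}

// Model of rich-text rendering: tags vanish from the visible text and the
// basic entities are decoded. (A real QLabel also applies the formatting the
// tags request, which is what makes the spoofed sentence look legitimate.)
static std::string renderRich(const std::string& s) {
    std::string out;
    for (std::string::size_type i = 0; i < s.size(); ++i) {
        if (s[i] == '<') {
            std::string::size_type close = s.find('>', i);
            if (close == std::string::npos) { out += s.substr(i); break; }
            i = close;
        } else if (s.compare(i, 4, "&lt;") == 0) { out += '<'; i += 3; }
        else if (s.compare(i, 4, "&gt;") == 0) { out += '>'; i += 3; }
        else if (s.compare(i, 5, "&amp;") == 0) { out += '&'; i += 4; }
        else if (s.compare(i, 6, "&quot;") == 0) { out += '"'; i += 5; }
        else out += s[i];
    }
    return out;
}

// What the user sees for a given text and format. AutoText, QLabel's
// default, is the dangerous case: the content chooses its own format.
static std::string display(const std::string& text, TextFormat fmt) {
    bool rich = fmt == TextFormat::RichText ||
                (fmt == TextFormat::AutoText && mightBeRichText(text));
    return rich ? renderRich(text) : text;
}

// Stand-in for Qt::escape() (Qt 4) / QString::toHtmlEscaped() (Qt 5): the fix
// to use when the label must stay rich text because it mixes trusted markup
// with an untrusted value.
static std::string escapeHtml(const std::string& s) {
    std::string out;
    for (char c : s) {
        switch (c) {
            case '&': out += "&amp;"; break;
            case '<': out += "&lt;"; break;
            case '>': out += "&gt;"; break;
            case '"': out += "&quot;"; break;
            default: out += c;
        }
    }
    return out;
}

// Constructed sample: a certificate subject CN under the attacker's control,
// as an SSL information dialog might display it.
static const std::string kUntrustedCn =
    "evil.example <b>Certificate verified by Trusted CA</b>";

int main() {
    // Vulnerable: default format, the markup is rendered and the user sees a
    // reassuring bold sentence instead of the raw subject.
    std::cout << "AutoText : " << display(kUntrustedCn, TextFormat::AutoText) << '\n';
    // Fix 1: label->setTextFormat(Qt::PlainText); the markup is shown verbatim.
    std::cout << "PlainText: " << display(kUntrustedCn, TextFormat::PlainText) << '\n';
    // Fix 2: escape the untrusted part before embedding it in trusted markup.
    std::cout << "Escaped  : "
              << display("<b>Issued to:</b> " + escapeHtml(kUntrustedCn), TextFormat::RichText)
              << '\n';
    return 0;
}
```

Of the two fixes, forcing Qt::PlainText is the one to reach for when the label shows nothing but the untrusted value, since it cannot be undone by a later string change; escaping is needed only where a single label deliberately combines trusted markup with untrusted data, and then every untrusted fragment has to go through the escape.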

** Affects: arora (Ubuntu)
     Importance: Undecided
         Status: Confirmed

** Affects: kde4libs (Ubuntu)
     Importance: Undecided
         Status: Confirmed

** Affects: rekonq (Ubuntu)
     Importance: Undecided
         Status: Fix Released


** Tags: patch
-- 
Embargoed security issue (until 10/3)
https://bugs.launchpad.net/bugs/857437
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.