[Bug 857437] Re: Embargoed security issue (until 10/3)

Jamie Strandboge jamie at ubuntu.com
Fri Oct 14 17:18:35 UTC 2011


arora is only affected if qt is compiled without ssl support. Marking
"Won't Fix".

** Changed in: arora (Ubuntu)
       Status: In Progress => Won't Fix

** Changed in: arora (Ubuntu)
     Assignee: Jamie Strandboge (jdstrand) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/857437

Title:
  Embargoed security issue (until 10/3)

Status in “arora” package in Ubuntu:
  Won't Fix
Status in “kde4libs” package in Ubuntu:
  In Progress
Status in “rekonq” package in Ubuntu:
  Fix Released

Bug description:
  This is from the private KDE packagers mailing list.

  Hello packagers,

  This issue is embargoed until October 3rd.

  On October 3rd we will release a security advisory (20111003-1)
  regarding QLabel spoofing. Tim Brown of Nth Dimension
  (timb at nth-dimension.org.uk) notified us that various dialog boxes are
  able to be spoofed because QLabel's default behavior, rich text, is not
  properly changed to plain text in important locations.

  The CVEs are the following:

  CVE-2011-3365 KDE KSSL
  CVE-2011-3366 KDE Rekonq
  CVE-2011-3367 Arora

  As you can see, this affects multiple products, and not just KDE
  products. At this time we have CVEs for KSSL, Rekonq, and Arora. I don't
  have commit IDs for the last two, but I suggest checking with the
  project maintainers or looking at their commit logs for the fixes
  (keeping in mind the embargo, so private communication please).

  The patch for KSSL for 4.6 is 9ca2b26fc67c3f921e1943c1725fca623e395854
  and the patch for 4.7 is bd70d4e589711fda9ab07738c46e37eee8376214.

  It is quite possible that Kleopatra will receive a CVE as well; I'll
  update you on the status of that as I can.

  Finally, we've been in touch with Qt maintainers. They will be posting a
  blog article reminding developers to be careful with QLabel sanitizing,
  and put a warning in the API documentation as well.

  Thanks,
  Jeff

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/arora/+bug/857437/+subscriptions
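The QLabel issue the advisory describes, as an added example that is not part of the bug report or of KDE/Qt code: a plain C++ model (no Qt dependency) of a label in its default Qt::AutoText mode beside the same label forced to plain text, plus the escaping a rich-text label needs when it shows untrusted strings such as a certificate hostname. The rich-text detection and rendering here are simplified stand-ins for Qt's behaviour, and the function names are constructed for the example.

```cpp
#include <cctype>
#include <string>
// Rough stand-in for QLabel's Qt::AutoText detection: a leading "<tag" counts as
// rich text. (Assumption: approximates Qt::mightBeRichText, not the real heuristic.)
bool looksLikeRichText(const std::string& text) {
    size_t i = 0;
    while (i < text.size() && std::isspace(static_cast<unsigned char>(text[i]))) ++i;
    return i + 1 < text.size() && text[i] == '<' &&
           (std::isalpha(static_cast<unsigned char>(text[i + 1])) || text[i + 1] == '/');
}
// What the user sees. Auto mode interprets markup (modelled here by consuming the
// tags, standing in for the styling they would apply); plain-text mode shows every
// byte literally, which is what setTextFormat(Qt::PlainText) achieves on a QLabel.
std::string renderLabel(const std::string& text, bool plainText) {
    if (plainText || !looksLikeRichText(text)) return text;
    std::string shown;
    bool inTag = false;
    for (char c : text) {
        if (c == '<') inTag = true;
        else if (c == '>') inTag = false;
        else if (!inTag) shown += c;
    }
    return shown;
}
// Escape the characters with rich-text meaning, as Qt 4's Qt::escape and Qt 5's
// QString::toHtmlEscaped do, for labels that must stay in rich-text mode.
std::string escapeHtml(const std::string& text) {
    std::string out;
    for (char c : text) {
        switch (c) {
            case '&': out += "&amp;"; break;
            case '<': out += "&lt;"; break;
            case '>': out += "&gt;"; break;
            case '"': out += "&quot;"; break;
            default:  out += c;
        }
    }
    return out;
}
// Vulnerable: an untrusted peer name dropped into a default (AutoText) label,
// so markup inside the name is applied and the dialog can be restyled.
std::string vulnerableDialogText(const std::string& untrustedName) {
    return renderLabel(untrustedName, false);
}
// Hardened: the same label forced to plain text, so markup is displayed, not applied.
std::string hardenedDialogText(const std::string& untrustedName) {
    return renderLabel(untrustedName, true);
}
```

The constructed input `<b>bank.example</b>` shows the difference: the vulnerable label hides the tags and applies them, the hardened label shows them verbatim so the spoof is visible.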
