List: kde-announce
Subject: [kde-announce] KDE Project Security Advisory: Insufficient Input Validation By IO Slaves and Webkit
From: Albert Astals Cid <aacid () kde ! org>
Date: 2014-11-13 15:11:43
Message-ID: 1850584.khSt8fapl9 () xps
KDE Project Security Advisory
=============================
Title: Insufficient Input Validation By IO Slaves and Webkit Part
Risk Rating: Low
CVE: CVE-2014-8600
Platforms: All
Versions: kwebkitpart <= 1.3.4, kde-runtime <= 4.14.3, kio-extras <= 5.1.1
Author: Albert Astals Cid <aacid@kde.org>
Date: 13 November 2014
Overview
========
kwebkitpart and the bookmarks:// io slave were not sanitizing input correctly,
allowing some JavaScript to be executed in the context of the referenced hostname.
For example, going to
bookmarks://hhdhdhhdhdhdh.google.com/'><script>alert('bookmarks'+document.domain);</script>
in Konqueror makes a JavaScript alert pop up.
Impact
======
Whilst in most cases the JavaScript will be executed in an untrusted context, with
the bookmarks IO slave it will be executed in the context of the referenced
hostname. In the example above, this is hhdhdhhdhdhdh.google.com. It should however
be noted that KDE mitigates this risk by attempting to ensure that such URLs cannot
be embedded directly into Internet hosted content.
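The defect class described in the Overview and Impact sections is untrusted URL text being written verbatim into HTML that the IO slave generates, so that markup inside the URL becomes live script in the page. The following is an added, self-contained C++ illustration (not KDE's code, and not the patch referenced below): a hypothetical renderUnsafe() shows the vulnerable pattern, renderSafe() applies HTML escaping before interpolation, and containsRawScriptTag() is a trivial check a test suite could use to confirm the escaping holds. The sample URL is constructed from the one quoted above; the page template and function names are assumptions.

```cpp
#include <iostream>
#include <string>

// Constructed sample input, modelled on the URL quoted in the advisory.
const std::string kSampleUrl =
    "bookmarks://hhdhdhhdhdhdh.google.com/'><script>alert('bookmarks'+document.domain);</script>";

// Escape the characters that change meaning when untrusted text is placed
// into HTML text content or a quoted attribute value.
std::string htmlEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Hypothetical vulnerable pattern: the URL is interpolated into the generated
// page as-is, so any markup it carries is parsed by the browser engine.
std::string renderUnsafe(const std::string& url) {
    return "<html><body><a href='" + url + "'>" + url + "</a></body></html>";
}

// Hardened form: escape before interpolating, for both the attribute and the text node.
std::string renderSafe(const std::string& url) {
    const std::string e = htmlEscape(url);
    return "<html><body><a href='" + e + "'>" + e + "</a></body></html>";
}

// Simple regression check: no unescaped <script tag may survive in generated output.
bool containsRawScriptTag(const std::string& html) {
    return html.find("<script") != std::string::npos;
}

int main() {
    std::cout << "unsafe: " << renderUnsafe(kSampleUrl) << "\n";
    std::cout << "safe:   " << renderSafe(kSampleUrl) << "\n";
    std::cout << "unsafe contains raw <script: " << containsRawScriptTag(renderUnsafe(kSampleUrl)) << "\n";
    std::cout << "safe contains raw <script:   " << containsRawScriptTag(renderSafe(kSampleUrl)) << "\n";
    return 0;
}
```

Escaping at the point of output is the fix that matches the bug: it does not matter which part of the URL (host, path or fragment) carries the markup, because every byte that reaches the HTML template passes through htmlEscape() first.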
Solution
========
Update to newer versions of kwebkitpart, kde-runtime and kio-extras when released.
Meanwhile apply the following patches:
kwebkitpart
http://quickgit.kde.org/?p=kwebkitpart.git&a=commit&h=641aa7c75631084260ae89aecbdb625e918c6689
kde-runtime
http://quickgit.kde.org/?p=kde-runtime.git&a=commit&h=d68703900edc8416fbcd2550cd336cbbb76decb9
kio-extras
http://quickgit.kde.org/?p=kio-extras.git&a=commit&h=13155c8eb71d1c946bea21c38ea0f8ca7c7013cd
Credits
=======
Thanks to Tim Brown and Darron Burton of Portcullis Security for reporting
Thanks to David Faure and Martin Sandsmark for the patches