List: oss-security
Subject: [oss-security] Re: Re: Some small KDE issues
From: Raphael Geissert <geissert () debian ! org>
Date: 2009-12-17 4:26:25
Message-ID: hgcbtc$5ne$1 () ger ! gmane ! org
Tim Brown wrote:
[...]
> Retrospectively, I would go with CVEs for the following:
>
> * Ark Uses KHTML For Rendering Unknown File Types
I don't think this is an issue on its own.
Not disabling javascript could be treated as one.
I haven't tried myself, but can plugins be loaded? If that's so then there's
a bigger risk here.
> * KMail Allows Attachment Spoofing
Just like the above.
> * Javascript Enabled On KHTML Based Views By Default
I wouldn't treat that as an issue, I would expect applications to disable
javascript appropriately.
> * KJS/KIO Slaves Enforcing Broken Same Origin Policy
Agreed.
>
> Note that KDE's fix for the latter has caused some complaints, something
> that I suspect they were mindful of when we discussed the issues:
>
> * http://forum.kde.org/viewtopic.php?f=18&t=83649
Sure, not allowing xmlhttprequest when the context and the request are both
file:// should have been expected to cause disruptions.
>
> On top of this we have a raft of IO slave related vulnerabilities (which
> KDE, oCERT and Portcullis agreed about). I'm not sure what the status of
> each of these is, as Thomas alluded to they were fixed at various times
> (I'm not even 100% sure they're all fixed now). I would create another CVE
> for these.
Further investigation is needed. If they were fixed at different times they
might each deserve their own CVE.
>
> Finally, there is the issue with KWallet which KDE never addressed. The
> closest I got to an answer regarding this was that users complained too
> much even now about the matching, so adding additional restrictions was
> unwelcome.
>
No matter what they say or do, this is an issue.
Regards,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net