
List:       oss-security
Subject:    [oss-security]  Re: Re: Some small KDE issues
From:       Raphael Geissert <geissert () debian ! org>
Date:       2009-12-17 4:26:25
Message-ID: hgcbtc$5ne$1 () ger ! gmane ! org

Tim Brown wrote:
[...]
> Retrospectively, I would go with CVEs for the following:
> 
> * Ark Uses KHTML For Rendering Unknown File Types

I don't think this is an issue on its own. 
Not disabling javascript could be treated as one.
I haven't tried myself, but can plugins be loaded? If that's so, then there's
a bigger risk here.

> * KMail Allows Attachment Spoofing

Just like the above.

> * Javascript Enabled On KHTML Based Views By Default

I wouldn't treat that as an issue, I would expect applications to disable
javascript appropriately.

> * KJS/KIO Slaves Enforcing Broken Same Origin Policy

Agreed.

> 
> Note that KDE's fix for the latter has caused some complaints, something
> that I suspect they were mindful of when we discussed the issues:
> 
> * http://forum.kde.org/viewtopic.php?f=18&t=83649

Sure, not allowing xmlhttprequest when the context and the request are both
file:// should have been expected to cause disruptions.

> 
> On top of this we have a raft of IO slave related vulnerabilities (which
> KDE, oCERT and Portcullis agreed about).  I'm not sure what the status of
> each of these is, as Thomas alluded to they were fixed at various times (I'm
> not even 100% sure they're all fixed now).  I would create another CVE for
> these.

Further investigation is needed. If they were fixed at different times they
might each deserve their own CVE.

> 
> Finally, there is the issue with KWallet which KDE never addressed.  The
> closest I got to an answer regarding this was that users complained too
> much even now about the matching, so adding additional restrictions was
> unwelcome.
> 

No matter what they say or do, this is an issue.

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
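The same-origin decision discussed above (XMLHttpRequest refused when both the document context and the request target are file://) can be modelled with a small origin-comparison function. This is an added illustration, not code from KDE, KHTML or the thread participants; it assumes the policy that every file:// document is an opaque origin sharing nothing with any other local file, and it uses the standard URL API so that http(s) origins are compared scheme/host/port with default ports normalised. The sample URLs are constructed.

```javascript
// Added example (not from the thread or from KDE): a minimal same-origin
// check that models the file:// restriction the message refers to.
// Assumption: file:// documents are opaque origins, so an XMLHttpRequest
// from a file:// context to any file:// target is denied. Over http(s),
// a request is allowed only when scheme, host and port all match.

// Return a comparable origin string, or null for an opaque (file://) origin.
function originOf(urlString) {
  const url = new URL(urlString);
  if (url.protocol === 'file:') {
    // Local files share no origin, not even with each other (assumed policy).
    return null;
  }
  // URL.origin already drops default ports (http:80, https:443).
  return url.origin;
}

// Decide whether a request issued from contextUrl to requestUrl is
// same-origin under the modelled policy.
function xhrAllowed(contextUrl, requestUrl) {
  const ctx = originOf(contextUrl);
  const req = originOf(requestUrl);
  // An opaque origin never equals anything, including itself.
  if (ctx === null || req === null) {
    return false;
  }
  return ctx === req;
}

// Constructed sample decisions. The first pair is the case that broke local
// documentation which loaded sibling files via XMLHttpRequest after the fix.
const samples = [
  ['file:///usr/share/doc/foo/index.html', 'file:///usr/share/doc/foo/data.xml'],
  ['http://example.test/app/', 'http://example.test/api/'],
  ['http://example.test/app/', 'https://example.test/api/'],
  ['http://example.test:80/app/', 'http://example.test/api/'],
];

function evaluateSamples() {
  return samples.map(([ctx, req]) => ({ ctx, req, allowed: xhrAllowed(ctx, req) }));
}

for (const d of evaluateSamples()) {
  console.log(`${d.allowed ? 'ALLOW' : 'DENY '} ${d.ctx} -> ${d.req}`);
}
```

The first sample is denied even though both URLs sit in the same directory, which is exactly why local help pages and similar file:// content that fetch neighbouring files with XMLHttpRequest stopped working once this rule was enforced.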
