Bug 14582

Summary: kdebase4-runtime, kwebkitpart new security issue CVE-2014-8600
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: geiger.david68210, lmenut, olchal, rverschelde, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/622609/
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK MGA3-64-OK advisory
Source RPM: kdebase4-runtime-4.12.5-1.1.mga4.src.rpm, kwebkitpart-1.3.2-3.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-11-17 05:52:49 CET 
Upstream has issued an advisory on November 13:
https://www.kde.org/info/security/advisory-20141113-1.txt

The RedHat bug is here:
https://bugzilla.redhat.com/show_bug.cgi?id=1164293

kdebase4-runtime in Cauldron is also still affected (as far as I know).

Mageia 3 is also affected.  I don't know if we'll have time to get an update out for it (we can if we move fast), but it sounds like a very minor issue.

I've committed and built updates for kwebkitpart already, but kdebase4-runtime still needs to be addressed.  The "kde-runtime" commit linked in the advisory would be the one needed to fix the issue in kdebase4-runtime.

Packages built so far:
kwebkitpart-1.3.2-1.1.mga3
kwebkitpart-1.3.2-3.1.mga4

Reproducible: 

Steps to Reproduce:
David Walser 2014-11-17 05:53:03 CET

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-11-17 15:24:56 CET 
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

From the KDE advisory, the PoC is to enter this URL into Konqueror and see that it pops up a messagebox:
bookmarks://hhdhdhhdhdhdh.google.com/'><script>alert('bookmarks'+document.domain);</script>

Advisory:
========================

Updated kdebase4-runtime and kwebkitpart packages fix security vulnerability:

kwebkitpart and the bookmarks:// io slave were not sanitizing input correctly
allowing to some javascript being executed on the context of the referenced
hostname (CVE-2014-8600).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8600
https://www.kde.org/info/security/advisory-20141113-1.txt
https://bugzilla.redhat.com/show_bug.cgi?id=1164293
========================

Updated packages in core/updates_testing:
========================
kdebase4-runtime-4.10.5-1.2.mga3
kdebase4-runtime-handbook-4.10.5-1.2.mga3
nepomuk-4.10.5-1.2.mga3
kwallet-daemon-4.10.5-1.2.mga3
libkwalletbackend4-4.10.5-1.2.mga3
libmolletnetwork4-4.10.5-1.2.mga3
kdebase4-runtime-devel-4.10.5-1.2.mga3
kwebkitpart-1.3.2-1.1.mga3
kdebase4-runtime-4.12.5-1.2.mga4
kdebase4-runtime-handbook-4.12.5-1.2.mga4
nepomuk-4.12.5-1.2.mga4
kwallet-daemon-4.12.5-1.2.mga4
libkwalletbackend4-4.12.5-1.2.mga4
libmolletnetwork4-4.12.5-1.2.mga4
kdebase4-runtime-devel-4.12.5-1.2.mga4
kwebkitpart-1.3.2-3.1.mga4

from SRPMS:
kdebase4-runtime-4.10.5-1.2.mga3.src.rpm
kwebkitpart-1.3.2-1.1.mga3.src.rpm
kdebase4-runtime-4.12.5-1.2.mga4.src.rpm
kwebkitpart-1.3.2-3.1.mga4.src.rpm

CC: (none) => lmenut
Assignee: lmenut => qa-bugs
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 2 David Walser 2014-11-17 16:39:55 CET 
Verified that the PoC is fixed and Konqueror still works fine, Mageia 3 i586 and Mageia 4 i586.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK

Comment 3 David GEIGER 2014-11-18 20:13:43 CET 
Tested mga4_64, real hardware

Testing complete for the new kdebase4-runtime-4.12.5-1.2.mga4 and kwebkitpart-1.3.2-3.1.mga4 update, Ok for me.
All seems to work properly here and nothing to report.

I confirm that the PoC is fixed too here.

CC: (none) => geiger.david68210
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK

Comment 4 olivier charles 2014-11-18 21:47:59 CET 
Testing on Mageia 3-64 real HW

Current packages :
----------------
$ rpm -q kdebase4-runtime kwebkitpart
kdebase4-runtime-4.10.5-1.1.mga3
kwebkitpart-1.3.2-1.mga3

Could reproduce PoC.

Updated to testing packages :
---------------------------

- kdebase4-runtime-4.10.5-1.2.mga3.x86_64
- kdebase4-runtime-handbook-4.10.5-1.2.mga3.noarch
- kwallet-daemon-4.10.5-1.2.mga3.x86_64
- kwebkitpart-1.3.2-1.1.mga3.x86_64
- lib64kwalletbackend4-4.10.5-1.2.mga3.x86_64
- lib64molletnetwork4-4.10.5-1.2.mga3.x86_64
- nepomuk-4.10.5-1.2.mga3.x86_64

PoC fixed, KDE + Konqueror OK

CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK MGA3-64-OK

Comment 5 RĂ©mi Verschelde 2014-11-19 13:29:27 CET 
Validating. Advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK MGA3-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK MGA3-64-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 6 Mageia Robot 2014-11-21 13:46:00 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0478.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-11-21 19:02:11 CET

URL: (none) => http://lwn.net/Vulnerabilities/622609/