Re: CVE: Input validation failure affecting multiple KDE applications, as well as many other Qt-based applications

[Jeff Mitchell <mitchell () kde org>]

On 07/27/2011 04:57 PM, Steven M. Christey wrote:
> On Mon, 25 Jul 2011, Jeff Mitchell wrote:
>
> > The Arora and Rekonq web browsers are also vulnerable to the same attack
> > vector, and other Qt-based programs may be as well. We're working with
> > the Qt team to help enhance their documentation to warn developers to
> > take care sanitizing their inputs, but it's not actually a Qt flaw. So
> > we're a bit unsure how to proceed here.
>
> This sounds like a limitation of the Qt API, which can be avoided by
> programmers who are aware of the limitation.  Kind of like how strcpy()
> can be subject to buffer overflows, *if* the programmer isn't careful.
> Also happened with confusing return values from certain OpenSSL API
> functions a couple years ago.  (The PHP_SELF example is similar.)  So,
> this should probably get separate CVEs for each application/library that
> misuses the relevant function(s).

That sounds good. On the KDE side, this is kdelibs, Kleopatra, and
Konqueror.

> If Qt itself contains misuse of its own functions - which happens
> sometimes (CVE-2008-5077 for OpenSSL) - then Qt might need its own CVE,
> too.

As far as I'm aware Qt itself is not affected, but we've not done an
exhaustive analysis.

Thanks,
Jeff