oss-sec mailing list archives
Re: CVE: Input validation failure affecting multiple KDE applications, as well as many other Qt-based applications
From: Jeff Mitchell <mitchell () kde org>
Date: Thu, 28 Jul 2011 08:35:23 -0400
On 07/27/2011 04:57 PM, Steven M. Christey wrote:
On Mon, 25 Jul 2011, Jeff Mitchell wrote:The Arora and Rekonq web browsers are also vulnerable to the same attack vector, and other Qt-based programs may be as well. We're working with the Qt team to help enhance their documentation to warn developers to take care sanitizing their inputs, but it's not actually a Qt flaw. So we're a bit unsure how to proceed here.This sounds like a limitation of the Qt API, which can be avoided by programmers who are aware of the limitation. Kind of like how strcpy() can be subject to buffer overflows, *if* the programmer isn't careful. Also happened with confusing return values from certain OpenSSL API functions a couple years ago. (The PHP_SELF example is similar.) So, this should probably get separate CVEs for each application/library that misuses the relevant function(s).
That sounds good. On the KDE side, this is kdelibs, Kleopatra, and Konqueror.
If Qt itself contains misuse of its own functions - which happens sometimes (CVE-2008-5077 for OpenSSL) - then Qt might need its own CVE, too.
As far as I'm aware Qt itself is not affected, but we've not done an exhaustive analysis. Thanks, Jeff
Current thread:
- CVE: Input validation failure affecting multiple KDE applications, as well as many other Qt-based applications Jeff Mitchell (Jul 25)
- Re: CVE: Input validation failure affecting multiple KDE applications, as well as many other Qt-based applications Steven M. Christey (Jul 27)
- Re: CVE: Input validation failure affecting multiple KDE applications, as well as many other Qt-based applications Jeff Mitchell (Jul 28)
- Re: CVE: Input validation failure affecting multiple KDE applications, as well as many other Qt-based applications Steven M. Christey (Jul 27)