oss-sec mailing list archives

Re: Re: Some small KDE issues


From: Raphael Geissert <geissert () debian org>
Date: Wed, 16 Dec 2009 22:26:25 -0600

Tim Brown wrote:
[...]
Retrospectively, I would go with CVEs for the following:

* Ark Uses KHTML For Rendering Unknown File Types

I don't think this is an issue on its own.
Not disabling javascript could be treated as one.
I haven't tried myself, but can plugins be loaded? If that's so, then there's
a bigger risk here.

* KMail Allows Attachment Spoofing

Just like the above.

* Javascript Enabled On KHTML Based Views By Default

I wouldn't treat that as an issue, I would expect applications to disable
javascript appropriately.

* KJS/KIO Slaves Enforcing Broken Same Origin Policy

Agreed.


Note that KDE's fix for the latter has caused some complaints, something
that I suspect they were mindful of when we discussed the issues:

* http://forum.kde.org/viewtopic.php?f=18&t=83649

Sure, not allowing xmlhttprequest when the context and the request are both
file:// should have been expected to cause disruptions.


On top of this we have a raft of IO slave related vulnerabilities (which
KDE, oCERT and Portcullis agreed about).  I'm not sure what the status of
each of these is; as Thomas alluded to, they were fixed at various times
(I'm not even 100% sure they're all fixed now).  I would create another CVE
for these.

Further investigation is needed. If they were fixed at different times they
might each deserve their own CVE.


Finally, there is the issue with KWallet which KDE never addressed.  The
closest I got to an answer regarding this was that users complained too
much even now about the matching, so adding additional restrictions was
unwelcome.


No matter what they say or do, this is an issue.

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net


