oss-sec mailing list archives

Re: CVE: Input validation failure affecting multiple KDE applications, as well as many other Qt-based applications

From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Wed, 27 Jul 2011 16:57:32 -0400 (EDT)


On Mon, 25 Jul 2011, Jeff Mitchell wrote:

The Arora and Rekonq web browsers are also vulnerable to the same attack
vector, and other Qt-based programs may be as well. We're working with
the Qt team to help enhance their documentation to warn developers to
take care sanitizing their inputs, but it's not actually a Qt flaw. So
we're a bit unsure how to proceed here.

This sounds like a limitation of the Qt API, which can be avoided byprogrammers who are aware of the limitation. Kind of like how strcpy()can be subject to buffer overflows, *if* the programmer isn't careful.Also happened with confusing return values from certain OpenSSL APIfunctions a couple years ago. (The PHP_SELF example is similar.) So,this should probably get separate CVEs for each application/library thatmisuses the relevant function(s).

If Qt itself contains misuse of its own functions - which happenssometimes (CVE-2008-5077 for OpenSSL) - then Qt might need its own CVE,too.


- Steve

Current thread:

CVE: Input validation failure affecting multiple KDE applications, as well as many other Qt-based applications Jeff Mitchell (Jul 25)
- Re: CVE: Input validation failure affecting multiple KDE applications, as well as many other Qt-based applications Steven M. Christey (Jul 27)
  - Re: CVE: Input validation failure affecting multiple KDE applications, as well as many other Qt-based applications Jeff Mitchell (Jul 28)
    - Re: CVE: Input validation failure affecting multiple KDE applications, as well as many other Qt-based applications Josh Bressers (Jul 29)
    - Re: CVE: Input validation failure affecting multiple KDE applications, as well as many other Qt-based applications Jeff Mitchell (Jul 31)