I'm probably not the right person to write this mail but someone
should do it... (excuse me)
Today we have a visit on IRC telling us about a security issue which
this person reported to security@kde.org; and as he got no response
the issue was published...
We aren't sure who is in charge of that mailbox, but maybe it should
be reviewed (or the policy of sending security issues to
security@kde.org).
I have a copy of the IRC log mentioning the person who complained and
the security issue webpage explaining the issue...
Some person should take care of this issue... the question is "who?"
Greetings
Dar
2010/3/20 Dar
On 3/20/2010 2:06 PM, Dar
2010/3/20 Jeff Mitchell:
Just so he doesn't get a dozen private emails from others about it:
I just emailed Jeff the IRC log with the relevant information.
Parker
OK, thanks to the person who forwarded the info about which issue this was.
The person sent some information in Italian which Marco Martin
translated as the following:
[begin]
Good morning,
Attached there is a confidential document about a new technique that
shows the basis for potential attacks on Qt desktop applications.
We did some audits and it seems that all KDE Applications are vulnerable.
We'll do the technical public disclosure on March 16 2010 at the
Security Summit 2010 in Milan.
For any information please don't hesitate to contact me.
[end]
Richard Moore did an analysis of the information we were given and had
the following to say:
"As I said, I don't think there is a security issue though once I've
read the examples in more detail that may change. Processes running as
the user can inject these links, but they can also delete all the user's
files etc. There is an issue if external resources can create these
links in content that appears to be part of an applications chrome
however."
I suggested that if there was indeed a Qt flaw (which was affecting KDE
applications) that we should see if he submitted it upstream to Nokia,
as that would be the proper place. Richard responded:
"There's no flaw in Qt shown here. There could be circumstances where
there is a flaw in a particular application or kdelibs class however.
I need to read the example code in more detail to check what they
show."
Marco then followed up:
"Sorry I did not get back to it before.
I've read the part about Qt attacks, and as Rich noted, they are all
about UI alteration; there doesn't seem to be anything related to code
execution.
As I said, if a translation of a piece is needed, no problem, but in the
text there is almost zero technical content; the only things remotely
useful are the code snippets."
So, the current state is: almost no technical content in the paper, a
claim that (partially as a result) cannot really be verified as a
security issue, and one that may be upstream of us if it actually exists
at all.
I guess nobody got back to him... not sure if this was forgotten about or
if nobody simply had anything to say.
--Jeff
That's my bad, I should have got back to him. As Jeff says though, the
paper did not appear to demonstrate a security issue.
Regards
Rich.
2010/3/21 Jeff Mitchell :
Please delete sysadmin from the cc list. sysadmin != security.
If the security alias needs to point to other addresses you can file a sysadmin bug report.
Best,
Toma