[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201110071035.51187.timb@nth-dimension.org.uk>
Date: Fri, 7 Oct 2011 10:35:50 +0100
From: Tim Brown <timb@...-dimension.org.uk>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Low severity flaw in various applications including KSSL, Rekonq, Arora, Psi IM
I recently discovered that various Qt applications including KSSL (the KDE
class library responsible for SSL negotiation), Rekonq, Arora and Psi IM are
vulnerable to UI spoofing due to their use of QLabel objects to render
externally controlled security critical information. The primary area of
concern at this time relates to the named applications SSL certificate dialogue
UI however other similar dialogue boxes may also be vulnerable.
After discussions with Nokia, KDE and the Rekonq developers the following
CVEs have been assigned to this issue:
* KSSL - CVE-2011-3365
* Rekonq - CVE-2011-3366
* Arora - CVE-2011-3367
Note that no CVE has yet been assigned to Psi IM. Nokia have also
updated the QLabel class section of the Qt documentation to provide
updated security information regarding this issue.
--
Tim Brown
<mailto:timb@...-dimension.org.uk>
<http://www.nth-dimension.org.uk/>
Download attachment "NDSA20111003.txt.asc" of type "application/pgp-signature" (6857 bytes)
Download attachment "signature.asc " of type "application/pgp-signature" (837 bytes)
Powered by blists - more mailing lists