lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201110071035.51187.timb@nth-dimension.org.uk>
Date: Fri, 7 Oct 2011 10:35:50 +0100
From: Tim Brown <timb@...-dimension.org.uk>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Low severity flaw in various applications including KSSL, Rekonq, Arora, Psi IM

I recently discovered that various Qt applications including KSSL (the KDE 
class library responsible for SSL negotiation), Rekonq, Arora and Psi IM are 
vulnerable to UI spoofing due to their use of QLabel objects to render 
externally controlled security critical information.  The primary area of 
concern at this time relates to the named applications SSL certificate dialogue 
UI however other similar dialogue boxes may also be vulnerable.

After discussions with Nokia, KDE and the Rekonq developers the following
CVEs have been assigned to this issue:

* KSSL - CVE-2011-3365
* Rekonq - CVE-2011-3366
* Arora - CVE-2011-3367

Note that no CVE has yet been assigned to Psi IM.  Nokia have also
updated the QLabel class section of the Qt documentation to provide
updated security information regarding this issue.
-- 
Tim Brown
<mailto:timb@...-dimension.org.uk>
<http://www.nth-dimension.org.uk/>

Download attachment "NDSA20111003.txt.asc" of type "application/pgp-signature" (6857 bytes)

Download attachment "signature.asc " of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ