| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <201110071035.51187.timb@nth-dimension.org.uk> Date: Fri, 7 Oct 2011 10:35:50 +0100 From: Tim Brown <timb@...-dimension.org.uk> To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: Low severity flaw in various applications including KSSL, Rekonq, Arora, Psi IM I recently discovered that various Qt applications including KSSL (the KDE class library responsible for SSL negotiation), Rekonq, Arora and Psi IM are vulnerable to UI spoofing due to their use of QLabel objects to render externally controlled security critical information. The primary area of concern at this time relates to the named applications SSL certificate dialogue UI however other similar dialogue boxes may also be vulnerable. After discussions with Nokia, KDE and the Rekonq developers the following CVEs have been assigned to this issue: * KSSL - CVE-2011-3365 * Rekonq - CVE-2011-3366 * Arora - CVE-2011-3367 Note that no CVE has yet been assigned to Psi IM. Nokia have also updated the QLabel class section of the Qt documentation to provide updated security information regarding this issue. -- Tim Brown <mailto:timb@...-dimension.org.uk> <http://www.nth-dimension.org.uk/> Download attachment "NDSA20111003.txt.asc" of type "application/pgp-signature" (6857 bytes) Download attachment "signature.asc " of type "application/pgp-signature" (837 bytes) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists