About security at kde.org

Jeff Mitchell mitchell at kde.org
Sun Mar 21 03:29:26 GMT 2010


OK, thanks to the person who forwarded the info about which issue this was.

The person sent some information in Italian which Marco Martin
translated as the following:

[begin]
Good morning,

Attached there is a confidential document about a new technique that
shows the basis for potential attacks to Qt desktop applications.

We did some audits and it seems that all KDE Applications are vulnerable.

We'll do the technical public disclosure on March 16 2010 at the
Security Summit 2010 in Milan.

For any information please don't hesitate to contact me.
[end]

Richard Moore did an analysis of the information we were given and had
the following to say:

"As I said, I don't think there is a security issue though once I've
read the examples in more detail that may change. Processes running as
the user can inject these links, but they can also delete all the user's
files etc. There is an issue if external resources can create these
links in content that appears to be part of an application's chrome
however."

I suggested that if there was indeed a Qt flaw (which was affecting KDE
applications) that we should see if he submitted it upstream to Nokia,
as that would be the proper place. Richard responded:

"There's no flaw in Qt shown here. There could be circumstances where
there is a flaw in a particular application or kdelibs class however.
I need to read the example code in more detail to check what they
show."

Marco then followed up:

"Sorry if I did not get back to it before.
I've read the part about Qt attacks, and as Rich noted, they are all
about UI alteration; there doesn't seem to be anything related to code
execution.

As I said, if a translation of a piece is needed, no problem, but in the
text there is almost zero technical content; the only things remotely
useful are the code snippets."


So, the current state is: almost no technical content in the paper, a
claim that (partially as a result) cannot really be verified as a
security issue, and one that may be upstream of us if it actually exists
at all.

I guess nobody got back to him...not sure if this was forgotten about or
if nobody simply had anything to say.

--Jeff
