About security at kde.org

Richard Moore richmoore44 at gmail.com
Mon Mar 22 12:56:49 GMT 2010

That's my bad, I should have got back to him. As Jeff says though, the
paper did not appear to demonstrate a security issue.



2010/3/21 Jeff Mitchell <mitchell at kde.org>:
> OK, thanks to the person who forwarded the info about which issue this was.
> The person sent some information in Italian which Marco Martin
> translated as the following:
> [begin]
> Good morning,
> Attached there is a confidential document about a new tecnique that
> shows the basis for potential attacks to Qt desktop applications.
> We did some audits and seems that all KDE Applications are vulnerable.
> We'll do the technical public disclosure on March 16 2010 at the
> Security Summit 2010 in Milan.
> For any information please don't hesitate to contact me.
> [end]
> Richard Moore did an analysis of the information we were given and had
> the following to say:
> "As I said, I don't think there is a security issue though once I've
> read the examples in more detail that may change. Processes running as
> the user can inject these links, but they can also delete all the user's
> files etc. There is an issue if external resources can create these
> links in  content that appears to be part of an applications chrome
> however."
> I suggested that if there was indeed a Qt flaw (which was affecting KDE
> applications) that we should see if he submitted it upstream to Nokia,
> as that would be the proper place. Richard responded:
> "There's no flaw in Qt shown here. There could be circumstances where
> there is a flaw in a particular application or kdelibs class however.
> I need to read the example code in more detail to check what they
> show."
> Marco then followed up:
> "sorry if i did not got back before to it.
> I've read the part about Qt attacks, and as Rich noted, they are all
> about ui alteration, doesn't seems to be anything related to code
> execution.
> as i said if a translation of a piece is needed no problem, but in the
> text there is almost zero technical content, only things remotely
> useful are the code snippets."
> So, the current state is: almost no technical content in the paper, a
> claim that (partially as a result) cannot really be verified as a
> security issue, and one that may be upstream of us if it actually exists
> at all.
> I guess nobody got back to him...not sure if this was forgotten about or
> if nobody simply had anything to say.
> --Jeff

More information about the kde-core-devel mailing list