FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

kdelibs4, rekonq -- input validation failure

Affected packages
4.0.* <= kdelibs < 4.7.2
rekonq < 0.8.0

Details

VuXML ID 6d21a287-fce0-11e0-a828-00235a5f2c9a
Discovery 2011-10-03
Entry 2011-10-23

KDE Security Advisory reports:

The default rendering type for a QLabel is QLabel::AutoText, which uses heuristics to determine whether to render the given content as plain text or rich text. KSSL and Rekonq did not properly force their QLabels to use QLabel::PlainText. As a result, if given a certificate containing rich text in its fields, they would render the rich text. Specifically, a certificate containing a common name (CN) that has a table element will cause the second line of the table to be displayed. This can allow spoofing of the certificate's common name.
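An added example, not part of the KDE advisory and not code from kdelibs or rekonq: a Python audit that scans Qt C++ source for the pattern described above, a QLabel that receives non-literal text through setText() without ever being forced to Qt::PlainText. The C++ fragment is constructed for illustration, and the regex matching is an assumption-laden heuristic that covers setText() calls only, not text passed to the QLabel constructor.

```python
import re

# Constructed sample (Qt C++), not taken from kdelibs or rekonq.
SAMPLE_CPP = '''\
QLabel *cnLabel = new QLabel(this);
cnLabel->setText(cert.subjectInfo(QSslCertificate::CommonName));
QLabel *orgLabel = new QLabel(this);
orgLabel->setTextFormat(Qt::PlainText);
orgLabel->setText(cert.subjectInfo(QSslCertificate::Organization));
QLabel title;
title.setText(tr("Certificate details"));
'''

# Variable names declared as QLabel or QLabel* (locals or members).
DECL = re.compile(r'\bQLabel\s*\*?\s*(\w+)\s*[=(;]')
# label->setText(<argument>); or label.setText(<argument>);
SET_TEXT = re.compile(r'\b(\w+)\s*(?:->|\.)\s*setText\s*\((.*)\)\s*;')
# label->setTextFormat(Qt::PlainText): markup is shown literally.
PLAIN = re.compile(
    r'\b(\w+)\s*(?:->|\.)\s*setTextFormat\s*\(\s*Qt::PlainText\s*\)')
# A lone string literal, optionally wrapped in tr() or i18n(), is
# developer-controlled; anything else is treated as external data.
LITERAL = re.compile(r'^(?:(?:tr|i18n)\s*\(\s*)?"(?:[^"\\]|\\.)*"\s*\)?$')


def audit_qlabels(source):
    """Return (line_no, label, argument) for each setText() call that
    passes a non-literal value to a QLabel never set to Qt::PlainText.
    The PlainText check is file-wide, not flow-sensitive."""
    labels = set(DECL.findall(source))
    forced_plain = set(PLAIN.findall(source))
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        match = SET_TEXT.search(line)
        if not match:
            continue
        name, arg = match.group(1), match.group(2).strip()
        if (name in labels and name not in forced_plain
                and not LITERAL.match(arg)):
            findings.append((line_no, name, arg))
    return findings


if __name__ == "__main__":
    for line_no, name, arg in audit_qlabels(SAMPLE_CPP):
        print(f"line {line_no}: {name} renders {arg} with the default "
              f"AutoText format; call {name}->setTextFormat(Qt::PlainText)")
```

Each finding is a candidate for manual review: the fix is to set Qt::PlainText on the label before it displays certificate fields or other externally supplied strings.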

References

CVE Name CVE-2011-3365
CVE Name CVE-2011-3366
URL http://www.kde.org/info/security/advisory-20111003-1.txt
URL http://www.nth-dimension.org.uk/pub/NDSA20111003.txt.asc