qt: "/../" injection [LWN.net]

Package(s):

CVE #(s):

CVE-2007-0242

Created:

April 4, 2007

Updated:

September 13, 2007

Description:

Andreas Nolden discovered a bug in qt3, where the UTF8 decoder does not reject overlong sequences, which can cause "/../" injection or (in the case of konqueror) a "<script>" tag injection.

Alerts:

CentOS	CESA-2011:1324	2011-09-22
Scientific Linux	SL-qt4-20110921	2011-09-21
Red Hat	RHSA-2011:1324-01	2011-09-21
Red Hat	RHSA-2007:0883-01	2007-09-13
Debian	DSA-1292-1	2007-05-15
SuSE	SUSE-SR:2007:006	2007-04-13
Ubuntu	USN-452-1	2007-04-11
Mandriva	MDKSA-2007:075-1	2007-04-10
rPath	rPSA-2007-0066-1	2007-04-04
Slackware	SSA:2007-093-03	2007-04-04
Mandriva	MDKSA-2007:075	2007-04-03
Mandriva	MDKSA-2007:076	2007-04-03
Mandriva	MDKSA-2007:074	2007-04-03

(Log in to post comments)

qt: "/../" injection

Posted Apr 9, 2007 1:55 UTC (Mon) by jengelh (subscriber, #33263) [Link]

Funny how this could happen, given that the UTF-8 spec [or its summary description on internet pages, respectively] say that overlong sequences should be rejected to exactly not run into this problem.

UTF-8 redundancy

Posted Apr 12, 2007 11:39 UTC (Thu) by ldo (subscriber, #40946) [Link]

As I recall, the proscription against the use of redundant UTF-8 encodings was not in the original spec, it was added later when it became apparent that it broke security code that was doing pattern matches against a bytestream without understanding that it was UTF-8 encoded.

Personally, I have a fondness for encodings that avoid such redundancies altogether.