Gentoo Archives: gentoo-security

From: Eldad Zack <eldad@××××××××××××××.cx>
To: gentoo-security@l.g.o
Subject: [gentoo-security] [Fwd: [kde-announce] KDE Security Advisory: URI Handler Vulnerabilities]
Date: Mon, 17 May 2004 18:54:29
Message-Id: 1084797841.816.6.camel@warlock
Hi.

This was just announced.

I've opened a bug for it as well:
http://bugs.gentoo.org/show_bug.cgi?id=51274


-----Forwarded Message-----
From: Waldo Bastian <bastian@×××.org>
To: kde-announce@×××.org, bugtraq@×××××××××××××.com
Cc: security@×××.org, kde-packager@×××.org, vendor-sec@×××.de
Subject: [kde-announce] KDE Security Advisory: URI Handler Vulnerabilities
Date: Mon, 17 May 2004 13:02:01 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

KDE Security Advisory: URI Handler Vulnerabilities
Original Release Date: 2004-05-17
URL: http://www.kde.org/info/security/advisory-20040517-1.txt

0. References

http://www.idefense.com/application/poi/display?id=104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0411
http://www.securityfocus.com/archive/1/363225

1. Systems affected:

All versions of KDE up to KDE 3.2.2 inclusive.


2. Overview:

iDEFENSE identified a vulnerability in the Opera Web Browser
that could allow remote attackers to create or truncate
arbitrary files. The KDE team has found that similar
vulnerabilities exist in KDE.

The telnet, rlogin, ssh and mailto URI handlers in KDE do not
check for '-' at the beginning of the hostname passed, which
makes it possible to pass an option to the programs started
by the handlers.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0411 to this issue.


3. Impact:

A remote attacker could entice a user to open a carefully crafted
telnet URI which may either create or truncate a file anywhere
where the victim has permission to do so. In KDE 3.2 and later
versions the user is first explicitly asked to confirm the opening
of the telnet URI.

A remote attacker could entice a user to open a carefully crafted
mailto URI which may start the KMail program with its display
redirected to a remote machine under control of the attacker.
An attacker can then use this to gain full access to the victim's
personal files and account.

An attacker could entice a user to open a carefully crafted
mailto URI which may start the KMail program using a configuration
file specified by the attacker. If the attacker is able to install
arbitrary files somewhere on the machine, the attacker can include
commands in the configuration file which will be executed with the
privileges of the victim allowing the attacker to gain full access
to the victim's personal files and account.

4. Solution:

Source code patches have been made available which fix these
vulnerabilities. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.


5. Patch:

Patches for KDE 3.0.5b are available from
ftp://ftp.kde.org/pub/kde/security_patches :

5c573853ec3f426d33c559958baa2169 post-3.0.5b-kdelibs-kapplication.patch
eaf9237b3af56b3b01df966b13fe2714 post-3.0.5b-kdelibs-ktelnetservice.patch

Patches for KDE 3.1.5 are available from
ftp://ftp.kde.org/pub/kde/security_patches :

7c2bda942c4183d4163eb3f47f22e0bc post-3.1.5-kdelibs-kapplication.patch
bde52aa0bba055c4f678540ec20bfe5a post-3.1.5-kdelibs-ktelnetservice.patch

Patches for KDE 3.2.2 are available from
ftp://ftp.kde.org/pub/kde/security_patches :

7cebc1abb3141287db618486fd679b32 post-3.2.2-kdelibs-kapplication.patch
52e0e955204a77781505d33b9a3c341d post-3.2.2-kdelibs-ktelnetservice.patch


6. Time line and credits:

02/04/2003 Exploit acquired by iDEFENSE
12/05/2004 Public disclosure of Opera vulnerability
13/05/2004 KDE Team informed by Martin Ostertag
13/05/2004 Patches created
14/05/2004 Vendors notified
14/05/2004 Patches created for mailto problem.
17/05/2004 Public advisory

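As an added example that is not part of the forwarded advisory or of KDE's patches, a Python sketch of the check a URI handler should apply before launching telnet or ssh: the host is parsed out of the URI, rejected if it begins with '-' or is not a valid hostname or IPv4 literal, and only then placed after a '--' separator in an argv list. The program names and argv layout are assumptions.

```python
"""Added example (not KDE code): validate the host of a telnet:// or ssh:// URI
before it reaches an external program, so a leading '-' cannot become an option."""
import re
from urllib.parse import urlsplit

# RFC 1123 label: alphanumerics and '-', 1..63 chars, no leading/trailing '-'.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_PROGRAM = {"telnet": "telnet", "ssh": "ssh"}  # assumed binary names on PATH


class UnsafeHostError(ValueError):
    """The URI must not be handed to an external program."""


def validate_host(host: str) -> str:
    """Return host if it is a plain hostname or IPv4 literal, else raise."""
    if not host or len(host) > 253:
        raise UnsafeHostError("empty or overlong host: %r" % host)
    if host.startswith("-"):  # the CAN-2004-0411 pattern: host parsed as an option
        raise UnsafeHostError("host begins with '-': %r" % host)
    for label in host.rstrip(".").split("."):  # IPv6 literals are rejected
        if not _LABEL.match(label):
            raise UnsafeHostError("bad label %r in host %r" % (label, host))
    return host


def build_argv(uri: str) -> list:
    """Turn the URI into an argv list for an exec-style call (never a shell)."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in _PROGRAM:
        raise UnsafeHostError("unsupported scheme %r" % scheme)
    port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    host = validate_host(parts.hostname or "")
    argv = [_PROGRAM[scheme]]
    if scheme == "ssh":
        if parts.username and parts.username.startswith("-"):
            raise UnsafeHostError("username begins with '-': %r" % parts.username)
        argv += ["-l", parts.username] if parts.username else []
        argv += ["-p", str(port)] if port else []
    # '--' ends option parsing in getopt-style programs; defence in depth only,
    # since validate_host is what actually stops the option injection.
    argv += ["--", host]
    if scheme == "telnet" and port:
        argv.append(str(port))  # telnet takes the port as a second positional
    return argv


def is_safe_uri(uri: str) -> bool:
    try:
        build_argv(uri)
        return True
    except ValueError:  # UnsafeHostError, or urlsplit's own port ValueError
        return False
```

The resulting list is meant for an exec-style API such as subprocess with shell=False; passing it through a shell would reopen the problem.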