Hi.

This was just announced.

I've opened a bug for it as well:
http://bugs.gentoo.org/show_bug.cgi?id=51274


-----Forwarded Message-----
From: Waldo Bastian <bastian@×××.org>
To: kde-announce@×××.org, bugtraq@×××××××××××××.com
Cc: security@×××.org, kde-packager@×××.org, vendor-sec@×××.de
Subject: [kde-announce] KDE Security Advisory: URI Handler Vulnerabilities
Date: Mon, 17 May 2004 13:02:01 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

KDE Security Advisory: URI Handler Vulnerabilities
Original Release Date: 2004-05-17
URL: http://www.kde.org/info/security/advisory-20040517-1.txt

0. References

http://www.idefense.com/application/poi/display?id=104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0411
http://www.securityfocus.com/archive/1/363225

1. Systems affected:

All versions of KDE up to KDE 3.2.2 inclusive.


2. Overview:

iDEFENSE identified a vulnerability in the Opera Web Browser
that could allow remote attackers to create or truncate
arbitrary files. The KDE team has found that similar
vulnerabilities exist in KDE.

The telnet, rlogin, ssh and mailto URI handlers in KDE do not
check for '-' at the beginning of the hostname passed, which
makes it possible to pass an option to the programs started
by the handlers.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0411 to this issue.


3. Impact:

A remote attacker could entice a user to open a carefully crafted
telnet URI which may either create or truncate a file anywhere
where the victim has permission to do so. In KDE 3.2 and later
versions the user is first explicitly asked to confirm the opening
of the telnet URI.

A remote attacker could entice a user to open a carefully crafted
mailto URI which may start the KMail program with its display
redirected to a remote machine under control of the attacker.
An attacker can then use this to gain full access to the victim's
personal files and account.

An attacker could entice a user to open a carefully crafted
mailto URI which may start the KMail program using a configuration
file specified by the attacker. If the attacker is able to install
arbitrary files somewhere on the machine, the attacker can include
commands in the configuration file which will be executed with the
privileges of the victim, allowing the attacker to gain full access
to the victim's personal files and account.

4. Solution:

Source code patches have been made available which fix these
vulnerabilities. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.


5. Patch:

Patches for KDE 3.0.5b are available from
ftp://ftp.kde.org/pub/kde/security_patches :

5c573853ec3f426d33c559958baa2169 post-3.0.5b-kdelibs-kapplication.patch
eaf9237b3af56b3b01df966b13fe2714 post-3.0.5b-kdelibs-ktelnetservice.patch

Patches for KDE 3.1.5 are available from
ftp://ftp.kde.org/pub/kde/security_patches :

7c2bda942c4183d4163eb3f47f22e0bc post-3.1.5-kdelibs-kapplication.patch
bde52aa0bba055c4f678540ec20bfe5a post-3.1.5-kdelibs-ktelnetservice.patch

Patches for KDE 3.2.2 are available from
ftp://ftp.kde.org/pub/kde/security_patches :

7cebc1abb3141287db618486fd679b32 post-3.2.2-kdelibs-kapplication.patch
52e0e955204a77781505d33b9a3c341d post-3.2.2-kdelibs-ktelnetservice.patch


6. Time line and credits:

02/04/2003 Exploit acquired by iDEFENSE
12/05/2004 Public disclosure of Opera vulnerability
13/05/2004 KDE Team informed by Martin Ostertag
13/05/2004 Patches created
14/05/2004 Vendors notified
14/05/2004 Patches created for mailto problem.
17/05/2004 Public advisory

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFAqJGON4pvrENfboIRAms1AJ4hAlt1Hq1Ar41XDmYnmOx4U9BnVQCcD5UY
4lO8evQJXo5R0Z9BGjkUXZQ=
=rj5C
-----END PGP SIGNATURE-----
_______________________________________________
kde-announce mailing list
kde-announce@×××.org
https://mail.kde.org/mailman/listinfo/kde-announce


--
gentoo-security@g.o mailing list
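The class of bug the advisory describes (a hostname taken from a URI and handed to telnet/ssh unchecked, so a leading '-' is read as an option) is fixed by validating the host before building the argument list. The following is an added example written for this post, not KDE's code or the contents of the listed patches; the function names, the argv layout and the accepted hostname syntax are assumptions.

```cpp
// Added example, not KDE's code: validate the host part of a "scheme://host[:port]"
// URI before it reaches an external program, so a leading '-' is never an option.
#include <cctype>
#include <string>
#include <vector>

// Accept only the characters a DNS hostname or dotted IPv4 literal may
// contain, and refuse a leading '-' outright. Userinfo ("user@") and
// IPv6 literals are deliberately not accepted by this check.
bool is_safe_host(const std::string& host) {
    if (host.empty() || host.size() > 253) return false;
    if (host.front() == '-') return false;
    for (unsigned char c : host) {
        if (!(std::isalnum(c) || c == '.' || c == '-')) return false;
    }
    return true;
}

// A port must be 1-5 digits in the range 1..65535.
bool is_safe_port(const std::string& port) {
    if (port.empty() || port.size() > 5) return false;
    for (unsigned char c : port) {
        if (!std::isdigit(c)) return false;
    }
    int n = std::stoi(port);
    return n >= 1 && n <= 65535;
}

// Parse the URI and fill argv with what the handler would pass to
// execvp(): program, host and (optionally) port, never raw URI text.
// Returns false when the URI must be rejected instead of launched.
bool build_argv(const std::string& uri, const std::string& program,
                std::vector<std::string>& argv) {
    argv.clear();
    const std::string sep = "://";
    std::string::size_type p = uri.find(sep);
    if (p == std::string::npos) return false;
    std::string rest = uri.substr(p + sep.size());
    rest = rest.substr(0, rest.find('/'));   // drop any path component
    std::string::size_type colon = rest.find(':');
    std::string host = rest.substr(0, colon);
    std::string port = (colon == std::string::npos) ? "" : rest.substr(colon + 1);
    if (!is_safe_host(host)) return false;
    if (!port.empty() && !is_safe_port(port)) return false;
    argv.push_back(program);
    argv.push_back(host);
    if (!port.empty()) argv.push_back(port);
    return true;
}
```

Passing the host as its own argv element (rather than through a shell) and rejecting it when it begins with '-' closes both the option-injection and the command-injection path; the port check keeps a second user-controlled argument equally constrained.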