Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200405-11 ] KDE URI Handler Vulnerabilities
Date: Wed, 19 May 2004 18:45:55
Message-Id: 40ABAB27.3090604@gentoo.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200405-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: KDE URI Handler Vulnerabilities
      Date: May 19, 2004
      Bugs: #51276
        ID: 200405-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Vulnerabilities in KDE URI handlers make your system vulnerable to
various attacks.

Background
==========

The K Desktop Environment (KDE) is a powerful Free Software graphical
desktop environment. KDE makes use of URI handlers to trigger various
programs when specific URLs are received.

Affected packages
=================

    -------------------------------------------------------------------
     Package           /  Vulnerable  /                     Unaffected
    -------------------------------------------------------------------
  1  kde-base/kdelibs      <= 3.2.2                        >= 3.2.2-r1
                                                            = 3.1.5-r1

Description
===========

The telnet, rlogin, ssh and mailto URI handlers in KDE do not check for
'-' at the beginning of the hostname passed. By crafting a malicious
URI and enticing a user to click on it, it is possible to pass an option
to the programs started by the handlers (typically telnet, kmail...).
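
Added example, not part of the advisory and not the kdelibs fix: one way
a URI handler can refuse a host or user name that would be read as an
option before it starts a client. It covers the host-based schemes
(telnet, rlogin, ssh) only; build_argv, classify, the scheme-to-program
mapping and the sample URIs are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Schemes named in the advisory that start a host-based client. The
# scheme-to-program mapping and the argv layout are assumptions.
CLIENTS = {"telnet": "telnet", "rlogin": "rlogin", "ssh": "ssh"}
SAFE_HOST = re.compile(r"[a-z0-9][a-z0-9.:-]*")
SAFE_USER = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]*")


class UnsafeURI(ValueError):
    """The URI must not be handed to an external program."""


def build_argv(uri):
    """Return argv for a telnet/rlogin/ssh URI, or raise UnsafeURI."""
    try:
        parts = urlsplit(uri)
        raw_host, raw_user = parts.hostname, parts.username
    except ValueError as exc:  # malformed authority component
        raise UnsafeURI(str(exc))
    program = CLIENTS.get(parts.scheme)
    if program is None:
        raise UnsafeURI("unsupported scheme %r" % parts.scheme)
    # Decode percent-escapes before checking, so "%2D" is seen as "-".
    host = unquote(raw_host or "")
    user = unquote(raw_user or "")
    if host.startswith("-") or user.startswith("-"):
        raise UnsafeURI("host or user begins with '-'")
    if not SAFE_HOST.fullmatch(host):
        raise UnsafeURI("unexpected characters in host")
    if user and not SAFE_USER.fullmatch(user):
        raise UnsafeURI("unexpected characters in user")
    target = user + "@" + host if user and program == "ssh" else host
    # List argv for exec without a shell; "--" is not relied upon.
    return [program, target]


def classify(uri):
    """Return the argv list, or None when the URI is refused."""
    try:
        return build_argv(uri)
    except UnsafeURI:
        return None


if __name__ == "__main__":
    for uri in ("telnet://host.example/", "telnet://-opt.example/"):  # constructed
        print(uri, "->", classify(uri))
```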

Impact
======

If the attacker controls the options passed to the URI handling
programs, it becomes possible for example to overwrite arbitrary files
(possibly leading to denial of service), to open kmail on an
attacker-controlled remote display or with an alternate configuration
file (possibly leading to control of the user account).

Workaround
==========

There is no known workaround at this time. All users are advised to
upgrade to a corrected version of kdelibs.

Resolution
==========

Users of KDE 3.1 should upgrade to the corrected version of kdelibs:

    # emerge sync

    # emerge -pv "=kde-base/kdelibs-3.1.5-r1"
    # emerge "=kde-base/kdelibs-3.1.5-r1"

Users of KDE 3.2 should upgrade to the latest available version of
kdelibs:

    # emerge sync

    # emerge -pv ">=kde-base/kdelibs-3.2.2-r1"
    # emerge ">=kde-base/kdelibs-3.2.2-r1"

References
==========

  [ 1 ] CAN-2004-0411
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0411

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

    http://security.gentoo.org/glsa/glsa-200405-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0