Bug 178606

Summary: kdelibs multiple vulnerabilities (CAN-2005-0396, CAN-2005-0237, CAN-2005-0365, CAN-2005-1046, CAN-2005-1920, CVE-2006-0019)
Product: [Retired] Fedora Legacy
Reporter: David Eisenstein <deisenst>
Component: kdelibs
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA
Severity: urgent
Priority: high
Version: unspecified
CC: pekkas
Target Milestone: ---
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=critical, LEGACY, rh73, rh90, 1, 2, 3
Doc Type: Bug Fix
Last Closed: 2006-03-17 00:50:07 UTC
Bug Blocks: 179804

Attachments:
- Listing of bunch of other KDE vulnerabilities for multiple KDE components (attachment 123541)
- Comment 6 as originally created that will PGP verify. (attachment 124668)

Description David Eisenstein 2006-01-22 12:31:49 UTC
+++ This bug was initially created as a clone of Bug #177618 +++

The KDE security team reported:

A heap overflow flaw was discovered affecting kjs, the Javascript
interpreter engine used by Konqueror and other parts of KDE. An attacker
who is able to execute javascript code could trigger this flaw potentially
leading to arbitrary code execution. The Common Vulnerabilities and
Exposures project assigned the name CAN-2006-0019 to this issue.

This issue does not affect RHEL2.1 or RHEL3

Embargoed until January 19th 2006

-- Additional comment from bugzilla on 2006-01-19 12:47 EST --

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0184.html


-- Additional comment from updates.com on 2006-01-20 11:56 EST --
From User-Agent: XML-RPC

kdelibs-3.5.0-0.4.fc4 has been pushed for FC4, which should resolve this issue.
If these problems are still present in this version, then please make note of
it in this bug report.

Comment 1 David Eisenstein 2006-01-22 12:35:50 UTC
This bug affects Fedora Core 2 and Fedora Core 3 versions of kdelibs.

Reference:


Comment 2 David Eisenstein 2006-01-22 15:05:03 UTC
The Red Hat Security Team rated this a critical vulnerability.

Reference:
   <http://www.kde.org/info/security/advisory-20060119-1.txt>

"5. Patch:

        Patch for KDE 3.4.0 - 3.5.0 is available from 
        ftp://ftp.kde.org/pub/kde/security_patches :

        ecc0ec13ce3b06e94e35aa8e937e02bf  post-3.4.3-kdelibs-kjs.diff

        Patch for KDE 3.2.0 - 3.3.2 is available from 
        ftp://ftp.kde.org/pub/kde/security_patches :

        9bca9b44ca2d84e3b2f85ffb5d30e047  post-3.2.3-kdelibs-kjs.diff"



Comment 3 David Eisenstein 2006-01-22 15:13:21 UTC
Created attachment 123541 [details]
Listing of bunch of other KDE vulnerabilities for multiple KDE components

Oh dear.

There are a *whole* *bunch* of other KDE vulnerabilities that Fedora Legacy
has not yet addressed, having been discovered since the last time we 
published any KDE updates in February, 2005.  A listing of them is attached.

Shall we fix all of them (including this one), or just this one?  I'd appreciate
your input on this.  Thanks.
    -David

Comment 4 Marc Deslauriers 2006-01-22 18:42:19 UTC
I think we should fix them all (at least those that RH fixed...). Only one QA to
do, only one VERIFY to get...

Comment 5 David Eisenstein 2006-02-03 09:31:28 UTC
These vulnerabilities affect kdelibs versions in Legacy distros:

CAN-2005-0396 - "Desktop Communication Protocol (DCOP) daemon, aka 
dcopserver, in KDE before 3.4 allows local users to cause a denial of 
service  (dcopserver consumption) by 'stalling the DCOP authentication 
process.'"   Affects RHL 7.3, RHL 9, FC1 & FC2.
    Ref: <http://www.kde.org/info/security/advisory-20050316-1.txt>

CAN-2005-0237 - "The International Domain Name (IDN) support in Konqueror
3.2.1 on KDE 3.2.1 allows remote attackers to spoof domain names using
punycode encoded domain names that are decoded in URLs and SSL certificates
in a way that uses homograph characters from other character sets, which
facilitates phishing attacks."  Affects FC2 only.
    Ref: <http://www.kde.org/info/security/advisory-20050316-2.txt>

CAN-2005-0365 - "The dcopidlng script in KDE 3.2.x and 3.3.x creates
temporary files with predictable filenames, which allows local users to
overwrite arbitrary files via a symlink attack."  Affects FC2 only.
    Ref: <http://www.kde.org/info/security/advisory-20050316-3.txt>

CAN-2005-1046 - "Buffer overflow in the kimgio library for KDE 3.4.0
allows remote attackers to execute arbitrary code via a crafted PCX image
file."  Affects FC2 only.
    Ref: <http://www.kde.org/info/security/advisory-20050421-1.txt>,
         <http://www.kde.org/info/security/advisory-20050504-1.txt>.

CAN-2005-1920 - "The (1) Kate and (2) Kwrite applications in KDE
3.2.x through 3.4.0 do not properly set the same permissions on the
backup file as were set on the original file, which could allow local
users and possibly remote attackers to obtain sensitive information."
Affects FC2 only.
    Ref: <http://www.kde.org/info/security/advisory-20050718-1.txt>

CVE-2006-0019 (already mentioned) - "Heap-based buffer overflow in the
encodeURI and decodeURI functions in the kjs JavaScript interpreter
engine in KDE 3.2.0 through 3.5.0 allows remote attackers to execute
arbitrary code via a crafted, UTF-8 encoded URI."  Affects FC2 & FC3.
    Ref: <http://www.kde.org/info/security/advisory-20060119-1.txt>.

Also see attachment 124098 [details] for summary info on these vulnerabilities.

Comment 6 David Eisenstein 2006-02-15 08:50:04 UTC

Here are FC2 and FC3 source RPM packages to test for PUBLISH for kdelibs.
RHL 7.3, RHL 9, and FC1 packages should soon follow.  The FC2 and FC3
packages take care of the critical CVE-2006-0019 kjs JavaScript bug, and
are the only two of the five distros that are affected by that bug.

Please note that the patch for FC2's kimgio input validation vulnerability
(CAN-2005-1046) was taken from a SUSE package, rather than from upstream.  
The upstream patches for this vulnerability at 
<ftp://ftp.kde.org/pub/kde/security_patches/post-3.3.2-kdelibs-kimgio-fixed.diff>
do not apply to FC2's kdelibs-3.2.2-14.FC2 package.

I compared SUSE's patch to the upstream, and they are the same patch,
except the SUSE one is back-ported to not patch source files that do not
appear in SUSE's kdelibs3 version 3.2.1 sources.  Details about where the
SUSE patch was obtained are in the first few lines of the patch file itself
inside the .src.rpm, "post-3.3.2-kdelibs-kimgio-from-SUSE.diff".

FC2:
========= SHA1SUM ======================  ======== PACKAGE =================
all at
http://petra.fedoralegacy.org/logs/fedora-2-core/71-kdelibs-3.2.2-14.FC2.2.legacy/i386/

Source:
43afa7d1306caa8c2f3430d07d4e8643f9637a36__kdelibs-3.2.2-14.FC2.2.legacy.src.rpm

i386 Binaries:
33ba5bf99afcbc6126717322e6ae75c8faa36c8f__kdelibs-3.2.2-14.FC2.2.legacy.i386.rpm
06f6f7a8a959fae61c21fa31e1bb0cf73179ab71__kdelibs-devel-3.2.2-14.FC2.2.legacy.i386.rpm


FC3:
========= SHA1SUM ======================  ======== PACKAGE =================

Source:
http://petra.fedoralegacy.org/logs/fedora-3-core/34-kdelibs-3.4.2-1.fc3.1.legacy/i386/
de4206616ed443f8af14f9e50b40e52bac96fcd7__kdelibs-3.4.2-1.fc3.1.legacy.src.rpm

i386 Binaries:
http://petra.fedoralegacy.org/logs/fedora-3-core/34-kdelibs-3.4.2-1.fc3.1.legacy/i386/
80e8dde5da4bde15317382b51d7ab140b6114db8__kdelibs-3.4.2-1.fc3.1.legacy.i386.rpm
d85bd8014904f22950113d1d341a5657c1571755__kdelibs-devel-3.4.2-1.fc3.1.legacy.i386.rpm

x86_64 Binaries:
http://petra.fedoralegacy.org/logs/fedora-3-core/34-kdelibs-3.4.2-1.fc3.1.legacy/x86_64/
8fc8049f3237eb5d77066d0d1dde9fa5077854af__kdelibs-3.4.2-1.fc3.1.legacy.x86_64.rpm
9f81a09f1e524a998fbaa59adf97494f5be3bd2d__kdelibs-devel-3.4.2-1.fc3.1.legacy.x86_64.rpm


Changelogs:
-----------
FC2:
* Tue Feb 14 2006 David Eisenstein <deisenst> 6:3.2.2-14.FC2.2.legacy
- Make slight mod to Konqueror IDN patch, changing the paths in the patch,
  so it will apply correctly.

* Tue Feb 14 2006 David Eisenstein <deisenst> 6:3.2.2-14.FC2.1.legacy
- Applied patch for Konqueror International Domain Name Spoofing,
  CAN-2005-0237, #178606
- Patch for kimgio input validation errors, CAN-2005-1046, #178606
- Patch for Kate backup file permission leak, CAN-2005-1920, #178606
- Add critical patch for kjs encodeuri/decodeuri heap overflow vulnerability,
  CVE-2006-0019, #178606.

FC3:
* Wed Feb 08 2006 David Eisenstein <deisenst> 6:3.4.2-1.fc3.1.legacy
- Add fix for CVE-2006-0019, kjs encodeuri/decodeuri heap overflow vulnerability
  Bug #178606.



Comment 7 David Eisenstein 2006-02-15 09:15:35 UTC
Created attachment 124668 [details]
Comment 6 as originally created that will PGP verify.

Comment 8 David Eisenstein 2006-02-26 14:25:53 UTC

Here are RHL 7.3, RHL 9, and FC1 source RPM packages to test for PUBLISH
for kdelibs.

All rpms are at http://fedoralegacy.org/contrib/kdelibs/

========= SHA1SUM ======================  ======== PACKAGE =================

RHL 7.3:
Source:
cbc5c156d683c55c55644b5c33d9033c9b9e32f4__kdelibs-3.0.5a-0.73.7.legacy.src.rpm

i386 Binaries:
bf1c8b4676a66d60b37019d0e3c252ffa4b29646__kdelibs-3.0.5a-0.73.7.legacy.i386.rpm
ca9409387f32076804e7954d2eb1dc1e3008edd9__kdelibs-devel-3.0.5a-0.73.7.legacy.i386.rpm

RHL 9:
Source:
5409135b34be2851c1750e4187e317da5346614c__kdelibs-3.1-17.1.legacy.src.rpm

i386 Binaries:
2f7dcf887d87b0701659a74c0539844e9ebc2e92__kdelibs-3.1-17.1.legacy.i386.rpm
928fac746e07eb8f7f6015e95bf26405d482c058__kdelibs-devel-3.1-17.1.legacy.i386.rpm

FC1:
Source:
9d3829a8afa39604dea5d050b359a48bc11ee135__kdelibs-3.1.4-9.FC1.1.legacy.src.rpm

i386 Binaries:
b7b98435a7766215327bd6d6e0b9d496e9aadb4e__kdelibs-3.1.4-9.FC1.1.legacy.i386.rpm
b651dc4b07cfd25c775260d659f1d19e1ac6c942__kdelibs-devel-3.1.4-9.FC1.1.legacy.i386.rpm


Changelogs:
-----------
RHL 7.3:
* Fri Feb 23 2006 David Eisenstein <deisenst> 6:3.0.5a-0.73.7.legacy
- Add patch #26 for CAN-2005-0396, local DCOP denial of service vulnerability.
  Bugzilla #178606.

RHL 9:
* Fri Feb 23 2006 David Eisenstein <deisenst> 6:3.0.5a-0.73.7.legacy
- Add patch #106 for CAN-2005-0396, local DCOP denial of service
  vulnerability.  Bugzilla #178606.

FC1:
* Fri Feb 24 2006 David Eisenstein <deisenst> 6:3.1.4-9.FC1.1.legacy
- Add patch #107 for CAN-2005-0396, local DCOP denial of service
  vulnerability.  Bugzilla #178606.

Thanks!



Comment 9 Pekka Savola 2006-02-27 08:40:02 UTC
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patches verified to come from KDE upstream, SUSE or RHEL.

Was there a particular reason to use 'post-3.2.3-kdelibs-idn.patch' from
KDE?  I noted that RHEL used 'post-3.3.2-kdelibs-idn-2.patch', which is slightly
different, but as both are "trusted" sources, this is probably good as it
is.

+PUBLISH RHL73, RHL9, FC1, FC2, FC3

cbc5c156d683c55c55644b5c33d9033c9b9e32f4  kdelibs-3.0.5a-0.73.7.legacy.src.rpm
5409135b34be2851c1750e4187e317da5346614c  kdelibs-3.1-17.1.legacy.src.rpm
9d3829a8afa39604dea5d050b359a48bc11ee135  kdelibs-3.1.4-9.FC1.1.legacy.src.rpm
43afa7d1306caa8c2f3430d07d4e8643f9637a36  kdelibs-3.2.2-14.FC2.2.legacy.src.rpm
de4206616ed443f8af14f9e50b40e52bac96fcd7  kdelibs-3.4.2-1.fc3.1.legacy.src.rpm

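The QA step above checks the built packages against the SHA1 listing posted in this bug. As an added example (not part of the bug and not a Fedora Legacy tool), here is a small POSIX shell script that converts a listing in the bug's `hash__package` format into the checksum-file form that `sha1sum -c` reads, verifies the files in a directory, and refuses to report success when nothing was checked; the function names and the constructed sample package are my own.

```shell
#!/bin/sh
# Added example (not a Fedora Legacy tool): verify a "SHA1__PACKAGE" listing
# of the kind posted in this bug against the .rpm files in a directory.
# Function names and the sample package contents below are assumptions.

# Turn "hash__filename" lines into the "hash  filename" form sha1sum -c reads.
# Header rows, URLs and blank lines do not match the pattern and are dropped.
listing_to_sums() {
    sed -n 's/^\([0-9a-f]\{40\}\)__\([^ ]*\.rpm\)$/\1  \2/p'
}

# verify_listing LISTING DIR
# Returns 0 only if every package named in LISTING exists in DIR with the
# listed SHA1; 1 on any mismatch or missing file; 2 if nothing was checked.
verify_listing() {
    listing=$1; dir=$2
    sums=$(mktemp) || return 2
    listing_to_sums < "$listing" > "$sums"
    # An empty checksum file must not pass as "all good".
    if ! [ -s "$sums" ]; then
        rm -f "$sums"; echo "no hash lines found in $listing" >&2; return 2
    fi
    if (cd "$dir" && sha1sum -c "$sums"); then rc=0; else rc=1; fi
    rm -f "$sums"
    return $rc
}

# Constructed demo: build a fake package, list it in the bug's format with the
# same header/URL noise, verify, then corrupt the file and verify again.
demo() {
    d=$(mktemp -d) || return 2
    pkg=kdelibs-3.4.2-1.fc3.1.legacy.i386.rpm   # name from the bug; contents are fake
    printf 'constructed sample payload\n' > "$d/$pkg"
    h=$(sha1sum "$d/$pkg" | cut -d' ' -f1)
    {
        echo '========= SHA1SUM ======================  ======== PACKAGE ================='
        echo 'http://petra.fedoralegacy.org/logs/fedora-3-core/34-kdelibs-3.4.2-1.fc3.1.legacy/i386/'
        echo "${h}__$pkg"
    } > "$d/listing.txt"
    verify_listing "$d/listing.txt" "$d" >/dev/null || { rm -rf "$d"; return 1; }
    printf 'tampered\n' >> "$d/$pkg"          # the file no longer matches its hash
    if verify_listing "$d/listing.txt" "$d" >/dev/null 2>&1; then rm -rf "$d"; return 1; fi
    rm -rf "$d"
    return 0
}
```

Run `demo` to see both the passing and the tampered case; for real use, point `verify_listing` at the saved comment text and the directory holding the downloaded RPMs.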

Comment 10 David Eisenstein 2006-02-27 13:52:00 UTC
Thanks for the QA, Pekka!  :-)

To answer your question:

(In reply to comment #9)
>                                               
> Was there a particular reason to use 'post-3.2.3-kdelibs-idn.patch' from
> KDE?  I noted that RHEL used 'post-3.3.2-kdelibs-idn-2.patch' is slightly
> different, but as both are "trusted" sources, this is probably good as it
> is..

Well, the Fedora Core 2 version of kdelibs is kdelibs-3.2.2, so I thought
the 'post-3.2.3-...' would apply better than 'post-3.3.2-...'.  The KDE advisory
for this issue says:

       "A patch for KDE 3.2.x is available from
        ftp://ftp.kde.org/pub/kde/security_patches

        611bad3cb9ae46ac35b907c7321da7aa  post-3.2.3-kdelibs-idn.patch

        A patch for KDE 3.3.x is available from
        ftp://ftp.kde.org/pub/kde/security_patches

        b92182b7734e4ff145a08d9755448ec7  post-3.3.2-kdelibs-idn-2.patch"

Also, the 'post-3.3.2-...' patch patches to source file kdecore/network/
kresolver.cpp.  There is no such source file in the kdelibs-3.2.2.tar.gz.
Just curious, which RHEL version were you referring to?

Instead of changing the path in the patch, I suppose I could have done a
'pushd-popd' combination surrounding the patch instruction for this patch
in the specfile to do the same thing; but that didn't occur to me until
after I'd already submitted and signed the sources.  Guess what I did
was okay, else you wouldn't have given a PUBLISH vote for it.  ;-)
   -David

Comment 11 David Eisenstein 2006-02-27 13:57:49 UTC
Oh, Marc.  All these packages were built on either petra or jane.  All of 
the binaries are directly from one or another, signed by me.

How do we need to handle pushing these to updates-testing?  Are you okay with
using the binaries I made, or do you prefer to recompile them yourself, or ...?

Comment 12 Marc Deslauriers 2006-03-02 01:15:29 UTC
Your binaries are fine David.

Packages were pushed to updates-testing.

Comment 13 Pekka Savola 2006-03-02 08:04:20 UTC
Timeout in 2 weeks.

Comment 14 Pekka Savola 2006-03-16 05:42:00 UTC
Timeout over.

Comment 15 Marc Deslauriers 2006-03-17 00:50:07 UTC
Packages were pushed to updates.

Comment 16 David Eisenstein 2006-03-20 07:43:29 UTC

Just for a matter of completeness and verification, I installed:

b7b98435a7766215327bd6d6e0b9d496e9aadb4e__kdelibs-3.1.4-9.FC1.1.legacy.i386.rpm

from comment #8 on my FC1 system (this is the same binary package as was
published to updates-testing -> updates, except the latter were signed with
the Fedora Legacy key), and they work just fine on my system.
