Bug 178606
| Field | Value |
|---|---|
| Summary | kdelibs multiple vulnerabilities (CAN-2005-0396, CAN-2005-0237, CAN-2005-0365, CAN-2005-1046, CAN-2005-1920, CVE-2006-0019) |
| Product | [Retired] Fedora Legacy |
| Reporter | David Eisenstein <deisenst> |
| Component | kdelibs |
| Assignee | Fedora Legacy Bugs <bugs> |
| Status | CLOSED ERRATA |
| Severity | urgent |
| Priority | high |
| Version | unspecified |
| CC | pekkas |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Whiteboard | impact=critical, LEGACY, rh73, rh90, 1, 2, 3 |
| Doc Type | Bug Fix |
| Last Closed | 2006-03-17 00:50:07 UTC |
| Bug Blocks | 179804 |
Description
David Eisenstein
2006-01-22 12:31:49 UTC
This bug affects Fedora Core 2 and Fedora Core 3 versions of kdelibs.

Reference: The Red Hat Security Team rated this a critical vulnerability.

Reference: <http://www.kde.org/info/security/advisory-20060119-1.txt>

"5. Patch:
Patch for KDE 3.4.0 - 3.5.0 is available from ftp://ftp.kde.org/pub/kde/security_patches :
ecc0ec13ce3b06e94e35aa8e937e02bf post-3.4.3-kdelibs-kjs.diff
Patch for KDE 3.2.0 - 3.3.2 is available from ftp://ftp.kde.org/pub/kde/security_patches :
9bca9b44ca2d84e3b2f85ffb5d30e047 post-3.2.3-kdelibs-kjs.diff"

Created attachment 123541 [details]
Listing of a bunch of other KDE vulnerabilities for multiple KDE components
Oh dear.
There are a *whole* *bunch* of other KDE vulnerabilities that Fedora Legacy
has not yet addressed, having been discovered since the last time we
published any KDE updates in February, 2005. A listing of them is attached.
Shall we fix all of them (including this one), or just this one? I'd appreciate
your input on this. Thanks.
-David
I think we should fix them all (at least those that RH fixed...). Only one QA to do, only one VERIFY to get...

These vulnerabilities affect kdelibs versions in Legacy distros:

CAN-2005-0396 - "Desktop Communication Protocol (DCOP) daemon, aka dcopserver, in KDE before 3.4 allows local users to cause a denial of service (dcopserver consumption) by 'stalling the DCOP authentication process.'" Affects RHL 7.3, RHL 9, FC1 & FC2.
Ref: <http://www.kde.org/info/security/advisory-20050316-1.txt>

CAN-2005-0237 - "The International Domain Name (IDN) support in Konqueror 3.2.1 on KDE 3.2.1 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks." Affects FC2 only.
Ref: <http://www.kde.org/info/security/advisory-20050316-2.txt>

CAN-2005-0365 - "The dcopidlng script in KDE 3.2.x and 3.3.x creates temporary files with predictable filenames, which allows local users to overwrite arbitrary files via a symlink attack." Affects FC2 only.
Ref: <http://www.kde.org/info/security/advisory-20050316-3.txt>

CAN-2005-1046 - "Buffer overflow in the kimgio library for KDE 3.4.0 allows remote attackers to execute arbitrary code via a crafted PCX image file." Affects FC2 only.
Ref: <http://www.kde.org/info/security/advisory-20050421-1.txt>, <http://www.kde.org/info/security/advisory-20050504-1.txt>.

CAN-2005-1920 - "The (1) Kate and (2) Kwrite applications in KDE 3.2.x through 3.4.0 do not properly set the same permissions on the backup file as were set on the original file, which could allow local users and possibly remote attackers to obtain sensitive information." Affects FC2 only.
Ref: <http://www.kde.org/info/security/advisory-20050718-1.txt>

CVE-2006-0019 (already mentioned) - "Heap-based buffer overflow in the encodeURI and decodeURI functions in the kjs JavaScript interpreter engine in KDE 3.2.0 through 3.5.0 allows remote attackers to execute arbitrary code via a crafted, UTF-8 encoded URI." Affects FC2 & FC3.
Ref: <http://www.kde.org/info/security/advisory-20060119-1.txt>.

Also see attachment 124098 [details] for summary info on these vulnerabilities.

Here are FC2 and FC3 source RPM packages to test for PUBLISH for kdelibs. RHL 7.3, RHL 9, and FC1 packages should soon follow.

The FC2 and FC3 packages take care of the critical CVE-2006-0019 kjs JavaScript bug, and are the only two of the five distros that are affected by that bug.

Please note that the patch for FC2's kimgio input validation vulnerability (CAN-2005-1046) was taken from a SUSE package, rather than from upstream. The upstream patches for this vulnerability at <ftp://ftp.kde.org/pub/kde/security_patches/post-3.3.2-kdelibs-kimgio-fixed.diff> do not apply to FC2's kdelibs-3.2.2-14.FC2 package. I compared SUSE's patch to the upstream, and they are the same patch, except the SUSE one is back-ported to not patch source files that do not appear in SUSE's kdelibs3 version 3.2.1 sources. Details about where the SUSE patch was obtained are in the first few lines of the patch file itself inside the .src.rpm, "post-3.3.2-kdelibs-kimgio-from-SUSE.diff".
FC2:
========= SHA1SUM ====================== ======== PACKAGE =================
all at http://petra.fedoralegacy.org/logs/fedora-2-core/71-kdelibs-3.2.2-14.FC2.2.legacy/i386/
Source:
43afa7d1306caa8c2f3430d07d4e8643f9637a36__kdelibs-3.2.2-14.FC2.2.legacy.src.rpm
i386 Binaries:
33ba5bf99afcbc6126717322e6ae75c8faa36c8f__kdelibs-3.2.2-14.FC2.2.legacy.i386.rpm
06f6f7a8a959fae61c21fa31e1bb0cf73179ab71__kdelibs-devel-3.2.2-14.FC2.2.legacy.i386.rpm

FC3:
========= SHA1SUM ====================== ======== PACKAGE =================
Source: http://petra.fedoralegacy.org/logs/fedora-3-core/34-kdelibs-3.4.2-1.fc3.1.legacy/i386/
de4206616ed443f8af14f9e50b40e52bac96fcd7__kdelibs-3.4.2-1.fc3.1.legacy.src.rpm
i386 Binaries: http://petra.fedoralegacy.org/logs/fedora-3-core/34-kdelibs-3.4.2-1.fc3.1.legacy/i386/
80e8dde5da4bde15317382b51d7ab140b6114db8__kdelibs-3.4.2-1.fc3.1.legacy.i386.rpm
d85bd8014904f22950113d1d341a5657c1571755__kdelibs-devel-3.4.2-1.fc3.1.legacy.i386.rpm
x86_64 Binaries: http://petra.fedoralegacy.org/logs/fedora-3-core/34-kdelibs-3.4.2-1.fc3.1.legacy/x86_64/
8fc8049f3237eb5d77066d0d1dde9fa5077854af__kdelibs-3.4.2-1.fc3.1.legacy.x86_64.rpm
9f81a09f1e524a998fbaa59adf97494f5be3bd2d__kdelibs-devel-3.4.2-1.fc3.1.legacy.x86_64.rpm

Changelogs:

FC2:
* Tue Feb 14 2006 David Eisenstein <deisenst> 6:3.2.2-14.FC2.2.legacy
- Make slight mod to Konqueror IDN patch, changing the paths in the patch, so it will apply correctly.
* Tue Feb 14 2006 David Eisenstein <deisenst> 6:3.2.2-14.FC2.1.legacy
- Applied patch for Konqueror International Domain Name Spoofing, CAN-2005-0237, #178606
- Patch for kimgio input validation errors, CAN-2005-1046, #178606
- Patch for Kate backup file permission leak, CAN-2005-1920, #178606
- Add critical patch for kjs encodeuri/decodeuri heap overflow vulnerability, CVE-2006-0019, #178606.
FC3:
* Wed Feb 08 2006 David Eisenstein <deisenst> 6:3.4.2-1.fc3.1.legacy
- Add fix for CVE-2006-0019, kjs encodeuri/decodeuri heap overflow vulnerability Bug #178606.

Created attachment 124668 [details]
Comment 6 as originally created that will PGP verify.

Here are RHL 7.3, RHL 9, and FC1 source RPM packages to test for PUBLISH for kdelibs. All rpms are at http://fedoralegacy.org/contrib/kdelibs/

========= SHA1SUM ====================== ======== PACKAGE =================
RHL 7.3:
Source:
cbc5c156d683c55c55644b5c33d9033c9b9e32f4__kdelibs-3.0.5a-0.73.7.legacy.src.rpm
i386 Binaries:
bf1c8b4676a66d60b37019d0e3c252ffa4b29646__kdelibs-3.0.5a-0.73.7.legacy.i386.rpm
ca9409387f32076804e7954d2eb1dc1e3008edd9__kdelibs-devel-3.0.5a-0.73.7.legacy.i386.rpm

RHL 9:
Source:
5409135b34be2851c1750e4187e317da5346614c__kdelibs-3.1-17.1.legacy.src.rpm
i386 Binaries:
2f7dcf887d87b0701659a74c0539844e9ebc2e92__kdelibs-3.1-17.1.legacy.i386.rpm
928fac746e07eb8f7f6015e95bf26405d482c058__kdelibs-devel-3.1-17.1.legacy.i386.rpm

FC1:
Source:
9d3829a8afa39604dea5d050b359a48bc11ee135__kdelibs-3.1.4-9.FC1.1.legacy.src.rpm
i386 Binaries:
b7b98435a7766215327bd6d6e0b9d496e9aadb4e__kdelibs-3.1.4-9.FC1.1.legacy.i386.rpm
b651dc4b07cfd25c775260d659f1d19e1ac6c942__kdelibs-devel-3.1.4-9.FC1.1.legacy.i386.rpm

Changelogs:

RHL 7.3:
* Fri Feb 23 2006 David Eisenstein <deisenst> 6:3.0.5a-0.73.7.legacy
- Add patch #26 for CAN-2005-0396, local DCOP denial of service vulnerability. Bugzilla #178606.

RHL 9:
* Fri Feb 23 2006 David Eisenstein <deisenst> 6:3.0.5a-0.73.7.legacy
- Add patch #106 for CAN-2005-0396, local DCOP denial of service vulnerability. Bugzilla #178606.
FC1:
* Fri Feb 24 2006 David Eisenstein <deisenst> 6:3.1.4-9.FC1.1.legacy
- Add patch #107 for CAN-2005-0396, local DCOP denial of service vulnerability. Bugzilla #178606.

Thanks!

QA w/ rpm-build-compare.sh:
- source integrity good
- spec file changes minimal
- patches verified to come from KDE upstream, SUSE or RHEL.

Was there a particular reason to use 'post-3.2.3-kdelibs-idn.patch' from KDE? I noted that RHEL used 'post-3.3.2-kdelibs-idn-2.patch', which is slightly different, but as both are "trusted" sources, this is probably good as it is..

+PUBLISH RHL73, RHL9, FC1, FC2, FC3
cbc5c156d683c55c55644b5c33d9033c9b9e32f4 kdelibs-3.0.5a-0.73.7.legacy.src.rpm
5409135b34be2851c1750e4187e317da5346614c kdelibs-3.1-17.1.legacy.src.rpm
9d3829a8afa39604dea5d050b359a48bc11ee135 kdelibs-3.1.4-9.FC1.1.legacy.src.rpm
43afa7d1306caa8c2f3430d07d4e8643f9637a36 kdelibs-3.2.2-14.FC2.2.legacy.src.rpm
de4206616ed443f8af14f9e50b40e52bac96fcd7 kdelibs-3.4.2-1.fc3.1.legacy.src.rpm

Thanks for the QA, Pekka! :-)

To answer your question:

(In reply to comment #9)
> Was there a particular reason to use 'post-3.2.3-kdelibs-idn.patch' from
> KDE? I noted that RHEL used 'post-3.3.2-kdelibs-idn-2.patch' is slightly
> different, but as both are "trusted" sources, this is probably good as it
> is..

Well, the Fedora Core 2 version of kdelibs is kdelibs-3.2.2, so I thought the 'post-3.2.3-...' would apply better than 'post-3.3.2-...'.
The KDE advisory for this issue says:

"A patch for KDE 3.2.x is available from ftp://ftp.kde.org/pub/kde/security_patches
611bad3cb9ae46ac35b907c7321da7aa post-3.2.3-kdelibs-idn.patch
A patch for KDE 3.3.x is available from ftp://ftp.kde.org/pub/kde/security_patches
b92182b7734e4ff145a08d9755448ec7 post-3.3.2-kdelibs-idn-2.patch"

Also, the 'post-3.3.2-...' patch patches the source file kdecore/network/kresolver.cpp. There is no such source file in the kdelibs-3.2.2.tar.gz. Just curious, which RHEL version were you referring to?

Instead of changing the path in the patch, I suppose I could have done a 'pushd-popd' combination surrounding the patch instruction for this patch in the specfile to do the same thing; but that didn't occur to me until after I'd already submitted and signed the sources. Guess what I did was okay, else you wouldn't have given a PUBLISH vote for it. ;-)

-David

Oh, Marc. All these packages were built on either petra or jane. All of the binaries are directly from one or another, signed by me. How do we need to handle pushing these to updates-testing? Are you okay with using the binaries I made, or do you prefer to recompile them yourself, or ...?

Your binaries are fine David. Packages were pushed to updates-testing. Timeout in 2 weeks.

Timeout over. Packages were pushed to updates.

Just for a matter of completeness and verification, I installed:
b7b98435a7766215327bd6d6e0b9d496e9aadb4e__kdelibs-3.1.4-9.FC1.1.legacy.i386.rpm
from comment #8 on my FC1 system (this is the same binary package as was published to updates-testing -> updates, except the latter were signed with the Fedora Legacy key), and they work just fine on my system.
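The publish requests above identify each package by a "sha1__filename" entry and the QA +PUBLISH vote repeats them as "sha1 filename"; the following Python is an added example (not code from this bug or from Fedora Legacy) that parses both forms, checks downloaded package bytes against the listing, and flags any package whose digest in the QA vote disagrees with the submission. Function names are my own, and the file contents used in the demo are constructed stand-ins rather than the real RPMs.

```python
import hashlib
import re

# A listing entry is "<sha1>__<package>.rpm" in the submitter's comments and
# "<sha1> <package>.rpm" in the QA +PUBLISH vote; both forms are accepted.
ENTRY_RE = re.compile(r"\b([0-9a-f]{40})(?:__|\s+)(\S+\.rpm)\b")


def parse_listing(text):
    """Map package filename -> expected SHA1 from a listing in either form."""
    return {pkg: digest for digest, pkg in ENTRY_RE.findall(text)}


def verify_packages(expected, files):
    """Check local package bytes against the listing.

    `files` maps filename -> bytes (what you would read from disk). Returns
    filename -> "ok" | "mismatch" | "missing"; files on disk that the listing
    never mentioned are reported as "unlisted" so they cannot slip through.
    """
    status = {}
    for name, digest in expected.items():
        data = files.get(name)
        if data is None:
            status[name] = "missing"
        else:
            actual = hashlib.sha1(data).hexdigest()
            status[name] = "ok" if actual == digest else "mismatch"
    for name in files:
        status.setdefault(name, "unlisted")
    return status


def cross_check(submitted, qa_vote):
    """Packages whose SHA1 in the QA vote is absent from, or differs from, the submission."""
    return {pkg for pkg, digest in qa_vote.items() if submitted.get(pkg) != digest}


if __name__ == "__main__":
    # Both strings are copied from this bug: the FC2 source entry in the submitter's
    # listing and the matching line of the QA +PUBLISH vote.
    submitted = parse_listing(
        "Source: 43afa7d1306caa8c2f3430d07d4e8643f9637a36__kdelibs-3.2.2-14.FC2.2.legacy.src.rpm"
    )
    vote = parse_listing("43afa7d1306caa8c2f3430d07d4e8643f9637a36 kdelibs-3.2.2-14.FC2.2.legacy.src.rpm")
    print("submission/vote disagreements:", cross_check(submitted, vote))
    # Constructed stand-in bytes (not the real RPM): the digest differs, so "mismatch".
    print(verify_packages(submitted, {"kdelibs-3.2.2-14.FC2.2.legacy.src.rpm": b"not the real rpm"}))
```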