Bug 961981 (CVE-2013-2074)

Summary: CVE-2013-2074 kdelibs: prints passwords contained in HTTP URLs in error messages
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jgrulich, jreznik, kevin, ovasik, rdieter, smparrish, than
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 11:00:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 961982, 962001    
Bug Blocks:    

Description Vincent Danen 2013-05-10 21:26:00 UTC 
It was reported [1] that when KDE encounters an "internal server error" and also prints out the URL that caused the error that it would include the username and password (if supplied) to the resource that caused the error.  For instance, it would show "https://user:password@remotehost.com" or similar.  This is due to kioslave/http/http.cpp using m_request.url.url() rather than the sanitized m_request.url.prettyUrl().  This issue is fixed in git [2].

Note that this information is printed out to the local user actively using the computer.

[1] https://bugs.kde.org/show_bug.cgi?id=319428
[2] https://projects.kde.org/projects/kde/kdelibs/repository/revisions/65d736dab592bced4410ccfa4699de89f78c96ca/diff/kioslave/http/http.cpp
Comment 1 Vincent Danen 2013-05-10 21:27:11 UTC 
Created kdelibs tracking bugs for this issue

Affects: fedora-all [bug 961982]
Comment 2 Vincent Danen 2013-05-10 22:16:12 UTC 
This seems to go back as far as KDE3:

vdanen@cerberus:~/cvs-scratch/rhel/kdelibs/rhel-5.9/kdelibs-3.5.4/kioslave/http/ >% grep -n error http.cc|grep 'url.url'
2215:        error( ERR_DOES_NOT_EXIST, m_request.url.url() );
2220:        error( ERR_COULD_NOT_CONNECT, m_request.url.url() );
2894:              error(ERR_INTERNAL_SERVER, m_request.url.url());
2934:          error(ERR_DOES_NOT_EXIST, m_request.url.url());
Comment 4 Vincent Danen 2013-05-10 22:21:15 UTC 
Created kdelibs3 tracking bugs for this issue

Affects: fedora-all [bug 962001]
Comment 5 Vincent Danen 2013-05-11 05:23:56 UTC 
As per http://www.openwall.com/lists/oss-security/2013/05/11/2 this was assigned CVE-2013-2074.
Comment 6 Than Ngo 2013-05-13 16:25:28 UTC 
the fix was already committed into fedora branch
Comment 7 Fedora Update System 2013-05-27 03:28:00 UTC 
kdelibs3-3.5.10-53.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-05-29 00:55:23 UTC 
kdelibs3-3.5.10-53.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2013-05-29 00:58:17 UTC 
kdelibs3-3.5.10-53.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.