Adrian Panasiuk discovered that the KDirStat (KDE Directory Statistics) tool did not correctly escape quotes when deleting a directory permanently. Attempting to use KDirStat to permanently delete a directory that has a malicious name could result in arbitrary command execution.
The original report is regarding single quotes. Testing with Fedora revealed the issue there was with double quotes.
Original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741659
Created k4dirstat tracking bugs for this issue:
Affects: fedora-all [bug 1077061]
Created kdirstat tracking bugs for this issue:
Affects: fedora-19 [bug 1077060]
CVE request: http://www.openwall.com/lists/oss-security/2014/03/17/2
MITRE assigned CVE-2014-2527 to the issue involving " (the one that affects Fedora)
MITRE assigned CVE-2014-2528 to the issue involving ' (as noted in the Debian report, and fixed via https://bitbucket.org/jeromerobert/k4dirstat/commits/1ad2e96d73fa06cd9be0f3749b337c03575016aa#chg-src/kcleanup.cpp )
(In reply to Murray McAllister from comment #4)
> MITRE assigned CVE-2014-2527 to the issue involving " (the one that affects
> MITRE assigned CVE-2014-2528 to the issue involving ' (as noted in the
> Debian report, and fixed via
I lost "CVE-2014-2527 CVE-2014-2528" from "Summary" but can't find how to revert this change.
(In reply to Dmitrij S. Kryzhevich from comment #7)
> I lost "CVE-2014-2527 CVE-2014-2528" from "Summary" but can't find how
> to revert this change.
Thanks for looking at this. I have put it back in the summary (there is an "edit" button near the title of the page).
For bugs like this one (filed against the Security Response Product), we leave them in the "NEW" state until everywhere is fixed, and don't assign them to people. For the trackers/product specific bugs, such as bug 1077061 and bug 1077060, you can change their state and assign those to yourself.
http://seclists.org/oss-sec/2014/q1/590 has some discussion about the issue. I am unsure if there is a patch yet for the use of " characters :(
I think we could use the upstream patch as is ( http://paste.fedoraproject.org/86626/52224521/ )
The resulting var "QString expanded" just goes to the shell in the way it is formatted, so there is no need to distinguish between ' and " in this part of the code. The substitution for the file/directory name goes into the following string:
rm -rf %p
There are no special signs here.
But I will still run a few tests.
And one more thing. It was a surprise for me that there is a new upstream here ( bitbucket.org/jeromerobert/k4dirstat ).
Too many mistypes. My bad.
Looks like this patch fixes all ' and " issues. Will submit as an update.
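Added example (not KDirStat's code and not the upstream patch): the quoting problem discussed in this bug, where a name is substituted for %p and the resulting string is handed to the shell. The function names and the harmless `printf '[%s]' %p` template standing in for `rm -rf %p` are assumptions, and the sample names are constructed.

```cpp
// Added illustration; function names are hypothetical, not KDirStat's code.
#include <stdio.h>
#include <iostream>
#include <string>

// Weak: wraps the name in one quote character but leaves that same
// character unescaped inside the name, so the name can end the quoting.
std::string quote_naive(const std::string& path, char q) {
    return q + path + q;
}

// POSIX-safe: single-quote the name and rewrite each ' as '\'' so the
// shell treats every byte of the name literally.
std::string quote_posix(const std::string& path) {
    std::string out = "'";
    for (char c : path) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    return out + "'";
}

// Replace every %p in a cleanup template with the already-quoted name.
std::string expand(std::string tmpl, const std::string& quoted) {
    for (size_t pos = 0; (pos = tmpl.find("%p", pos)) != std::string::npos;
         pos += quoted.size())
        tmpl.replace(pos, 2, quoted);
    return tmpl;
}

// Run a command line through /bin/sh (popen does this) and return stdout.
std::string run_sh(const std::string& cmd) {
    std::string out;
    FILE* p = popen(cmd.c_str(), "r");
    if (!p) return out;
    char buf[256];
    for (size_t n; (n = fread(buf, 1, sizeof buf, p)) > 0;) out.append(buf, n);
    pclose(p);
    return out;
}

int main() {
    // Harmless stand-in for "rm -rf %p": prints each argument in brackets.
    const std::string tmpl = "printf '[%s]' %p";
    const std::string names[] = {"a' 'b", "a\" \"b"};  // constructed names
    for (const std::string& n : names)
        std::cout << "naive ': " << run_sh(expand(tmpl, quote_naive(n, '\''))) << "\n"
                  << "naive \": " << run_sh(expand(tmpl, quote_naive(n, '"'))) << "\n"
                  << "posix  : " << run_sh(expand(tmpl, quote_posix(n))) << "\n";
}
```

Each naive variant splits into two shell words only for the name containing its own quote character, which matches the split into a ' issue and a " issue; the single-quote escaping keeps both names as one argument.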
k4dirstat-2.7.0-0.14.20101010git6c0a9e6.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
k4dirstat-2.7.0-0.14.20101010git6c0a9e6.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.