Bug 152686 - CAN-2004-0411,0592 kdelibs flaws
CAN-2004-0411,0592 kdelibs flaws
Status: CLOSED DUPLICATE of bug 152769
Product: Fedora Legacy
Classification: Retired
Component: Package request (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
http://www.kde.org/
LEGACY, rh73
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-03-11 07:04 EST by David Lawrence
Modified: 2014-01-21 17:51 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-04-05 18:51:43 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Lawrence 2005-03-30 18:23:59 EST
Flaws have been found in the cookie path handling between a number of Web
browsers and servers. The HTTP cookie standard allows a Web server
supplying a cookie to a client to specify a subset of URLs on the origin
server to which the cookie applies. Web servers such as Apache do not
filter returned cookies and assume that the client will only send back
cookies for requests that fall within the server-supplied subset of URLs.
However, by supplying URLs that use path traversal (/../) and character
encoding, it is possible to fool many browsers into sending a cookie to a
path outside of the originally-specified subset.



http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0592
https://rhn.redhat.com/errata/RHSA-2004-075.html



------- Additional Comments From bugs.michael@gmx.net 2004-03-11 14:49:58 ----

rh73:

http://www.fedoralegacy.org/contrib/kde/kdelibs-3.0.5a-0.73.3.legacy.src.rpm
http://www.fedoralegacy.org/contrib/kde/kdelibs-3.0.5a-0.73.3.legacy.i386.rpm
http://www.fedoralegacy.org/contrib/kde/kdelibs-devel-3.0.5a-0.73.3.legacy.i386.rpm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

f7836682de929906bd1361382ccc2a0bbc41630a  kdelibs-3.0.5a-0.73.3.legacy.src.rpm

254fd2cda09e3a5fe851076c34c48568fc9b23e8  kdelibs-3.0.5a-0.73.3.legacy.i386.rpm
867bffd11f91da9023d56acc0fe174dca966d9a7 
kdelibs-devel-3.0.5a-0.73.3.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAUQjs0iMVcrivHFQRAqbmAJ9Z2zDYsAKJglQcb9Qbc9+D/5644QCdGo9X
FjNeSrUfb7Y34ukjlglO4ww=
=JXly
-----END PGP SIGNATURE-----




------- Additional Comments From jkeating@j2solutions.net 2004-05-18 18:29:07 ----

I don't suppose there is any chance in getting some help with applying this
patch to 7.2/8.0?

7.2:  kdelibs-2.2.2-9.src.rpm

8.0:  kdelibs-3.0.3-8.src.rpm



------- Additional Comments From barryn@pobox.com 2004-05-20 03:58:04 ----

Another kdelibs vulnerability:
https://rhn.redhat.com/errata/RHSA-2004-222.html

BTW, kdelibs-2.2.2-11.src.rpm from RHEL 2.1 could be used to do the 7.2 update,
if Fedora Legacy is going to continue 7.2 support.



------- Additional Comments From michal@harddata.com 2004-05-20 19:39:19 ----

Created an attachment (id=681)
proposed rh7.3 and rh9 patches for the latest issues in kdelibs

These patches address issues mentioned in comment #3 and were created
by "eye-balling" sources for kdelibs-3.0.5a-0.73.3.legacy and 
post-3.1.5-kdelibs-ktelnetservice.patch, post-3.1.5-kdelibs-kapplication.patch 

from kdelibs-3.1.4-5 (FC1 update). Not compiled so far!

The same patch applies to kdelibs-3.1-13 from RH9 (with an offset of -41 lines
in the second chunk).




------- Additional Comments From marcdeslauriers@videotron.ca 2004-06-08 17:50:54 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are 7.3 and 9 rpms.
They include patches for CAN-2003-0592 and CAN-2004-0411.
Michal's patch was good, and it matched upstream.

Changelog:
* Tue Jun 08 2004 Marc Deslauriers <marcdeslauriers@videotron.ca>
6:3.0.5a-0.73.4.legacy
- - CAN-2004-0411 security patch
- - (KDE Telnet URI Handler File Vulnerability)
- - (Vulnerability in the mailto handler)

7.3:
eb795c1b63dcc12edda1b3746bf10c59499a2e9e  kdelibs-3.0.5a-0.73.4.legacy.i386.rpm
ba3cce2161577f68004bf06b5ea2c43ff1c28e7d  kdelibs-3.0.5a-0.73.4.legacy.src.rpm
07c2f5997b9a212ca43c6c7014714c5f6e2dadfa 
kdelibs-devel-3.0.5a-0.73.4.legacy.i386.rpm

9:
926c2fce4e4ac819b64883abbc6682bfa5b8fbea  kdelibs-3.1-14.legacy.i386.rpm
ebe76925e224f5f2e312814f5f7fb24fc6030fb6  kdelibs-3.1-14.legacy.src.rpm
2aecba9849275f4c3ab6b6ecd9c4aef246a1692c  kdelibs-devel-3.1-14.legacy.i386.rpm

Packages will be available here as soon as our shitty DSL line comes backup up:
http://www.infostrategique.com/linuxrpms/legacy/7.3/kdelibs-3.0.5a-0.73.4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/kdelibs-3.0.5a-0.73.4.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/kdelibs-devel-3.0.5a-0.73.4.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/kdelibs-3.1-14.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/kdelibs-3.1-14.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/kdelibs-devel-3.1-14.legacy.i386.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAxojsLMAs/0C4zNoRAiR/AJ9gwTCRrROT3Xkf1BOEWZf1H95nWQCcDnig
pHprJ3WQPw9YZ3VThh4GeQY=
=jSpO
-----END PGP SIGNATURE-----




------- Additional Comments From jp107@damtp.cam.ac.uk 2004-06-09 06:07:52 ----

RH80 updates (mine) not official legacy can be found at:

http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/SRPMS/kdelibs-3.0.5a-6.80.1JSP.src.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/i386/kdelibs-3.0.5a-6.80.1JSP.i386.rpm
http://www.damtp.cam.ac.uk/user/jp107/rh80-updates/RPMS/i386/kdelibs-devel-3.0.5a-6.80.1JSP.i386.rpm

I could describe the patch but you can just look at the srpm if you want.  We
have been running this version since May 19th.





------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-10 07:37:15 ----

This bug has been superseded by bug 2008



------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-28 15:40:42 ----

Packages in bug 2008 were released to updates-testing



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:23 -------

This bug previously known as bug 1373 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1373
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
proposed rh7.3 and rh9 patches for the latest issues in kdelibs
https://bugzilla.fedora.us/attachment.cgi?action=view&id=681

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl@redhat.com.
   Previous reporter was jonny.strom@netikka.fi.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Marc Deslauriers 2005-04-05 18:51:43 EDT

*** This bug has been marked as a duplicate of 152769 ***

Note You need to log in before you can comment on or make changes to this bug.