Bug 152769 - CAN-2004-0411,0527,0592,0689,0721,0746,1145,1158,1165,1171,2005-0078 - kdelibs and kdebase multiple problems
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: Package request
Assigned To: Fedora Legacy Bugs
Reported: 2004-08-23 14:12 EDT by Marc Deslauriers
Modified: 2007-04-18 13:22 EDT (History)
Last Closed: 2005-07-15 22:13:57 EDT
Description David Lawrence 2005-03-30 18:26:48 EST
CAN-2004-0689:
KDE before 3.3.0 does not properly handle when certain symlinks point to "stale"
locations, which could allow local users to create or truncate arbitrary files.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0689
http://www.kde.org/info/security/advisory-20040811-1.txt
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=128693

CAN-2004-0721:
Konqueror 3.1.3, 3.2.2, and possibly other versions does not properly prevent a
frame in one domain from injecting content into a frame that belongs to another
domain, which facilitates web site spoofing and other attacks, aka the frame
injection vulnerability.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0721
http://www.kde.org/info/security/advisory-20040811-3.txt
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=128462
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=128463

CAN-2004-0746:
The KDE web browser Konqueror allows websites to set cookies
for certain country specific secondary top level domains.

Web sites operating under the affected domains can set HTTP
cookies in such a way that the Konqueror web browser will send them
to all other web sites operating under the same domain.
A malicious website can use this as part of a session fixation
attack.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0746
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129228
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129234
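
The cookie-scoping problem described under CAN-2004-0746, as an added Python example that is not part of the original report and is not Konqueror's code. The length heuristic, the sample suffix set and the host names are assumptions constructed for illustration.

```python
# Added illustration, not Konqueror's code. Both rule sets are assumptions.
GENERIC_SLDS = {"com", "net", "org", "gov", "edu", "mil", "int"}
# Constructed sample of registry-controlled suffixes; a real check would
# load a complete, maintained suffix list.
SAMPLE_SUFFIXES = {"uk", "co.uk", "ltd.uk", "plc.uk", "com", "org"}


def norm(domain):
    return domain.lower().strip(".")


def host_matches(host, cookie_domain):
    """True if a cookie scoped to cookie_domain would be sent to host."""
    h, d = norm(host), norm(cookie_domain)
    return h == d or h.endswith("." + d)


def heuristic_accepts(host, cookie_domain):
    """Assumed length heuristic: under a two-letter TLD, a second-level label
    is treated as a registry only if it is a generic word or <= 2 chars."""
    if not host_matches(host, cookie_domain):
        return False
    parts = norm(cookie_domain).split(".")
    if len(parts) < 2:
        return False  # a bare TLD is never a valid cookie scope
    sld, tld = parts[-2], parts[-1]
    if len(parts) == 2 and len(tld) == 2:
        return not (sld in GENERIC_SLDS or len(sld) <= 2)
    return True


def suffix_aware_accepts(host, cookie_domain, suffixes=SAMPLE_SUFFIXES):
    """Reject any Domain attribute that is itself a registry suffix."""
    return host_matches(host, cookie_domain) and norm(cookie_domain) not in suffixes


def demo():
    # Constructed hosts: two unrelated sites under the same secondary domain.
    setter, other = "shop.example.ltd.uk", "login.example2.ltd.uk"
    return {
        "heuristic_allows_ltd_uk": heuristic_accepts(setter, ".ltd.uk"),
        "cookie_reaches_other_site": host_matches(other, ".ltd.uk"),
        "suffix_aware_allows_ltd_uk": suffix_aware_accepts(setter, ".ltd.uk"),
        "suffix_aware_allows_own": suffix_aware_accepts(setter, ".example.ltd.uk"),
    }
```

A cookie accepted for the whole secondary domain is sent to every site under it, which is what lets one site pre-set a session identifier for another.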



------- Additional Comments From dom@earth.li 2004-09-07 14:11:35 ----

see also bug 1373.



------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-10 07:36:28 ----

Here are updated kdelibs and kdebase packages for 7.3 and 9 to QA:

Changelog:
* Thu Sep 09 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 6:3.0.5a-0.73.5.legacy
- CAN-2004-0689, CAN-2004-0721, CAN-2004-0746 security patches

http://www.infostrategique.com/linuxrpms/legacy/7.3/kdebase-3.0.5a-0.73.5.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/kdebase-3.0.5a-0.73.5.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/kdebase-devel-3.0.5a-0.73.5.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/kdelibs-3.0.5a-0.73.5.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/kdelibs-3.0.5a-0.73.5.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/kdelibs-devel-3.0.5a-0.73.5.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/kdebase-3.1-16.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/kdebase-3.1-16.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/kdebase-devel-3.1-16.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/kdelibs-3.1-15.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/kdelibs-3.1-15.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/kdelibs-devel-3.1-15.legacy.i386.rpm





------- Additional Comments From dom@earth.li 2004-10-04 06:53:34 ----

RHEL erratum: http://rhn.redhat.com/errata/RHSA-2004-412.html



------- Additional Comments From bugzilla.fedora.us@beej.org 2004-12-23 12:36:10 ----

we may be affected by CAN-2004-1145, as well



------- Additional Comments From pekkas@netcore.fi 2004-12-24 01:02:11 ----

Will also need to investigate the following?

CAN-2004-0527  KDE Konqueror 2.1.1 and 2.2.2 allows remote attackers to spoof a 
legitimate URL in the status bar via A HREF tags with modified "alt" values 
that point to the legitimate site, combined with an image map whose href points 
to the malicious site, which facilitates a "phishing" attack.

...

CAN-2004-1165  Konqueror 3.3.1 allows remote attackers to execute arbitrary FTP 
commands via an ftp:// URL that contains a URL-encoded newline ("%0a") before 
the FTP command, which causes the commands to be inserted into the resulting 
FTP session, as demonstrated using a PORT command.  

CAN-2004-1158  Konqueror 3.x up to 3.2.2-6, and possibly other versions, allows 
remote attackers to spoof arbitrary web sites by injecting content from one 
window into a target window or tab whose name is known but resides in a 
different domain, as demonstrated using a pop-up window on a trusted web site, 
aka the "window injection" vulnerability.  

CAN-2004-1171  KDE 3.2.x and 3.3.0 through 3.3.2, when saving credentials that 
are (1) manually entered by the user or (2) created by the SMB protocol 
handler, stores those credentials for plaintext in the user's .desktop file, 
which may be created with world-readable permissions, which could allow local 
users to obtain usernames and passwords for remote resources such as SMB 
shares.  

...

These latter two vulnerabilities have been fixed in e.g., Mandrake and Gentoo 
updates.  I didn't quickly find a reference to 0527 except the one mentioned in 
CVE: http://www.securityfocus.com/bid/10383.


...

The aforementioned CAN-2004-1145 is:
 http://www.kde.org/info/security/advisory-20041220-1.txt


MDKSA-2004:154 describes aforementioned CAN-2004-1145 as follows:
 A vulnerability in the Konqueror webbrowser was discovered where an
 untrusted java applet could escalate privileges (through JavaScript
 calling into Java code).  This includes the reading and writing of
 files with the privileges of the user running the applet.
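
The URL-encoded newline issue quoted above for CAN-2004-1165, as an added Python example that is not part of the original comment and is not KDE's code. The host name, the sample URLs and the harmless `NOOP` line are constructed; the client model (one `CWD` per directory, then `RETR`) is an assumption.

```python
from urllib.parse import urlsplit, unquote


class UnsafeFtpUrl(ValueError):
    """Raised when a decoded path segment contains a control character."""


def build_commands(url, validate=True):
    """Return the control-channel lines a simple client would send for url.

    With validate=True, any decoded segment containing a control character
    (CR, LF, NUL, ...) is refused before a command is built. validate=False
    models the missing check so the effect of "%0a" is visible.
    """
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise ValueError("not an ftp:// URL")
    # Decode each segment separately so an encoded "/" cannot add segments.
    segments = [unquote(s) for s in parts.path.split("/") if s]
    if validate:
        for seg in segments:
            if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in seg):
                raise UnsafeFtpUrl(f"control character in path segment {seg!r}")
    if not segments:
        return []
    *dirs, name = segments
    wire = "".join(f"CWD {d}\r\n" for d in dirs) + f"RETR {name}\r\n"
    # Split the way a line-oriented peer would see the stream.
    return wire.splitlines()


# Constructed sample URLs.
CLEAN_URL = "ftp://ftp.example.test/pub/file.txt"
ENCODED_NEWLINE_URL = "ftp://ftp.example.test/pub/file.txt%0aNOOP"


def is_refused(url):
    try:
        build_commands(url)
    except UnsafeFtpUrl:
        return True
    return False
```

Without the check, the second URL yields three command lines where the user asked for one file; with it, the URL is refused before anything is sent.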




------- Additional Comments From bugzilla.fedora.us@beej.org 2005-01-10 09:48:37 ----

also this: http://bugs.kde.org/show_bug.cgi?id=95825

i couldn't find a CVE number for this.



------- Additional Comments From bugzilla.fedora.us@beej.org 2005-01-10 11:03:00 ----

comment 6 can be ignored.  that is CAN-2004-1165.



------- Additional Comments From bugzilla.fedora.us@beej.org 2005-01-31 11:56:02 ----

CAN-2005-0078 is another for the "to be investigated" list



------- Additional Comments From mschout@gkg.net 2005-02-08 18:56:19 ----

CAN-2005-0078 is for kde versions < 3.0.5.

RH 7.3 uses 3.0.5a, and is not vulnerable.  RH9, FC1 are running versions >
3.0.5 so we are not vulnerable to this one.



------- Additional Comments From mschout@gkg.net 2005-02-08 18:58:53 ----

More info on CAN-2005-0078:

see http://www.debian.org/security/2005/dsa-660 which says:

This problem has been fixed upstream in KDE 3.0.5

So we are not vulnerable to this one.



------- Additional Comments From pekkas@netcore.fi 2005-02-15 22:45:54 ----

https://rhn.redhat.com/errata/RHSA-2005-009.html



------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-17 17:33:42 ----

Here are updated packages to QA:

These packages fix CAN-2004-1158 and CAN-2004-1165.

CAN-2004-1171 does not apply to these versions.
CAN-2004-0527 does not apply to these versions.
Nobody seems to have released updated packages for CAN-2004-1145 for kde < 3.2.x.

http://www.infostrategique.com/linuxrpms/legacy/7.3/kdebase-3.0.5a-0.73.6.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/kdebase-3.0.5a-0.73.6.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/kdebase-devel-3.0.5a-0.73.6.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/kdelibs-3.0.5a-0.73.6.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/kdelibs-3.0.5a-0.73.6.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/kdelibs-devel-3.0.5a-0.73.6.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/kdebase-3.1-17.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/kdebase-3.1-17.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/kdebase-devel-3.1-17.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/kdelibs-3.1-16.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/kdelibs-3.1-16.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/kdelibs-devel-3.1-16.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/kdebase-3.1.4-8.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/kdebase-3.1.4-8.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/kdebase-devel-3.1.4-8.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/kdelibs-3.1.4-8.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/kdelibs-3.1.4-8.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/kdelibs-devel-3.1.4-8.legacy.i386.rpm




------- Additional Comments From pekkas@netcore.fi 2005-02-18 07:03:52 ----

QA w/ rpm-build-compare.sh:
 - source integrity OK
 - spec file changes good
 - most of the patches easily verifiable from RHEL3
 - a couple of patches in 3.0.5a were verified to come from KDE CVS

bdb3a5786f598c98b6fc7762f8ec7c813d385b6f  kdelibs-3.0.5a-0.73.6.legacy.src.rpm
888c25db2003926851fdcad65a7641544fccde33  kdelibs-3.1-16.legacy.src.rpm
3bf8244620d2004a056cce73215301a870e1c7a7  kdelibs-3.1.4-8.legacy.src.rpm

QA w/ rpm-build-compare.sh
 - source integrity OK
 - spec file changes good
 - most of the patches easily verifiable from RHEL3
 - one patch in RHL73 verified to come from KDE CVS

a4d1dde54b3c5a2f123e7a3e6bc44c89294fcb92  kdebase-3.0.5a-0.73.6.legacy.src.rpm
f43ff7f09a123903192fc657f44ab0b894dbf323  kdebase-3.1-17.legacy.src.rpm
b2c9f3686b924cf13a4a33990fdd8c981af9a718  kdebase-3.1.4-8.legacy.src.rpm

+PUBLISH RHL73,RHL9,FC1 (for both kdebase and kdelibs)




------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-28 15:40:05 ----

Packages were pushed to updates-testing.



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:26 -------

This bug previously known as bug 2008 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2008
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Marc Deslauriers 2005-04-05 18:52:13 EDT
*** Bug 152686 has been marked as a duplicate of this bug. ***
Comment 2 mschout 2005-05-10 17:02:59 EDT
7.3 Verify:

sha1:
ab6411334132d5802fc3ee5f2fe84f093e4bc2e7  kdebase-3.0.5a-0.73.7.legacy.i386.rpm
56c46a2228202188e3ed7568d920026271c7b50b  kdebase-devel-3.0.5a-0.73.7.legacy.i386.rpm
150f547193e5c29da348580d5fbd3a073f9ef10e  kdelibs-3.0.5a-0.73.6.legacy.i386.rpm
018101a1b09d9e8f1ce5aef49186385ee5822eaf  kdelibs-devel-3.0.5a-0.73.6.legacy.i386.rpm

signatures:
kdebase-3.0.5a-0.73.7.legacy.i386.rpm: md5 gpg OK
kdebase-devel-3.0.5a-0.73.7.legacy.i386.rpm: md5 gpg OK
kdelibs-3.0.5a-0.73.6.legacy.i386.rpm: md5 gpg OK
kdelibs-devel-3.0.5a-0.73.6.legacy.i386.rpm: md5 gpg OK

Packages update without any errors or warnings.

I have been using these packages since March 5 2005 on a 7.3 workstation
running KDE with no problems.

+VERIFY RHL7.3
Comment 3 Pekka Savola 2005-06-16 08:33:27 EDT
One verify, timeouts in 4 weeks.
Comment 4 Pekka Savola 2005-07-15 01:40:39 EDT
Timeout over.
Comment 5 Marc Deslauriers 2005-07-15 22:13:57 EDT
Packages were released to updates.