Bug 591631 - (CVE-2010-1000, CVE-2010-1511) CVE-2010-1000 CVE-2010-1511 kdenetwork: improper sanitization of metalink attribute for downloading files
CVE-2010-1000 CVE-2010-1511 kdenetwork: improper sanitization of metalink att...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
public=20100513,reported=20100511,sou...
: Security
Depends On: 591966 591967
Blocks:
  Show dependency treegraph
 
Reported: 2010-05-12 13:54 EDT by Vincent Danen
Modified: 2017-08-02 14:44 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-04-15 12:59:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2010-05-12 13:54:25 EDT
Secunia Research reported a flaw in KDE KGet that can be used by a malicious attacker to potentially compromise a user's system.  The "name" attribute of the "file" element in metalink files is not properly sanitized before being used to download files.  If a user were tricked into downloading a specially crafted metalink file, it could be used to download files to directories outside of the intended download directory via directory traversal flaws.  KGet will start to download files in the background even before a user confirms whether or not they want the particular file downloaded, which could lead to KGet silently overwriting existing files with the same name.

This flaw has been assigned the name CVE-2010-1000.  It also only affects KGet in KDE 4.x and does not affect earlier versions.  Only Red Hat Enterprise Linux 6 and Fedora would be affected.
Comment 2 Vincent Danen 2010-05-13 10:42:23 EDT
This is now public via Ubuntu's advisory (USN-938-1):

http://lists.grok.org.uk/pipermail/full-disclosure/2010-May/074535.html

I don't see anything from upstream, however.
Comment 3 Jaroslav Reznik 2010-05-13 10:54:05 EDT
Hi Vincent,
yes it's public now - http://kde.org/info/security/advisory-20100513-1.txt.
Comment 4 Vincent Danen 2010-05-13 10:58:30 EDT
Upstream's advisory:

http://www.kde.org/info/security/advisory-20100513-1.txt

It also notes CVE-2010-1511, so they've further split the problem as noted in the description into two issues.  Quoting the upstream advisory:

1) The "name" attribute of the "file" element of metalink files is not
properly sanitized before being used to download files. If a user is
tricked into downloading from a specially-crafted metalink file, this can
be exploited to download files to directories outside of the intended
download directory via directory traversal attacks. (CVE-2010-1000)

2) In some versions of KGet (2.4.2) a dialog box is displayed allowing the
user to choose the file to download out of the options offered by the
metalink file. However, KGet will simply go ahead and start the download
after some time - even without prior acknowledgment of the user, and
overwriting already-existing files of the same name. (CVE-2010-1511)

The vulnerabilities were reported by and the above text provided by Stefan
Cornelius of Secunia Research.
Comment 6 Vincent Danen 2010-05-13 11:00:59 EDT
Created kdenetwork tracking bugs for this issue

Affects: fedora-all [bug 591966]
Comment 7 Fedora Update System 2010-05-25 17:48:01 EDT
kde-l10n-4.4.3-1.fc13,kdeaccessibility-4.4.3-1.fc13.1,kdeadmin-4.4.3-1.fc13.1,kdeartwork-4.4.3-1.fc13.1,kdebase-4.4.3-2.fc13.1,kdebase-runtime-4.4.3-1.fc13.1,kdebase-workspace-4.4.3-1.fc13.1,kdebindings-4.4.3-1.fc13.1,kdeedu-4.4.3-1.fc13.1,kdegames-4.4.3-1.fc13.1,kdegraphics-4.4.3-1.fc13.1,kdelibs-4.4.3-2.fc13,kdemultimedia-4.4.3-1.fc13.1,kdenetwork-4.4.3-3.fc13,kdepim-4.4.3-1.fc13.1,kdepim-runtime-4.4.3-1.fc13.1,kdepimlibs-4.4.3-1.fc13.1,kdeplasma-addons-4.4.3-1.fc13.1,kdesdk-4.4.3-1.fc13.1,kdetoys-4.4.3-1.fc13.1,kdeutils-4.4.3-1.fc13.1,oxygen-icon-theme-4.4.3-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/kde-l10n-4.4.3-1.fc13,kdeaccessibility-4.4.3-1.fc13.1,kdeadmin-4.4.3-1.fc13.1,kdeartwork-4.4.3-1.fc13.1,kdebase-4.4.3-2.fc13.1,kdebase-runtime-4.4.3-1.fc13.1,kdebase-workspace-4.4.3-1.fc13.1,kdebindings-4.4.3-1.fc13.1,kdeedu-4.4.3-1.fc13.1,kdegames-4.4.3-1.fc13.1,kdegraphics-4.4.3-1.fc13.1,kdelibs-4.4.3-2.fc13,kdemultimedia-4.4.3-1.fc13.1,kdenetwork-4.4.3-3.fc13,kdepim-4.4.3-1.fc13.1,kdepim-runtime-4.4.3-1.fc13.1,kdepimlibs-4.4.3-1.fc13.1,kdeplasma-addons-4.4.3-1.fc13.1,kdesdk-4.4.3-1.fc13.1,kdetoys-4.4.3-1.fc13.1,kdeutils-4.4.3-1.fc13.1,oxygen-icon-theme-4.4.3-1.fc13
Comment 8 Fedora Update System 2010-05-25 17:49:06 EDT
kde-l10n-4.4.3-1.fc12,kdeaccessibility-4.4.3-1.fc12.1,kdeadmin-4.4.3-1.fc12.1,kdeartwork-4.4.3-1.fc12.1,kdebase-4.4.3-2.fc12.1,kdebase-runtime-4.4.3-1.fc12.1,kdebase-workspace-4.4.3-1.fc12.1,kdebindings-4.4.3-1.fc12.1,kdeedu-4.4.3-1.fc12.1,kdegames-4.4.3-1.fc12.1,kdegraphics-4.4.3-1.fc12.1,kdelibs-4.4.3-2.fc12,kdemultimedia-4.4.3-1.fc12.1,kdenetwork-4.4.3-3.fc12,kdepim-4.4.3-1.fc12.1,kdepim-runtime-4.4.3-1.fc12.1,kdepimlibs-4.4.3-1.fc12.1,kdeplasma-addons-4.4.3-1.fc12.1,kdesdk-4.4.3-1.fc12.1,kdetoys-4.4.3-1.fc12.1,kdeutils-4.4.3-1.fc12.1,oxygen-icon-theme-4.4.3-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/kde-l10n-4.4.3-1.fc12,kdeaccessibility-4.4.3-1.fc12.1,kdeadmin-4.4.3-1.fc12.1,kdeartwork-4.4.3-1.fc12.1,kdebase-4.4.3-2.fc12.1,kdebase-runtime-4.4.3-1.fc12.1,kdebase-workspace-4.4.3-1.fc12.1,kdebindings-4.4.3-1.fc12.1,kdeedu-4.4.3-1.fc12.1,kdegames-4.4.3-1.fc12.1,kdegraphics-4.4.3-1.fc12.1,kdelibs-4.4.3-2.fc12,kdemultimedia-4.4.3-1.fc12.1,kdenetwork-4.4.3-3.fc12,kdepim-4.4.3-1.fc12.1,kdepim-runtime-4.4.3-1.fc12.1,kdepimlibs-4.4.3-1.fc12.1,kdeplasma-addons-4.4.3-1.fc12.1,kdesdk-4.4.3-1.fc12.1,kdetoys-4.4.3-1.fc12.1,kdeutils-4.4.3-1.fc12.1,oxygen-icon-theme-4.4.3-1.fc12
Comment 9 Fedora Update System 2010-05-25 17:52:49 EDT
kde-l10n-4.4.3-1.fc11,kdeaccessibility-4.4.3-1.fc11.1,kdeadmin-4.4.3-1.fc11.1,kdeartwork-4.4.3-1.fc11.1,kdebase-4.4.3-2.fc11.1,kdebase-runtime-4.4.3-1.fc11.1,kdebase-workspace-4.4.3-1.fc11.1,kdebindings-4.4.3-1.fc11.1,kdeedu-4.4.3-1.fc11.1,kdegames-4.4.3-1.fc11.1,kdegraphics-4.4.3-1.fc11.1,kdelibs-4.4.3-2.fc11,kdemultimedia-4.4.3-1.fc11.1,kdenetwork-4.4.3-3.fc11,kdepim-4.4.3-1.fc11.1,kdepim-runtime-4.4.3-1.fc11.1,kdepimlibs-4.4.3-1.fc11.1,kdeplasma-addons-4.4.3-1.fc11.1,kdesdk-4.4.3-1.fc11.1,kdetoys-4.4.3-1.fc11.1,kdeutils-4.4.3-1.fc11.1,oxygen-icon-theme-4.4.3-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/kde-l10n-4.4.3-1.fc11,kdeaccessibility-4.4.3-1.fc11.1,kdeadmin-4.4.3-1.fc11.1,kdeartwork-4.4.3-1.fc11.1,kdebase-4.4.3-2.fc11.1,kdebase-runtime-4.4.3-1.fc11.1,kdebase-workspace-4.4.3-1.fc11.1,kdebindings-4.4.3-1.fc11.1,kdeedu-4.4.3-1.fc11.1,kdegames-4.4.3-1.fc11.1,kdegraphics-4.4.3-1.fc11.1,kdelibs-4.4.3-2.fc11,kdemultimedia-4.4.3-1.fc11.1,kdenetwork-4.4.3-3.fc11,kdepim-4.4.3-1.fc11.1,kdepim-runtime-4.4.3-1.fc11.1,kdepimlibs-4.4.3-1.fc11.1,kdeplasma-addons-4.4.3-1.fc11.1,kdesdk-4.4.3-1.fc11.1,kdetoys-4.4.3-1.fc11.1,kdeutils-4.4.3-1.fc11.1,oxygen-icon-theme-4.4.3-1.fc11
Comment 10 Fedora Update System 2010-05-26 17:40:12 EDT
kde-l10n-4.4.3-1.fc12, kdeaccessibility-4.4.3-1.fc12.1, kdeadmin-4.4.3-1.fc12.1, kdeartwork-4.4.3-1.fc12.1, kdebase-4.4.3-2.fc12.1, kdebase-runtime-4.4.3-1.fc12.1, kdebase-workspace-4.4.3-1.fc12.1, kdebindings-4.4.3-1.fc12.1, kdeedu-4.4.3-1.fc12.1, kdegames-4.4.3-1.fc12.1, kdegraphics-4.4.3-1.fc12.1, kdelibs-4.4.3-2.fc12, kdemultimedia-4.4.3-1.fc12.1, kdenetwork-4.4.3-3.fc12, kdepim-4.4.3-1.fc12.1, kdepim-runtime-4.4.3-1.fc12.1, kdepimlibs-4.4.3-1.fc12.1, kdeplasma-addons-4.4.3-1.fc12.1, kdesdk-4.4.3-1.fc12.1, kdetoys-4.4.3-1.fc12.1, kdeutils-4.4.3-1.fc12.1, oxygen-icon-theme-4.4.3-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2010-05-26 17:41:24 EDT
kde-l10n-4.4.3-1.fc13, kdeaccessibility-4.4.3-1.fc13.1, kdeadmin-4.4.3-1.fc13.1, kdeartwork-4.4.3-1.fc13.1, kdebase-4.4.3-2.fc13.1, kdebase-runtime-4.4.3-1.fc13.1, kdebase-workspace-4.4.3-1.fc13.1, kdebindings-4.4.3-1.fc13.1, kdeedu-4.4.3-1.fc13.1, kdegames-4.4.3-1.fc13.1, kdegraphics-4.4.3-1.fc13.1, kdelibs-4.4.3-2.fc13, kdemultimedia-4.4.3-1.fc13.1, kdenetwork-4.4.3-3.fc13, kdepim-4.4.3-1.fc13.1, kdepim-runtime-4.4.3-1.fc13.1, kdepimlibs-4.4.3-1.fc13.1, kdeplasma-addons-4.4.3-1.fc13.1, kdesdk-4.4.3-1.fc13.1, kdetoys-4.4.3-1.fc13.1, kdeutils-4.4.3-1.fc13.1, oxygen-icon-theme-4.4.3-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2010-05-26 17:44:21 EDT
kde-l10n-4.4.3-1.fc11, kdeaccessibility-4.4.3-1.fc11.1, kdeadmin-4.4.3-1.fc11.1, kdeartwork-4.4.3-1.fc11.1, kdebase-4.4.3-2.fc11.1, kdebase-runtime-4.4.3-1.fc11.1, kdebase-workspace-4.4.3-1.fc11.1, kdebindings-4.4.3-1.fc11.1, kdeedu-4.4.3-1.fc11.1, kdegames-4.4.3-1.fc11.1, kdegraphics-4.4.3-1.fc11.1, kdelibs-4.4.3-2.fc11, kdemultimedia-4.4.3-1.fc11.1, kdenetwork-4.4.3-3.fc11, kdepim-4.4.3-1.fc11.1, kdepim-runtime-4.4.3-1.fc11.1, kdepimlibs-4.4.3-1.fc11.1, kdeplasma-addons-4.4.3-1.fc11.1, kdesdk-4.4.3-1.fc11.1, kdetoys-4.4.3-1.fc11.1, kdeutils-4.4.3-1.fc11.1, oxygen-icon-theme-4.4.3-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.