Red Hat Bugzilla – Bug 961981
CVE-2013-2074 kdelibs: prints passwords contained in HTTP URLs in error messages
Last modified: 2015-11-02 09:12:48 EST
It was reported  that when KDE encounters an "internal server error" and also prints out the URL that caused the error that it would include the username and password (if supplied) to the resource that caused the error. For instance, it would show "https://user:firstname.lastname@example.org" or similar. This is due to kioslave/http/http.cpp using m_request.url.url() rather than the sanitized m_request.url.prettyUrl(). This issue is fixed in git .
Note that this information is printed out to the local user actively using the computer.
Created kdelibs tracking bugs for this issue
Affects: fedora-all [bug 961982]
This seems to go back as far as KDE3:
vdanen@cerberus:~/cvs-scratch/rhel/kdelibs/rhel-5.9/kdelibs-3.5.4/kioslave/http/ >% grep -n error http.cc|grep 'url.url'
2215: error( ERR_DOES_NOT_EXIST, m_request.url.url() );
2220: error( ERR_COULD_NOT_CONNECT, m_request.url.url() );
2894: error(ERR_INTERNAL_SERVER, m_request.url.url());
2934: error(ERR_DOES_NOT_EXIST, m_request.url.url());
The Red Hat Security Response Team has rated this issue as having low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Created kdelibs3 tracking bugs for this issue
Affects: fedora-all [bug 962001]
As per http://www.openwall.com/lists/oss-security/2013/05/11/2 this was assigned CVE-2013-2074.
the fix was already committed into fedora branch
kdelibs3-3.5.10-53.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
kdelibs3-3.5.10-53.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
kdelibs3-3.5.10-53.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.