Bug 961981 - (CVE-2013-2074) CVE-2013-2074 kdelibs: prints passwords contained in HTTP URLs in error messages
CVE-2013-2074 kdelibs: prints passwords contained in HTTP URLs in error messages
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20130506,reported=2...
: Security
Depends On: 961982 962001
Blocks:
  Show dependency treegraph
 
Reported: 2013-05-10 17:26 EDT by Vincent Danen
Modified: 2015-11-02 09:12 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2013-05-10 17:26:00 EDT
It was reported [1] that when KDE encounters an "internal server error" and also prints out the URL that caused the error that it would include the username and password (if supplied) to the resource that caused the error.  For instance, it would show "https://user:password@remotehost.com" or similar.  This is due to kioslave/http/http.cpp using m_request.url.url() rather than the sanitized m_request.url.prettyUrl().  This issue is fixed in git [2].

Note that this information is printed out to the local user actively using the computer.

[1] https://bugs.kde.org/show_bug.cgi?id=319428
[2] https://projects.kde.org/projects/kde/kdelibs/repository/revisions/65d736dab592bced4410ccfa4699de89f78c96ca/diff/kioslave/http/http.cpp
Comment 1 Vincent Danen 2013-05-10 17:27:11 EDT
Created kdelibs tracking bugs for this issue

Affects: fedora-all [bug 961982]
Comment 2 Vincent Danen 2013-05-10 18:16:12 EDT
This seems to go back as far as KDE3:

vdanen@cerberus:~/cvs-scratch/rhel/kdelibs/rhel-5.9/kdelibs-3.5.4/kioslave/http/ >% grep -n error http.cc|grep 'url.url'
2215:        error( ERR_DOES_NOT_EXIST, m_request.url.url() );
2220:        error( ERR_COULD_NOT_CONNECT, m_request.url.url() );
2894:              error(ERR_INTERNAL_SERVER, m_request.url.url());
2934:          error(ERR_DOES_NOT_EXIST, m_request.url.url());
Comment 3 Vincent Danen 2013-05-10 18:16:45 EDT
Statement:

The Red Hat Security Response Team has rated this issue as having low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 4 Vincent Danen 2013-05-10 18:21:15 EDT
Created kdelibs3 tracking bugs for this issue

Affects: fedora-all [bug 962001]
Comment 5 Vincent Danen 2013-05-11 01:23:56 EDT
As per http://www.openwall.com/lists/oss-security/2013/05/11/2 this was assigned CVE-2013-2074.
Comment 6 Ngo Than 2013-05-13 12:25:28 EDT
the fix was already committed into fedora branch
Comment 7 Fedora Update System 2013-05-26 23:28:00 EDT
kdelibs3-3.5.10-53.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-05-28 20:55:23 EDT
kdelibs3-3.5.10-53.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2013-05-28 20:58:17 EDT
kdelibs3-3.5.10-53.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.