Secunia Research reported a flaw in KDE KGet that can be used by a malicious attacker to potentially compromise a user's system. The "name" attribute of the "file" element in metalink files is not properly sanitized before being used to download files. If a user were tricked into downloading a specially crafted metalink file, it could be used to download files to directories outside of the intended download directory via directory traversal flaws. KGet will start to download files in the background even before a user confirms whether or not they want the particular file downloaded, which could lead to KGet silently overwriting existing files with the same name. This flaw has been assigned the name CVE-2010-1000. It also only affects KGet in KDE 4.x and does not affect earlier versions. Only Red Hat Enterprise Linux 6 and Fedora would be affected.
This is now public via Ubuntu's advisory (USN-938-1): http://lists.grok.org.uk/pipermail/full-disclosure/2010-May/074535.html I don't see anything from upstream, however.
Hi Vincent, yes it's public now - http://kde.org/info/security/advisory-20100513-1.txt.
Upstream's advisory: http://www.kde.org/info/security/advisory-20100513-1.txt

It also notes CVE-2010-1511, so they've further split the problem as noted in the description into two issues. Quoting the upstream advisory:

1) The "name" attribute of the "file" element of metalink files is not properly sanitized before being used to download files. If a user is tricked into downloading from a specially-crafted metalink file, this can be exploited to download files to directories outside of the intended download directory via directory traversal attacks. (CVE-2010-1000)

2) In some versions of KGet (2.4.2) a dialog box is displayed allowing the user to choose the file to download out of the options offered by the metalink file. However, KGet will simply go ahead and start the download after some time - even without prior acknowledgment of the user, and overwriting already-existing files of the same name. (CVE-2010-1511)

The vulnerabilities were reported by and the above text provided by Stefan Cornelius of Secunia Research.
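The two checks the advisory implies, written here as an added Python example (not KGet's C++ code and not taken from the advisory): parse a constructed Metalink 3.0 document, reject any "name" attribute that is absolute or contains "." / ".." components before it is joined to the download directory (the CVE-2010-1000 class), and flag names that collide with an already-existing file for explicit confirmation instead of silently overwriting (the CVE-2010-1511 class). The sample document, the download directory and the set of existing files are all constructed.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed Metalink 3.0 sample (not from the advisory): one ordinary entry,
# one nested entry, and two entries whose names would escape the download directory.
SAMPLE_METALINK = """<metalink version="3.0" xmlns="http://www.metalinker.org/">
  <files>
    <file name="kdenetwork-4.4.3.tar.bz2"><resources><url>http://example.invalid/a</url></resources></file>
    <file name="docs/README.txt"><resources><url>http://example.invalid/b</url></resources></file>
    <file name="../../escaped.txt"><resources><url>http://example.invalid/c</url></resources></file>
    <file name="/tmp/absolute.txt"><resources><url>http://example.invalid/d</url></resources></file>
  </files>
</metalink>
"""

def safe_target_path(download_dir, name):
    """Validate a <file name="..."> value and return the absolute target path
    inside download_dir, or None if the name is rejected."""
    # Metalink names use '/' as separator; refuse backslashes, absolute paths,
    # empty components and any '.' / '..' component outright.
    if not name or "\\" in name or name.startswith("/"):
        return None
    if any(part in ("", ".", "..") for part in name.split("/")):
        return None
    base = posixpath.normpath(download_dir)
    target = posixpath.normpath(posixpath.join(base, name))
    # Second layer: the normalised target must still sit under the download directory.
    if posixpath.commonpath([base, target]) != base:
        return None
    return target

def plan_downloads(metalink_xml, download_dir, existing=frozenset()):
    """Sort <file> entries into three buckets: safe to download, collides with an
    existing file (needs explicit user confirmation), or rejected."""
    plan = {"download": [], "confirm": [], "reject": []}
    root = ET.fromstring(metalink_xml)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "file":   # namespace-agnostic match on <file>
            continue
        name = el.get("name", "")
        target = safe_target_path(download_dir, name)
        if target is None:
            plan["reject"].append(name)
        elif target in existing:
            plan["confirm"].append(target)
        else:
            plan["download"].append(target)
    return plan

if __name__ == "__main__":
    print(plan_downloads(SAMPLE_METALINK, "/home/user/Downloads",
                         existing={"/home/user/Downloads/docs/README.txt"}))
```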
Created kdenetwork tracking bugs for this issue

Affects: fedora-all [bug 591966]
kde-l10n-4.4.3-1.fc13,kdeaccessibility-4.4.3-1.fc13.1,kdeadmin-4.4.3-1.fc13.1,kdeartwork-4.4.3-1.fc13.1,kdebase-4.4.3-2.fc13.1,kdebase-runtime-4.4.3-1.fc13.1,kdebase-workspace-4.4.3-1.fc13.1,kdebindings-4.4.3-1.fc13.1,kdeedu-4.4.3-1.fc13.1,kdegames-4.4.3-1.fc13.1,kdegraphics-4.4.3-1.fc13.1,kdelibs-4.4.3-2.fc13,kdemultimedia-4.4.3-1.fc13.1,kdenetwork-4.4.3-3.fc13,kdepim-4.4.3-1.fc13.1,kdepim-runtime-4.4.3-1.fc13.1,kdepimlibs-4.4.3-1.fc13.1,kdeplasma-addons-4.4.3-1.fc13.1,kdesdk-4.4.3-1.fc13.1,kdetoys-4.4.3-1.fc13.1,kdeutils-4.4.3-1.fc13.1,oxygen-icon-theme-4.4.3-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/kde-l10n-4.4.3-1.fc13,kdeaccessibility-4.4.3-1.fc13.1,kdeadmin-4.4.3-1.fc13.1,kdeartwork-4.4.3-1.fc13.1,kdebase-4.4.3-2.fc13.1,kdebase-runtime-4.4.3-1.fc13.1,kdebase-workspace-4.4.3-1.fc13.1,kdebindings-4.4.3-1.fc13.1,kdeedu-4.4.3-1.fc13.1,kdegames-4.4.3-1.fc13.1,kdegraphics-4.4.3-1.fc13.1,kdelibs-4.4.3-2.fc13,kdemultimedia-4.4.3-1.fc13.1,kdenetwork-4.4.3-3.fc13,kdepim-4.4.3-1.fc13.1,kdepim-runtime-4.4.3-1.fc13.1,kdepimlibs-4.4.3-1.fc13.1,kdeplasma-addons-4.4.3-1.fc13.1,kdesdk-4.4.3-1.fc13.1,kdetoys-4.4.3-1.fc13.1,kdeutils-4.4.3-1.fc13.1,oxygen-icon-theme-4.4.3-1.fc13
kde-l10n-4.4.3-1.fc12,kdeaccessibility-4.4.3-1.fc12.1,kdeadmin-4.4.3-1.fc12.1,kdeartwork-4.4.3-1.fc12.1,kdebase-4.4.3-2.fc12.1,kdebase-runtime-4.4.3-1.fc12.1,kdebase-workspace-4.4.3-1.fc12.1,kdebindings-4.4.3-1.fc12.1,kdeedu-4.4.3-1.fc12.1,kdegames-4.4.3-1.fc12.1,kdegraphics-4.4.3-1.fc12.1,kdelibs-4.4.3-2.fc12,kdemultimedia-4.4.3-1.fc12.1,kdenetwork-4.4.3-3.fc12,kdepim-4.4.3-1.fc12.1,kdepim-runtime-4.4.3-1.fc12.1,kdepimlibs-4.4.3-1.fc12.1,kdeplasma-addons-4.4.3-1.fc12.1,kdesdk-4.4.3-1.fc12.1,kdetoys-4.4.3-1.fc12.1,kdeutils-4.4.3-1.fc12.1,oxygen-icon-theme-4.4.3-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/kde-l10n-4.4.3-1.fc12,kdeaccessibility-4.4.3-1.fc12.1,kdeadmin-4.4.3-1.fc12.1,kdeartwork-4.4.3-1.fc12.1,kdebase-4.4.3-2.fc12.1,kdebase-runtime-4.4.3-1.fc12.1,kdebase-workspace-4.4.3-1.fc12.1,kdebindings-4.4.3-1.fc12.1,kdeedu-4.4.3-1.fc12.1,kdegames-4.4.3-1.fc12.1,kdegraphics-4.4.3-1.fc12.1,kdelibs-4.4.3-2.fc12,kdemultimedia-4.4.3-1.fc12.1,kdenetwork-4.4.3-3.fc12,kdepim-4.4.3-1.fc12.1,kdepim-runtime-4.4.3-1.fc12.1,kdepimlibs-4.4.3-1.fc12.1,kdeplasma-addons-4.4.3-1.fc12.1,kdesdk-4.4.3-1.fc12.1,kdetoys-4.4.3-1.fc12.1,kdeutils-4.4.3-1.fc12.1,oxygen-icon-theme-4.4.3-1.fc12
kde-l10n-4.4.3-1.fc11,kdeaccessibility-4.4.3-1.fc11.1,kdeadmin-4.4.3-1.fc11.1,kdeartwork-4.4.3-1.fc11.1,kdebase-4.4.3-2.fc11.1,kdebase-runtime-4.4.3-1.fc11.1,kdebase-workspace-4.4.3-1.fc11.1,kdebindings-4.4.3-1.fc11.1,kdeedu-4.4.3-1.fc11.1,kdegames-4.4.3-1.fc11.1,kdegraphics-4.4.3-1.fc11.1,kdelibs-4.4.3-2.fc11,kdemultimedia-4.4.3-1.fc11.1,kdenetwork-4.4.3-3.fc11,kdepim-4.4.3-1.fc11.1,kdepim-runtime-4.4.3-1.fc11.1,kdepimlibs-4.4.3-1.fc11.1,kdeplasma-addons-4.4.3-1.fc11.1,kdesdk-4.4.3-1.fc11.1,kdetoys-4.4.3-1.fc11.1,kdeutils-4.4.3-1.fc11.1,oxygen-icon-theme-4.4.3-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/kde-l10n-4.4.3-1.fc11,kdeaccessibility-4.4.3-1.fc11.1,kdeadmin-4.4.3-1.fc11.1,kdeartwork-4.4.3-1.fc11.1,kdebase-4.4.3-2.fc11.1,kdebase-runtime-4.4.3-1.fc11.1,kdebase-workspace-4.4.3-1.fc11.1,kdebindings-4.4.3-1.fc11.1,kdeedu-4.4.3-1.fc11.1,kdegames-4.4.3-1.fc11.1,kdegraphics-4.4.3-1.fc11.1,kdelibs-4.4.3-2.fc11,kdemultimedia-4.4.3-1.fc11.1,kdenetwork-4.4.3-3.fc11,kdepim-4.4.3-1.fc11.1,kdepim-runtime-4.4.3-1.fc11.1,kdepimlibs-4.4.3-1.fc11.1,kdeplasma-addons-4.4.3-1.fc11.1,kdesdk-4.4.3-1.fc11.1,kdetoys-4.4.3-1.fc11.1,kdeutils-4.4.3-1.fc11.1,oxygen-icon-theme-4.4.3-1.fc11
kde-l10n-4.4.3-1.fc12, kdeaccessibility-4.4.3-1.fc12.1, kdeadmin-4.4.3-1.fc12.1, kdeartwork-4.4.3-1.fc12.1, kdebase-4.4.3-2.fc12.1, kdebase-runtime-4.4.3-1.fc12.1, kdebase-workspace-4.4.3-1.fc12.1, kdebindings-4.4.3-1.fc12.1, kdeedu-4.4.3-1.fc12.1, kdegames-4.4.3-1.fc12.1, kdegraphics-4.4.3-1.fc12.1, kdelibs-4.4.3-2.fc12, kdemultimedia-4.4.3-1.fc12.1, kdenetwork-4.4.3-3.fc12, kdepim-4.4.3-1.fc12.1, kdepim-runtime-4.4.3-1.fc12.1, kdepimlibs-4.4.3-1.fc12.1, kdeplasma-addons-4.4.3-1.fc12.1, kdesdk-4.4.3-1.fc12.1, kdetoys-4.4.3-1.fc12.1, kdeutils-4.4.3-1.fc12.1, oxygen-icon-theme-4.4.3-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
kde-l10n-4.4.3-1.fc13, kdeaccessibility-4.4.3-1.fc13.1, kdeadmin-4.4.3-1.fc13.1, kdeartwork-4.4.3-1.fc13.1, kdebase-4.4.3-2.fc13.1, kdebase-runtime-4.4.3-1.fc13.1, kdebase-workspace-4.4.3-1.fc13.1, kdebindings-4.4.3-1.fc13.1, kdeedu-4.4.3-1.fc13.1, kdegames-4.4.3-1.fc13.1, kdegraphics-4.4.3-1.fc13.1, kdelibs-4.4.3-2.fc13, kdemultimedia-4.4.3-1.fc13.1, kdenetwork-4.4.3-3.fc13, kdepim-4.4.3-1.fc13.1, kdepim-runtime-4.4.3-1.fc13.1, kdepimlibs-4.4.3-1.fc13.1, kdeplasma-addons-4.4.3-1.fc13.1, kdesdk-4.4.3-1.fc13.1, kdetoys-4.4.3-1.fc13.1, kdeutils-4.4.3-1.fc13.1, oxygen-icon-theme-4.4.3-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
kde-l10n-4.4.3-1.fc11, kdeaccessibility-4.4.3-1.fc11.1, kdeadmin-4.4.3-1.fc11.1, kdeartwork-4.4.3-1.fc11.1, kdebase-4.4.3-2.fc11.1, kdebase-runtime-4.4.3-1.fc11.1, kdebase-workspace-4.4.3-1.fc11.1, kdebindings-4.4.3-1.fc11.1, kdeedu-4.4.3-1.fc11.1, kdegames-4.4.3-1.fc11.1, kdegraphics-4.4.3-1.fc11.1, kdelibs-4.4.3-2.fc11, kdemultimedia-4.4.3-1.fc11.1, kdenetwork-4.4.3-3.fc11, kdepim-4.4.3-1.fc11.1, kdepim-runtime-4.4.3-1.fc11.1, kdepimlibs-4.4.3-1.fc11.1, kdeplasma-addons-4.4.3-1.fc11.1, kdesdk-4.4.3-1.fc11.1, kdetoys-4.4.3-1.fc11.1, kdeutils-4.4.3-1.fc11.1, oxygen-icon-theme-4.4.3-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.