l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
September 2: Social gathering
Next Installfest:
TBD
Latest News:
Aug. 18: Discounts to "Velocity" in NY; come to tonight's "Photography" talk
Page last updated:
2004 May 17 12:20

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
[vox] Security problems with URL handling in Opera and KDE (forward from KDE-announce list)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[vox] Security problems with URL handling in Opera and KDE (forward from KDE-announce list)



I am passing along this security advosiry since I know that lots of LUGODers
use KDE and/or Opera.

----- Forwarded message from Waldo Bastian <bastian@kde.org> -----

From: Waldo Bastian <bastian@kde.org>
To: kde-announce@kde.org, bugtraq@securityfocus.com
Date: Mon, 17 May 2004 13:02:01 +0200
Cc: security@kde.org, kde-packager@kde.org, vendor-sec@lst.de
Subject: [kde-announce] KDE Security Advisory: URI Handler Vulnerabilities
X-CRM114-Status: Good  ( pR: 0.0000 )

KDE Security Advisory: URI Handler Vulnerabilities
Original Release Date: 2004-05-17
URL: http://www.kde.org/info/security/advisory-20040517-1.txt

0. References

	http://www.idefense.com/application/poi/display?id=104
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0411
        http://www.securityfocus.com/archive/1/363225

1. Systems affected:

        All versions of KDE up to KDE 3.2.2 inclusive. 


2. Overview:

        iDEFENSE identified a vulnerability in the Opera Web Browser
        that could allow remote attackers to create or truncate
        arbitrary files. The KDE team has found that similar
        vulnerabilities exists in KDE.

        The telnet, rlogin, ssh and mailto URI handlers in KDE do not
        check for '-' at the beginning of the hostname passed, which
        makes it possible to pass an option to the programs started
        by the handlers.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2004-0411 to this issue.


3. Impact:

        A remote attacker could entice a user to open a carefully crafted
        telnet URI which may either create or truncate a file anywhere 
        where the victim has permission to do so. In KDE 3.2 and later
        versions the user is first explicitly asked to confirm the opening
        of the telnet URI.

        A remote attacker could entice a user to open a carefully crafted
        mailto URI which may start the KMail program with its display 
        redirected to a remote machine under control of the attacker.
        An attacker can then use this to gain full access to the victims
        personal files and account.

        An attacker could entice a user to open a carefully crafted
        mailto URI which may start the KMail program using a configuration
        file specified by the attacker. If the attacker is able to install
        arbitrary files somewhere on the machine, the attacker can include
        commands in the configuration file which will be executed with the
        privileges of the victim allowing the attacker to gain full access
        to the victims personal files and account.

4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.


5. Patch:

        Patches for KDE 3.0.5b are available from
        ftp://ftp.kde.org/pub/kde/security_patches : 

  5c573853ec3f426d33c559958baa2169  post-3.0.5b-kdelibs-kapplication.patch
  eaf9237b3af56b3b01df966b13fe2714  post-3.0.5b-kdelibs-ktelnetservice.patch

        Patches for KDE 3.1.5 are available from
        ftp://ftp.kde.org/pub/kde/security_patches : 

  7c2bda942c4183d4163eb3f47f22e0bc  post-3.1.5-kdelibs-kapplication.patch
  bde52aa0bba055c4f678540ec20bfe5a  post-3.1.5-kdelibs-ktelnetservice.patch

        Patches for KDE 3.2.2 are available from
        ftp://ftp.kde.org/pub/kde/security_patches : 

  7cebc1abb3141287db618486fd679b32  post-3.2.2-kdelibs-kapplication.patch
  52e0e955204a77781505d33b9a3c341d  post-3.2.2-kdelibs-ktelnetservice.patch


6. Time line and credits:

        02/04/2003 Exploit acquired by iDEFENSE
	12/05/2004 Public disclosure of Opera vulnerability
        13/05/2004 KDE Team informed by Martin Ostertag
	13/05/2004 Patches created
	14/05/2004 Vendors notified
	14/05/2004 Patches created for mailto problem.
        17/05/2004 Public advisory

_______________________________________________
kde-announce mailing list
kde-announce@kde.org
https://mail.kde.org/mailman/listinfo/kde-announce


----- End forwarded message -----

-- 
Henry House
The unintelligible text that may follow is a digital signature.
See <http://hajhouse.org/pgp> to find out how to verify it.
My OpenPGP key: <http://hajhouse.org/hajhouse.asc>.

Attachment: signature.asc
Description: Digital signature



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Appahost Applications
For a significant contribution towards our projector, and a generous donation to allow us to continue meeting at the Davis Library.