Bug 89092 - kde-base/kdewebdev - Kommander untrusted code execution
Bug#: 89092
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: All
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: carlo@gentoo.org
Component: Vulnerabilities
URL: http://www.kde.org/info/security/advisory-20050420-1.txt
Summary: kde-base/kdewebdev - Kommander untrusted code execution
Keywords:
Status Whiteboard: B2 [glsaupdate] jaervosz
Opened: 2005-04-14 07:36 0000
from the advisory draft:
20/04/2005 Coordinated Public Disclosure
1. Systems affected:
Quanta 3.1.x, KDE 3.2 and newer up to and including KDE 3.4.0.
2. Overview:
Kommander is a visual editor and interpreter to edit and
interpret visual dialogs and execute scripts attached to
dialog actions.
Kommander executes without user confirmation data files
from possibly untrusted locations. As they contain
scripts, the user might accidentally run arbitrary code.
3. Impact:
Remotely supplied Kommander files from untrusted sources
are executed without confirmation.
4. Solution:
Source code patches have been made available which fix these
vulnerabilities. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.
<<< kdewebdev-3.3.2-r1
Arch herds, please mark stable. Thanks! :)
Arches can't access restricted bugs -> uncc'ing arches and cc'ing individual
devs. (We'll handle it public later today if we see any advisories.)
Please test and mark kdewebdev-3.3.2-r1 stable.
alpha: kloeri
amd64: absinthe
ppc: pylon
ppc64: corsair
sparc: weeve
x86: tester
mips: hardave
hppa: gmsoft
ia64: ?
If you are not able to mark stable please cc another dev for your arch.
x86 is already stable.. (you're lucky since I don't have kde ;)
Sune: Sorry, I thought we can immediately open when the disclosure date is met.
Would it be possible to establish an always up to date arch/security contact
list I can grab with a script?
cc'd cryos for amd64 since he has time, agriffis for ia64 (and alpha maybe)
This is public now -> opening.
Ehh sorry, now it is open. Sorry for the spam.
The GLEP should probably mention the split-out kommander as well as the
monolithic one.
s/GLEP/GLSA ;-)
but sounds correct, kde-base/kommander was also fixed with 3.4.0-r1
It has been ~arch masked though.
The KDE split ebuilds are not stable yet and therefore not mentioned. Until we
have a better staffing situation we do not issue GLSAs about unstable
packages.
See Non-stable packages in the first chapter of the Vulnerability Policy:
http://www.gentoo.org/security/en/vulnerability-policy.xml
GLSA 200504-23
mips, hppa remember to mark stable to benefit from GLSA.
There's a bug in the original patch, causing a trailing / to be stripped, so
e.g. not only /tmp/foo, but /tmpfoo would cause a temp directory warning as
well.
This is a minor issue, but it would be nice, if you would mark
<<< kdewebdev-3.3.2-r2.ebuild
stable as well. The kde.org guys plan to update their advisory. Don't know, if
we do in such a case.
Thanks.
Thx Carlo. Arches please test and mark stable.
We'll update our GLSA but not issue an update as the security issue is fixed already.
Um, my 2 o'clock in the mornin' brain just doesn't work. :( The url to test got
stripped, so the test wouldn't succeed, leaving the door wide open - as far as
anyone is using kommander scripts.
An updated kde.org advisory regarding this bug and Bug 88862 follows later
today.
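The two follow-up problems described in the comments above (a trailing slash stripped from the directory prefix, so /tmpfoo matched /tmp; and the URL being stripped before the check, so the test could never succeed and the dialog ran anyway) are both instances of a badly written "is this file in an untrusted location?" test. The following is an added example, not Kommander's code and not from the KDE or Gentoo patches: it places the faulty prefix match next to a directory-boundary check, and makes the decision fail closed when the location cannot be determined. The list of untrusted directories and the function names are assumptions made for this illustration.

```python
"""Directory-boundary check for "was this .kmdr file dropped in an untrusted
location?", illustrating the prefix-matching bug discussed in the bug above.
Example code; UNTRUSTED_DIRS is a constructed list, not Kommander's own."""
import os
from typing import Optional
from urllib.parse import urlparse, unquote

# Constructed list of "untrusted drop locations" for this example only.
UNTRUSTED_DIRS = ["/tmp/", "/var/tmp/"]


def naive_is_untrusted(path: str) -> bool:
    """The faulty pattern: strip the trailing '/' and do a bare string prefix
    match. '/tmpfoo' matches '/tmp' just as '/tmp/foo' does."""
    return any(path.startswith(d.rstrip("/")) for d in UNTRUSTED_DIRS)


def is_untrusted(path: str) -> bool:
    """Compare on normalised path components, so only files that are really
    inside one of the directories match (no false hit on '/tmpfoo')."""
    real = os.path.realpath(path)
    for d in UNTRUSTED_DIRS:
        base = os.path.realpath(d)
        try:
            if os.path.commonpath([real, base]) == base:
                return True
        except ValueError:  # mixed absolute/relative paths or drives
            continue
    return False


def local_path(url: str) -> Optional[str]:
    """Return the local filesystem path for a file:// URL or a bare path,
    None for anything remote, empty or unparsable."""
    if not url:
        return None
    parsed = urlparse(url)
    if parsed.scheme in ("", "file"):
        return unquote(parsed.path) or None
    return None


def needs_confirmation(url: str) -> bool:
    """Decide whether a dialog file may run its scripts without asking.
    A remote URL, or a location that was lost before the check (the 'URL got
    stripped' case), fails closed: confirmation is required rather than the
    file being run silently."""
    path = local_path(url)
    if path is None:
        return True
    return is_untrusted(path)


if __name__ == "__main__":
    for candidate in ["/tmp/foo.kmdr", "/tmpfoo", "file:///tmp/x.kmdr",
                      "http://example.invalid/x.kmdr", "", "/usr/share/a.kmdr"]:
        print(f"{candidate!r:36} naive={naive_is_untrusted(candidate)!s:5} "
              f"confirm={needs_confirmation(candidate)}")
```

The point of `is_untrusted` is that the comparison happens on path components after normalisation, not on a character prefix, so a trailing separator cannot be lost. `needs_confirmation` treats "no usable path" as untrusted: a check that silently passes when its input is empty is the door-wide-open failure the comment describes.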
Carlo is this ready to be closed again now?
Up to you Sune. No GLSA update in order?
Time for a GLSA update...
As far as I understand the latest patch, it's just an extra/wrong warning. So
no security issue. So I'll close it without a GLSA update.