Bug 469140 (CVE-2013-2074) - <kde-base/kdelibs-4.10.2-r1: may display passwords in HTML error messages, security hotfix (CVE-2013-2074)
Summary: <kde-base/kdelibs-4.10.2-r1: may display passwords in HTML error messages, se...
Status: RESOLVED FIXED
Alias: CVE-2013-2074
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-05-09 07:32 UTC by Andreas K. Hüttel
Modified: 2014-06-29 20:50 UTC (History)
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Andreas K. Hüttel archtester gentoo-dev 2013-05-09 07:32:22 UTC
Please stabilize kde-base/kdelibs-4.10.2-r1 on amd64, ppc, ppc64, x86
No arches cc'ed, sec team please take care of that

From the closed kde-packagers ml (which is why this is initially restricted dev-only, can imho be removed in a few days):

----

Packagers,

You might consider hot-patching your kdelibs with this.
The code that conceivably might display a user password has been in kdelibs since 2009-07-08
Probably means whatever kdelibs 4.x you are shipping needs this fix.


----------  Forwarded Message  ----------

Subject: [kdelibs/KDE/4.10] kioslave/http: Don't show passwords contained in HTTP URLs in error messages
Date: Wednesday, May 08, 2013, 11:38:51 PM
From: Grégory Oestreicher <greg@kamago.net>
To: kde-commits@kde.org

Git commit 65d736dab592bced4410ccfa4699de89f78c96ca by Grégory Oestreicher.
Committed on 08/05/2013 at 23:16.
Pushed by goestreicher into branch 'KDE/4.10'.

Don't show passwords contained in HTTP URLs in error messages
BUG: 319428
Comment 1 Agostino Sarubbo gentoo-dev 2013-05-09 10:50:55 UTC
amd64/x86/ppc/ppc64 stable.

Old removed.

@security please vote
Comment 2 Agostino Sarubbo gentoo-dev 2013-05-11 09:52:10 UTC
This is public.
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2013-05-11 11:17:18 UTC
@security: please make the bug public.
Comment 4 Sergey Popov gentoo-dev 2013-08-23 10:33:14 UTC
GLSA vote: yes
Comment 5 Till Schäfer 2013-12-05 12:13:22 UTC
should this bug be closed? <kde-base/kdelibs-4.10.2-r1 is not in tree anymore.
Comment 6 Andreas K. Hüttel archtester gentoo-dev 2013-12-05 13:10:25 UTC
(In reply to Till Schäfer from comment #5)
> should this bug be closed? <kde-base/kdelibs-4.10.2-r1 is not in tree
> anymore.

It'll eventually be closed when the GLSA is sent out.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-02-06 17:39:41 UTC
CVE-2013-2074 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2074):
  kioslave/http/http.cpp in KIO in kdelibs 4.10.3 and earlier allows attackers
  to discover credentials via a crafted request that triggers an "internal
  server error," which includes the username and password in an error message.
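As an added illustration of the class of fix the forwarded commit and the CVE text describe (the password part of an HTTP URL must be stripped before the URL is echoed into an error page), here is a small standalone C++ helper. This is example code written for this page, not kdelibs' own kioslave/http code; the function names `redactUrlPassword` and `internalServerErrorMessage` and the `[REDACTED]` placeholder are assumptions of the example.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Return a copy of `url` with the password inside its userinfo component
// ("user:password@host") replaced by a placeholder, so the string can be
// embedded in an error page or log line. Hypothetical helper, not kdelibs code.
std::string redactUrlPassword(const std::string& url) {
    // Without a "scheme://" prefix there is no authority component to inspect.
    const std::size_t schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos) {
        return url;
    }
    const std::size_t authorityStart = schemeEnd + 3;

    // The authority ends at the first '/', '?' or '#' (or at end of string).
    std::size_t authorityEnd = url.find_first_of("/?#", authorityStart);
    if (authorityEnd == std::string::npos) {
        authorityEnd = url.size();
    }

    // A raw '@' is not permitted inside userinfo (RFC 3986), so the last '@'
    // within the authority terminates the userinfo, if there is one.
    const std::size_t at = url.rfind('@', authorityEnd);
    if (at == std::string::npos || at < authorityStart) {
        return url;  // no userinfo at all
    }

    // The password starts after the first ':' inside the userinfo.
    const std::size_t colon = url.find(':', authorityStart);
    if (colon == std::string::npos || colon > at) {
        return url;  // username only, nothing secret to hide
    }

    return url.substr(0, colon + 1) + "[REDACTED]" + url.substr(at);
}

// Text an HTTP ioslave might place into an error page. The bug on this page
// is exactly this message being built from the raw URL; redacting first is
// the behaviour the fix introduces.
std::string internalServerErrorMessage(const std::string& url) {
    return "Internal server error while retrieving " + redactUrlPassword(url);
}

int main() {
    // Constructed sample URLs, not taken from any real request.
    const char* samples[] = {
        "http://alice:s3cret@example.com/index.html",
        "http://bob:p%40ss@[::1]:8080/x?y=1",
        "https://alice@example.com/",
        "http://example.com/a@b",
        "example.com",
    };
    for (const char* s : samples) {
        std::cout << internalServerErrorMessage(s) << '\n';
    }
    return 0;
}
```

The helper keeps the username and redacts only the password, matching the scope of the commit title; a deployment that treats usernames as sensitive too would drop everything up to the `@` instead.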
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2014-06-19 02:42:58 UTC
GLSA Vote: Yes
Created a New GLSA request.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-06-29 20:50:02 UTC
This issue was resolved and addressed in
 GLSA 201406-34 at http://security.gentoo.org/glsa/glsa-201406-34.xml
by GLSA coordinator Mikle Kolyada (Zlogene).