Three security advisories have been issued today for KDE. The first advisory concerns the unsafe handling of KDE's temporary directory in certain circumstances. The second advisory relates to the unsafe creation of temporary files by KDE 3.2.x's dcopserver . The third advisory is about a frame injection vulnerability in Konqueror as earlier reported by Heise Online and Secunia Distributions are expected to have updated binary packages available shortly. All issues mentioned above have also been fixed in the KDE 3.3 Release Candidate 2 that was announced yesterday . The final release of KDE 3.3 is expected later this month. Cheers, Waldo -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 KDE Security Advisory: Temporary Directory Vulnerability Original Release Date: 2004-08-11 URL: http://www.kde.org/info/security/advisory-20040811-1.txt 0. References
Three security advisories have been issued today for KDE. The first advisory concerns the unsafe handling of KDE's temporary directory in certain circumstances. The second advisory relates to the unsafe creation of temporary files by KDE 3.2.x's dcopserver . The third advisory is about a frame injection vulnerability in Konqueror as earlier reported by Heise Online and Secunia Distributions are expected to have updated binary packages available shortly. All issues mentioned above have also been fixed in the KDE 3.3 Release Candidate 2 that was announced yesterday . The final release of KDE 3.3 is expected later this month. Cheers, Waldo -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 KDE Security Advisory: Temporary Directory Vulnerability Original Release Date: 2004-08-11 URL: http://www.kde.org/info/security/advisory-20040811-1.txt 0. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0689 1. Systems affected: All versions of KDE up to KDE 3.2.3 inclusive. 2. Overview: The SUSE security team was alerted that in some cases the integrity of symlinks used by KDE are not ensured and that these symlinks can be pointing to stale locations. This can be abused by a local attacker to create or truncate arbitrary files or to prevent KDE applications from functioning correctly (Denial of Service). KDE creates in ~/.kde symlinks to a temporary directory, a socket directory and a cache directory. When a user logs into the KDE environment the startkde script ensures that these symlinks are present and point to directories that are owned by the user. However, when a user runs KDE applications outside the KDE environment or when a user runs a KDE applications as another user, such as root, the integrity of these symlinks is not checked and it is possible that a previously created but now stale symlinks exist. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0689 to this issue. 3. Impact: When a stale symlink is present a local attacker could create the directory that the symlink is pointing to with his own credentials to prevent access to this directory by KDE applications. This can prevent KDE applications from functioning correctly. When a stale symlink is present a local attacker could create the directory that the symlink is pointing to with his own credentials. Since KDE applications will attempt to create files with certain known names in this directory, an attacker can abuse this to overwrite arbitrary files with the privileges of the user. 4. Solution: Source code patches have been made available which fix these vulnerabilities. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages. 5. Patch: Patches for KDE 3.0.5b are available from ftp://ftp.kde.org/pub/kde/security_patches : da950a651e69cd810019efce284120fc post-3.0.5b-kdelibs-kstandarddirs.patch Patches for KDE 3.1.5 are available from ftp://ftp.kde.org/pub/kde/security_patches : c97ab0cf014adb59e315047210316f5d post-3.1.5-kdelibs-kstandarddirs.patch Patches for KDE 3.2.3 are available from ftp://ftp.kde.org/pub/kde/security_patches : 345ce2e01cfdfa4754c47894c0271dcc post-3.2.3-kdelibs-kstandarddirs.patch 6. Time line and credits: 23/06/2004 SUSE Security Team alerted by Andrew Tuitt 26/06/2004 Patches created 27/07/2004 Vendors notified 11/08/2004 Public advisory -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQFBGioUN4pvrENfboIRAnALAJ9ynwVAnzRtkDghmItkkCTe8qu/eACfabZc X/9KZihVfSQKjOHvmvBOzv0= =VM4l -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 KDE Security Advisory: DCOPServer Temporary Filename Vulnerability Original Release Date: 2004-08-11 URL: http://www.kde.org/info/security/advisory-20040811-2.txt 0. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0690 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=261386 1. Systems affected: KDE 3.2.x up to KDE 3.2.3 inclusive. 2. Overview: The Debian project was alerted that KDE's DCOPServer creates temporary files in an insecure manner. Since the temporary files are used for authentication related purposes this can potentially allow a local attacker to compromise the account of any user which runs a KDE application. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0690 to this issue. 3. Impact: KDE's DCOPServer creates temporary files in an insecure manner. Since the temporary files are used for authentication related purposes this can potentially allow a local attacker to compromise the account of any user which runs a KDE application. 4. Solution: Source code patches have been made available which fix these vulnerabilities. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages. 5. Patch: Patches for KDE 3.2.3 are available from ftp://ftp.kde.org/pub/kde/security_patches : 0046c691fa833b2ff8d7eac15312a68b post-3.2.3-kdelibs-dcopserver.patch 6. Time line and credits: 25/07/2004 Debian Project alerted by Colin Phipps 26/07/2004 KDE Security team informed by Chris Cheney 26/07/2004 Patch created 27/07/2004 Vendors notified 11/08/2004 Public advisory -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQFBGiosN4pvrENfboIRApSoAJ0S7zbgId9etA3EDrOv5dnFpSUU4wCfd2JK kHcL+tcXbrH971YcuoEleTQ= =VHci -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 KDE Security Advisory: Konqueror Frame Injection Vulnerability Original Release Date: 2004-08-11 URL: http://www.kde.org/info/security/advisory-20040811-3.txt 0. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0721 http://secunia.com/advisories/11978/ http://www.heise.de/newsticker/meldung/48793 http://bugs.kde.org/show_bug.cgi?id=84352 1. Systems affected: All versions of KDE up to KDE 3.2.3 inclusive. 2. Overview: The Konqueror webbrowser allows websites to load webpages into a frame of any other frame-based webpage that the user may have open. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0721 to this issue. 3. Impact: A malicious website could abuse Konqueror to insert its own frames into the page of an otherwise trusted website. As a result the user may unknowingly send confidential information intended for the trusted website to the malicious website. 4. Solution: Source code patches have been made available which fix these vulnerabilities. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages. 5. Patch: Patches for KDE 3.0.5b are available from ftp://ftp.kde.org/pub/kde/security_patches : aa3ac08a45851a1c33b2fcd435e1d514 post-3.0.5b-kdelibs-htmlframes.patch dc4dfff2df75d19e527368f56dc92abb post-3.0.5b-kdebase-htmlframes.patch Patches for KDE 3.1.5 are available from ftp://ftp.kde.org/pub/kde/security_patches : e6cebe1f93f7497d720018362077dcf7 post-3.1.5-kdelibs-htmlframes.patch caa562da0735deacba3ae9170f2bf18f post-3.1.5-kdebase-htmlframes.patch Patches for KDE 3.2.3 are available from ftp://ftp.kde.org/pub/kde/security_patches : 8384f2785295be7082d9984ba8e175eb post-3.2.3-kdelibs-htmlframes.patch a60fd1628607d4abdeb930662d126171 post-3.2.3-kdebase-htmlframes.patch 6. Time line and credits: 01/07/2004 Secunia publishes security advisory 04/08/2004 Patches created 05/08/2004 Vendors notified 11/08/2004 Public advisory -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQFBGioxN4pvrENfboIRAi+mAJ0WMjHog9VRHoDpPodNCwV0RhR0UQCeMNE/ hjSS3bG2/H6ZeaD2VSm9hoI= =YE7B -----END PGP SIGNATURE-----
Users are advised to upgrade to kde-base/kdelibs-3.2.3-r1 kde-base/kdebase-3.2.3-r1 Which has the necessary patches in place. The problem is not present in the version 3.3 ebuilds which are in portage.
Thx Caleb. Drafting GLSA now.
alpha, ia64, ppc, sparc please mark kdelibs and kdebase 3.2.3-r1 stable GLSA drafted : security please review
Caleb: At the same day you added the patches, I asked via bugs.kde.org, if the patches would be simple to backport. Waldo Bastian was so nice to send me patches, including some for KDE 3.1.5. Two days later there was another comment - http://bugs.kde.org/show_bug.cgi?id=84352#c18 - about a problem with these patches.
3.2.3 is now stable on sparc. If you decide to backport to 3.1.x feel free to CC us again.
in stable on ppc
GLSA already drafted. Need one more review.
GLSA 200408-13 alpha and ia64 remember to mark stable to benifit from GLSA.
