Bug 79585 - kde-base/kdeedu CAN-2005-0011: Buffer overflows in fliccd of kstars
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High critical
Assignee: Gentoo Security
Whiteboard: B1/C0 [glsa] jaervosz
Reported: 2005-01-26 08:30 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-03-23 19:32 UTC

Attachments
kstars-minimal.diff (kstars-minimal.diff,1.30 KB, patch)
2005-01-28 06:53 UTC, Sune Kloppenborg Jeppesen (RETIRED)

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-26 08:30:38 UTC
Erik Sjölund discovered that a buffer overflow in fliccd which is
installed setuid root (at least on Debian/unstable) can be exploited
quite easily and will probably allow arbitrary code to be executed.

KDE has been notified.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-26 22:07:15 UTC
It is also setuid root on Gentoo.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-26 22:08:49 UTC
KDE, is it possible to fix the permissions in 2005.0 (and mention nothing else in the Changelog)?
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-28 06:53:12 UTC
Created attachment 49736
kstars-minimal.diff

Here's a minimal patch to fix this vulnerability.  Dirk will send
the entire upstream patch later.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-28 06:54:08 UTC
Carlo, caleb please advise on comment #2.
Comment 6 Caleb Tennis (RETIRED) gentoo-dev 2005-01-28 07:03:28 UTC
I can't test the patch until later this evening - it will need to be cleaned up to work in Gentoo, but shouldn't be a problem.  If nobody gets to it first I'll go ahead and bump it - should be okay to just leave stable on all arches. 
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-13 04:56:51 UTC
Waiting for new coordinated release date. KDE please be ready to patch.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-13 06:03:14 UTC
New release date is February 15th
Comment 9 Carsten Lohrke (RETIRED) gentoo-dev 2005-02-14 11:55:50 UTC
Hm, "nobody" is about to commit. What about the changelog - do I violate any stupid vendor sec agreements, if I write "buffer overflows in fliccd of kstars"?
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-02-14 12:01:18 UTC
carlo: since we are very close to disclosure date, I'd say you can commit with any comment you want.
Comment 11 Carsten Lohrke (RETIRED) gentoo-dev 2005-02-14 12:12:51 UTC
Koon: Are you sure about "any comment"? ;) I'd like to know how we deal with this in general. Just "security bug, #1010101"?


<<< kdeedu-3.3.2-r1.ebuild

arch herds: would you please!?
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-02-14 13:58:11 UTC
Carlo: Confidential bugs shouldn't be disclosed at all. No CVS commit, no Changelog or whatever. Semi-public bugs can be committed to CVS, but with cryptic comments like "bug #101010". When we are at disclosure date, it's OK to commit and comment.

This bug should be open ASAP so that arch people can comment on it :)
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-14 14:06:49 UTC
Thx Carlo.

Opening bug. Arches please test and mark stable.
Comment 14 Carsten Lohrke (RETIRED) gentoo-dev 2005-02-14 14:24:08 UTC
Koon: O.k., even though I dislike this closed list approach at all, it makes sense in context. I bet I'm not the only one who is/wasn't sure about it. Maybe a good question for the become-a-developer quiz.
Comment 15 Ciaran McCreesh 2005-02-14 14:33:05 UTC
Carlo -- see the repeated flamewars on the gentoo-user list that come up every now and again when people get a ChangeLog entry telling them to access a restricted bug. Not pretty, but they tend to cover all the issues.
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-14 22:04:07 UTC
Upgrading severity. Remote root is apparently possible in certain configurations.
Comment 17 Gustavo Zacarias (RETIRED) gentoo-dev 2005-02-15 17:34:54 UTC
sparc stable.
Comment 18 Markus Rothe (RETIRED) gentoo-dev 2005-02-15 21:26:19 UTC
stable on ppc64
Comment 19 Bryan Østergaard (RETIRED) gentoo-dev 2005-02-16 03:06:53 UTC
Stable on alpha.
Comment 20 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-02-16 10:50:15 UTC
Marked stable on ppc by lu_zero.
Comment 21 Jan Brinkmann (RETIRED) gentoo-dev 2005-02-16 12:13:37 UTC
stable on amd64
Comment 22 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-16 12:50:25 UTC
Thx everyone.

GLSA 200502-23

ia64 and hppa please remember to mark stable.
Comment 23 René Nussbaumer (RETIRED) gentoo-dev 2005-06-26 05:48:39 UTC
Already stable on hppa