KDE Security Advisory: Kaffeine buffer overflow
Original Release Date: 2006-03-XX
URL: http://www.kde.org/info/security/advisory-200603XX-1.txt

0. References
CAN-2006-XXXX

1. Systems affected:
Kaffeine up to and including Kaffeine 0.7.1

2. Overview:
Kaffeine contains an unchecked buffer while creating HTTP request headers for fetching remote RAM playlists, which allows overflowing a heap-allocated buffer and executing arbitrary code.

3. Impact:
Remotely supplied RAM playlists can be used to execute arbitrary code on the client machine.

4. Solution:
Source code patches have been made available which fix these vulnerabilities. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages.

5. Patch:
Patch for Kaffeine 0.7.x is available from ftp://ftp.kde.org/pub/kde/security_patches :
03e74434799159a41d735118916b2dd6 kaffeine-input-http.patch

6. Credits:
We'd like to thank Marcus Meissner for discovering and reporting the issue.
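The bug class the advisory's overview describes, as an added C illustration that is not Kaffeine's code or the KDE patch: a fixed-size heap buffer is filled with an HTTP request assembled from URL parts taken out of the playlist, so a playlist URL longer than the buffer writes past the allocation. The buffer size, header layout, host name and all function names here are constructed for the example; the real plugin's values are not on the page.

```c
/* Added example, not Kaffeine's code: unchecked vs. bounded construction
 * of an HTTP request for a remote RAM playlist.  All sizes and names are
 * constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REQ_BUF_SIZE 1024   /* constructed; the real plugin's size is unknown */

/* Request layout used by both builders (constructed). */
#define REQ_FMT "GET %s HTTP/1.0\r\nHost: %s\r\nUser-Agent: ram-fetch\r\n\r\n"

/* The unchecked pattern: the heap buffer is sized before the lengths of
 * host and path are known, and sprintf writes as much as the format
 * produces.  A path longer than the buffer overruns the allocation.
 * Kept only for contrast with the bounded version; never called below. */
char *build_ram_request_unchecked(const char *host, const char *path)
{
    char *req = malloc(REQ_BUF_SIZE);
    if (!req) return NULL;
    sprintf(req, REQ_FMT, path, host);   /* no bound on the write */
    return req;
}

/* Bounded version: snprintf never writes beyond REQ_BUF_SIZE and returns
 * the length the full request would have needed.  A request that does not
 * fit is rejected outright rather than sent truncated, since a cut-off
 * request line is itself malformed. */
char *build_ram_request_checked(const char *host, const char *path)
{
    char *req = malloc(REQ_BUF_SIZE);
    if (!req) return NULL;
    int n = snprintf(req, REQ_BUF_SIZE, REQ_FMT, path, host);
    if (n < 0 || (size_t)n >= REQ_BUF_SIZE) {
        free(req);
        return NULL;                     /* URL too long for the buffer */
    }
    return req;
}

/* Returns 1 if the bounded builder produces exactly `expected`, else 0. */
int checked_request_equals(const char *host, const char *path,
                           const char *expected)
{
    char *r = build_ram_request_checked(host, path);
    if (!r) return 0;
    int same = strcmp(r, expected) == 0;
    free(r);
    return same;
}

/* Returns 1 if a path of `path_len` bytes ('A's) is accepted by the
 * bounded builder for a fixed constructed host, 0 if it is rejected.
 * With the layout above the request is path_len + 63 bytes long. */
int request_fits_path_len(size_t path_len)
{
    char *path = malloc(path_len + 1);
    if (!path) return 0;
    memset(path, 'A', path_len);
    path[path_len] = '\0';
    char *r = build_ram_request_checked("example.invalid", path);
    free(path);
    if (!r) return 0;
    free(r);
    return 1;
}

int main(void)
{
    char *ok = build_ram_request_checked("example.invalid", "/playlist.ram");
    printf("%s", ok ? ok : "(rejected)\n");
    free(ok);
    printf("2000-byte path: %s\n",
           request_fits_path_len(2000) ? "accepted" : "rejected");
    return 0;
}
```

The fix pattern is the one any bounded-write review looks for: size the destination, pass that size to the formatting call, and treat the "would have needed more" return value as an error instead of assuming the write fit.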
Created attachment 82941 [details, diff] kaffeine-input-http.patch
CC'ing flameeyes and carlo. Please don't commit anything to Portage yet, instead attach any updated ebuilds to this bug and we'll call arch security liaisons to test.
Created attachment 83042 [details] kaffeine-0.7.1-r1.ebuild Take it as -r1 or name it as -r2, this is the ebuild.
Created attachment 83043 [details, diff] kaffeine-0.7.1-input-http.patch This patch is needed because the other doesn't apply cleanly on source tarball.
Arch Security Liaisons please test and report back on this bug. Do NOT put anything in Portage at this point.
amd64 -> blubb
ppc -> dertobi123
ppc64 -> corsair
x86 -> halcy0n
FWIW, ~arch is fixed as I've just added version 0.8 that does not seem to use that code anymore.
0.8 works fine on my ppc64 machine. should we go ahead and mark stable? (as it is already in ~arch)
No, 0.8 has too many new features yet to be tested, starting from that ripping interface I don't trust at all. I'd rather add a 0.7.1-r2 if required.
It's 20060403 (UTC) now, what's the status of this?
Sorry about the delay. The 0.7.1 version looks fine for x86.
No announcement yet on the main KDE site. Arch Security Liaisons please test and report back.
blubb gave me the ok for amd64 as long as it worked there. ppc and ppc64?
public now
If anything else is needed from x86, please contact tsunam. I'll be gone until Friday.
stable on ppc64
ppc stable, sorry for the delay
GLSA drafted, Security please review.
Thx everyone. GLSA 200604-04
*** Bug 129390 has been marked as a duplicate of this bug. ***