Wouter Coekaerts has discovered a vulnerability in Konversation, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused by Konversation not correctly filtering ID3 tags before announcing them. This can be exploited to e.g. send arbitrary commands to a server by tricking a user into playing and announcing a specially crafted MP3 file. The vulnerability is confirmed in version 1.0.1 on a Fedora Core 6 system. Other versions may also be affected.
CC'ing maintainer and setting whiteboard status.
I consulted upstream wrt this issue, attaching patch.

[22:51:35] <Ingmar^> can any konversation dev comment on this? http://bugs.gentoo.org/show_bug.cgi?id=189255 search on bugs.kde.org didn't really turn up anything :)
[00:48:12] <Sho_> Ingmar^: Should be fixed by r602433 (significant commit) and r602435 (removing debug) in the repos
[01:10:26] <Sho_> Ingmar^: r602435 removed debug code accidentally introduced in r602433 by argonel which makes r602433 not build
[01:15:25] <Sho_> Ingmar^: If you put up the patch you've created on a pastebin I can check if it looks ok just in case
[01:15:47] <Ingmar^> Sho_: http://rafb.net/p/e5NrcG80.html
[01:16:20] <Sho_> Ingmar^: looks OK
Created attachment 130049 [details, diff] konversation-media-script-vulnerability.patch
Thanks for providing the patch. Committed with version 1.0.1-r3.
Thanks Ingmar. arches, please test and mark stable net-irc/konversation-1.0.1-r3. target keywords are: "amd64 ppc ppc64 sparc x86 ~x86-fbsd"
--- amd64 ---
net-irc/konversation-1.0.1-r3 - USE: -debug xinerama -elibc_FreeBSD arts -linguas_bg -linguas_ca -linguas_da -linguas_de -linguas_el -linguas_en_GB -linguas_es -linguas_et -linguas_fi -linguas_fr -linguas_hu -linguas_it -linguas_ja -linguas_ka -linguas_ko -linguas_nl -linguas_pt -linguas_ru -linguas_sr -linguas_sr@Latn linguas_sv -linguas_tr -linguas_zh_TW -linguas_ar -linguas_cs -linguas_gl -linguas_he -linguas_lt -linguas_pa -linguas_pt_BR -linguas_ta -linguas_da -linguas_es -linguas_et -linguas_it -linguas_nl -linguas_pt -linguas_ru linguas_sv
1: emerges
2: passes collision-protect, (multilib-)strict, test
3: works (basic ircing tested)

Portage 2.1.2.12 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r4, 2.6.22-gentoo-r3 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r3 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4200+
Gentoo Base System release 1.12.9
Timestamp of tree: Unknown
ccache version 2.4 [enabled]
app-shells/bash: 3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python: 2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache: 2.4-r7
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.24
virtual/os-headers: 2.6.21
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -ggdb -march=athlon64 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/gentoo-release /etc/init.d /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -ggdb -march=athlon64 -pipe"
DISTDIR="/tmp/portage"
FEATURES="ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms splitdebug strict test"
GENTOO_MIRRORS="http://ds.thn.htu.se/linux/gentoo http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ http://mirror.switch.ch/mirror/gentoo/ http://trumpetti.atm.tut.fi/gentoo/"
LANG="en_US.utf-8"
LINGUAS="en sv"
MAKEOPTS="-j3"
PKGDIR="/tmp/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/private"
SYNC="rsync://dx/gentoo-portage"
USE="3dnow 3dnowext X a52 aac acpi aiglx alsa amd64 apache2 arts asf avi bash-completion berkdb bitmap-fonts branding browserplugin cairo ccache cdr cli cpudetection cracklib crypt cscope css cups cvs dbus divx divx4linux dlloader dri dvd dvdr dvdread eds emboss encode esd evo fam ffmpeg firefox flac foomaticdb fortran freetype gdbm geoip gif gimp gmedia gnokii gnome gpm gstreamer gtk hal http iconv ieee1394 imap imlib ipv6 isdnlog java javascript jfs jpeg kde kdeenablefinal kdehiddenvisibility kdepim kerberos logitech-mouse mad madwifi maildir midi mikmod mmx mmx2 mmxext mono mozbranding moznopango mozsvg mp3 mpeg mplayer msn mudflap mysql ncurses nls nptl nptlonly nsplugin ntfs nvidia obex ogg oggvorbis opengl openmp oss pam pcre pdf pdflib perl png pppd python qt qt3 qt3support qt4 quicktime readline realmedia reflection reiserfs samba scanner sdl session spell spl sse sse2 ssl subversion svg symlink tcpd test tetex theora threads tiff truetype truetype-fonts type1-fonts udev unicode usb v4l v4l2 vim-syntax vim-with-x visualization vorbis wifi wmf wmp wxwindows xcomposite xface xfs xine xinerama xml xorg xosd xpm xprint xv xvid zlib"
ALSA_CARDS="emu10k1"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc"
INPUT_DEVICES="mouse keyboard evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en sv"
USERLAND="GNU"
VIDEO_CARDS="nv nvidia"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
amd64 stable
x86 stable
ppc stable
ppc64 stable
SPARCenstein now
All arches done, updating whiteboard.
Hi, it's not really "command execution". It's "IRC command execution". You can trigger an IRC user to send some IRC commands to the IRC server. Very weak security impact in that. I'm dropping this bug from B2 to B4 and I suggest closing it without GLSA.
(In reply to comment #13)
> Hi,
>
> it's not really "command execution". It's "IRC command execution". You can
> trigger an IRC user to send some IRC commands to the IRC server. Very weak
> security impact in that.
>
> I'm dropping this bug from B2 to B4 and I suggest closing it without GLSA.

Right, didn't check that when I filed the request. So voting no too and closing without glsa. Feel free to reopen if you disagree, as usual.
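The injection the report describes, and the "IRC command execution" that comment #13 narrows it to, as an added worked example (this is not Konversation's code and not the attached patch): an announcement is built from a track's ID3 title, and because the IRC protocol frames each command on CR/LF, a title containing a line break ends the announcement and starts a second command in the same stream. The announcement format, the channel name and the crafted title are constructed for illustration; how Konversation's media script actually hands its text to the client is not reproduced here.

```cpp
#include <iostream>
#include <string>
#include <vector>

// CTCP delimiter that wraps /me-style ACTION text (kept out of the literal
// so the hex escape does not swallow the letters that follow it).
static const std::string CTCP(1, '\x01');

// Split an outbound byte stream the way an IRC server does: one command per
// line, terminated by CR and/or LF (most ircds accept a bare LF as well).
std::vector<std::string> serverCommands(const std::string& wire) {
    std::vector<std::string> cmds;
    std::string cur;
    for (char c : wire) {
        if (c == '\r' || c == '\n') {
            if (!cur.empty()) { cmds.push_back(cur); cur.clear(); }
        } else {
            cur += c;
        }
    }
    if (!cur.empty()) cmds.push_back(cur);
    return cmds;
}

// Vulnerable pattern: the tag value is interpolated verbatim, so a CR/LF
// inside it terminates the announcement early and whatever follows is
// parsed by the server as the next command from this user.
std::string announceUnsafe(const std::string& channel, const std::string& title) {
    return "PRIVMSG " + channel + " :" + CTCP + "ACTION is listening to "
         + title + CTCP + "\r\n";
}

// Hardened: collapse line terminators (and NUL, which ends a C string in
// many ircds) to a space before the value is put anywhere near a command
// line, so the whole tag is delivered as inert text inside one PRIVMSG.
std::string sanitizeTag(const std::string& tag) {
    std::string clean;
    for (char c : tag) {
        clean += (c == '\r' || c == '\n' || c == '\0') ? ' ' : c;
    }
    return clean;
}

std::string announceSafe(const std::string& channel, const std::string& title) {
    return announceUnsafe(channel, sanitizeTag(title));
}

// Constructed ID3 title (hypothetical payload a crafted MP3 would carry in
// its title field): a real song name followed by two smuggled commands.
const std::string kCraftedTitle =
    "Song\r\nJOIN #evil\r\nPRIVMSG #evil :greetings from a victim";

int main() {
    for (const auto& cmd : serverCommands(announceUnsafe("#gentoo", kCraftedTitle)))
        std::cout << "unsafe -> " << cmd << '\n';   // three separate commands
    for (const auto& cmd : serverCommands(announceSafe("#gentoo", kCraftedTitle)))
        std::cout << "safe   -> " << cmd << '\n';   // one command
    return 0;
}
```

The sanitizer runs on the tag value itself rather than on the finished line, which is the point of the fix: once the terminators are gone the attacker controls only the text of one message, which is the "very weak security impact" comment #13 describes, and the same filtering protects the client's own input-line command parser if the script's output passes through it.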