Please stabilize - kde-base/kget-4.3.3-r1 (hppa) Please stabilize - kde-base/kget-4.3.5-r1 (all archs except hppa) (also fixed in kde-base/kget-4.4.3-r1 - remains ~arch) KDE Security Advisory: KGet Directory Traversal and Insecure File Operation Vulnerabilities Original Release Date: 2010-05-13 URL: http://www.kde.org/info/security/advisory-20100513-1.txt 0. References: CVE-2010-1000 CVE-2010-1511 SA39528 1. Systems affected: KGet as shipped with KDE SC 4.0.0 up to including KDE SC 4.4.3. Earlier versions of KDE SC may also be affected. 2. Overview: 1) The "name" attribute of the "file" element of metalink files is not properly sanitized before being used to download files. If a user is tricked into downloading from a specially-crafted metalink file, this can be exploited to download files to directories outside of the intended download directory via directory traversal attacks. (CVE-2010-1000) 2) In some versions of KGet (2.4.2) a dialog box is displayed allowing the user to choose the file to download out of the options offered by the metalink file. However, KGet will simply go ahead and start the download after some time - even without prior acknowledgment of the user, and overwriting already-existing files of the same name. (CVE-2010-1511) The vulnerabilities were reported by and the above text provided by Stefan Cornelius of Secunia Research. 3. Impact: 1) Files may be created or overwritten in directories outside of a user's intended download directory. 2) Files may be created or overwritten in a user's intended download directory without acknowledgement of the user. 4. Solution: Source code patches have been made available which fix these vulnerabilities. At the time of this writing most OS vendor / binary package providers should have updated binary packages. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages. 5. Patch: Patches have been committed to the KDE Subversion repository in the following revision numbers: 4.3 branch: r1126227 4.4 branch: r1124974 Trunk: r1124976 Patches for KDE SC 4.3 and KDE SC 4.4 may be obtained directory from the Subversion repository (no checkout needed) with the following command and reference SHA1 sums: 4.3 branch: dc1b2af664fb4c74c018e9c6b02859b5c42ecd65 svn diff -r 1126226:1126227 \ svn://anonsvn.kde.org/home/kde/branches/KDE/4.3/kdenetwork 4.4 branch: 3ed1b2333ba324e1fc6c1994cef1715eb0b6f457 svn diff -r 1124973:1124974 \ svn://anonsvn.kde.org/home/kde/branches/KDE/4.4/kdenetwork
Rating; adapting whiteboard, summary and severity.
amd64/x86 stable
alpha/ia64/sparc don't have kde stable yet
CVE-2010-1000 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1000): Directory traversal vulnerability in KGet in KDE SC 4.0.0 through 4.4.3 allows remote attackers to create arbitrary files via directory traversal sequences in the name attribute of a file element in a metalink file.
CVE-2010-1511 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1511): KGet 2.4.2 in KDE SC 4.0.0 through 4.4.3 does not properly request download confirmation from the user, which makes it easier for remote attackers to overwrite arbitrary files via a crafted metalink file.
neither does ppc64
Marked ppc stable, removing ppc64 since it doesn't have a stable kde4.
Is fixed in 4.4.4
ready for glsa
GLSA Vote: yes.
Vote: YES, glsa request filed.
removing KDE, CC us back if you need anything
<kget-4.3.5 long gone from tree..
This issue was resolved and addressed in GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml by GLSA coordinator Sean Amoss (ackle).
