Bug 722152 (CVE-2020-12755) - <kde-apps/kio-extras-19.12.3-r1: Possible password disclosure by unconditionally saving locally (CVE-2020-12755)
Summary: <kde-apps/kio-extras-19.12.3-r1: Possible password disclosure by unconditiona...
Status: RESOLVED FIXED
Alias: CVE-2020-12755
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://mail.kde.org/pipermail/kde-an...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-10 14:44 UTC by Sam James
Modified: 2020-06-18 03:07 UTC (History)

See Also:
Package list:
kde-apps/kio-extras-19.12.3-r1
Runtime testing required: ---
nattka: sanity-check-


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-10 14:44:01 UTC
Description:
"fishProtocol::establishConnection in fish/fish.cpp in KDE kio-extras through 20.04.0 makes a cacheAuthentication call even if the user had not set the keepPassword option. This may lead to unintended KWallet storage of a password."

Patch: https://cgit.kde.org/kio-extras.git/commit/?id=d813cef3cecdec9af1532a40d677a203ff979145

Advisory: https://mail.kde.org/pipermail/kde-announce/2020-May/000098.html

----
Quotes from advisory:
"This is considered a security issue by users who do not trust KWallet (e.g. because
passwords can be read in KWalletManager, given physical access).

Solution
========
- Update to kio-extras >= 20.04.1
- or apply the following patch:
https://commits.kde.org/kio-extras/d813cef3cecdec9af1532a40d677a203ff979145"
Comment 1 Larry the Git Cow gentoo-dev 2020-05-10 15:59:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d68e0a691d63ed87eed3e1fc1e0972a29c69e7f1

commit d68e0a691d63ed87eed3e1fc1e0972a29c69e7f1
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-05-10 15:17:37 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-05-10 15:59:24 +0000

    kde-apps/kio-extras: Fix CVE-2020-12755
    
    Bug: https://bugs.gentoo.org/722152
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../files/kio-extras-19.12.3-CVE-2020-12755.patch  | 26 ++++++
 kde-apps/kio-extras/kio-extras-19.12.3-r1.ebuild   | 89 ++++++++++++++++++++
 kde-apps/kio-extras/kio-extras-20.04.0-r1.ebuild   | 97 ++++++++++++++++++++++
 3 files changed, 212 insertions(+)
Comment 2 Agostino Sarubbo gentoo-dev 2020-05-11 11:30:10 UTC
amd64 stable
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-11 13:25:46 UTC
arm64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-05-12 06:41:13 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Larry the Git Cow gentoo-dev 2020-05-13 00:45:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dc3735aefa00d489bbc2a4f4fd7eda0ccbe35a06

commit dc3735aefa00d489bbc2a4f4fd7eda0ccbe35a06
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-05-13 00:43:44 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-05-13 00:43:44 +0000

    kde-apps/kio-extras: Cleanup vulnerable 19.12.3 (r0)
    
    Bug: https://bugs.gentoo.org/722152
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-apps/kio-extras/kio-extras-19.12.3.ebuild | 86 ---------------------------
 1 file changed, 86 deletions(-)
Comment 6 Andreas Sturmlechner gentoo-dev 2020-05-14 17:38:51 UTC
kde proj is done here, anyway.
Comment 7 NATTkA bot gentoo-dev 2020-05-30 11:25:02 UTC
Unable to check for sanity:

> no match for package: kde-apps/kio-extras-19.12.3-r1