Opening a new bug as this is still confidential (public bug #72750). This is a draft, the text of the advisory is still subject to change. Fixes can already be found in the KDE_3_2_BRANCH, KDE_3_3_BRANCH and HEAD branch of KDE CVS.

KDE Security Advisory: Konqueror Java Vulnerability
Original Release Date: 2004-12-20
URL: http://www.kde.org/info/security/advisory-20041220-1.txt

0. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1145
http://www.heise.de/security/dienste/browsercheck/tests/java.shtml

1. Systems affected:

All versions of KDE up to KDE 3.3.1 inclusive. KDE 3.3.2 is not affected.

2. Overview:

The Konqueror web browser makes it possible to bypass the sandbox environment which is used to run Java-applets in. An untrusted applet can escalate privileges, through JavaScript calling into Java code, including reading and writing files with the privileges of the user running the applet.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1145 to this issue.

3. Impact:

When a user has Java and JavaScript enabled in Konqueror and visits a malicious website, the website can run a Java-applet with escalated privileges that can read and write files with the privileges of the user.

4. Solution:

Upgrade to KDE 3.3.2

A backport has been made available for older versions which fixes this vulnerability. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages.

5. Patch:

For KDE 3.2.3 a backport of the new Java handling is available from ftp://ftp.kde.org/pub/kde/security_patches :

7fc001d010c640738ed7d2fe347f002d  post-3.2.3-kdelibs-khtml-java.tar.bz2

6. Time line and credits:

24/11/2004 security@kde.org contacted by Heise
29/11/2004 Fixed in KDE CVS by Koos Vriezen
14/12/2004 Backport for KDE 3.2.3
20/12/2004 KDE Advisory released
Caleb, please be ready to bump again.
I've got the patches and will be bumping just as soon as I get an opportunity to do so.
Closing; the issue is now public and handled on the public bug #72750.