from the advisory draft: 20/04/2005 Coordinated Public Disclosure
1. Systems affected: Quanta 3.1.x, KDE 3.2 and newer up to and including KDE 3.4.0.
2. Overview: Kommander is a visual editor and interpreter to edit and interpret visual dialogs and execute scripts attached to dialog actions. Kommander executes without user confirmation data files from possibly untrusted locations. As they contain scripts, the user might accidentally run arbitrary code.
3. Impact: Remotely supplied Kommander files from untrusted sources are executed without confirmation.
4. Solution: Source code patches have been made available which fix these vulnerabilities. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages.
<<< kdewebdev-3.3.2-r1 Arch herds, please mark stable. Thanks! :)
Arches can't access restricted bugs -> uncc'ing arches and cc'ing individual devs. (We'll handle it publicly later today if we see any advisories.) Please test and mark kdewebdev-3.3.2-r1 stable. alpha: kloeri amd64: absinthe ppc: pylon ppc64: corsair sparc: weeve x86: tester mips: hardave hppa: gmsoft ia64: ? If you are not able to mark stable please cc another dev for your arch.
x86 is already stable.. (you're lucky since I don't have kde ;)
stable on ppc64
Stable on SPARC.
Sune: Sorry, I thought we can immediately open when the disclosure date is met. Would it be possible to establish an always up to date arch/security contact list I can grab with a script? cc'd cryos for amd64 since he has time, agriffis for ia64 (and alpha maybe)
Stable on amd64.
Stable on alpha + ia64.
This is public now -> opening.
Ehh sorry, now it is open. Sorry for the spam.
The GLEP should probably mention the split-out kommander as well as the monolithic one.
s/GLEP/GLSA ;-) but sounds correct, kde-base/kommander was also fixed with 3.4.0-r1 It has been ~arch masked though.
The KDE split ebuilds are not stable yet and therefore not mentioned. Until we have a better staffing situation we do not issue GLSAs about unstable packages. See Non-stable packages in the first chapter of the Vulnerability Policy: http://www.gentoo.org/security/en/vulnerability-policy.xml
GLSA 200504-23 mips, hppa remember to mark stable to benefit from GLSA.
There's a bug in the original patch, causing a trailing / to be stripped, so e.g. not only /tmp/foo, but /tmpfoo would cause a temp directory warning as well. This is a minor issue, but it would be nice, if you would mark <<< kdewebdev-3.3.2-r2.ebuild stable as well. The kde.org guys plan to update their advisory. Don't know, if we do in such a case. Thanks.
Thx Carlo. Arches please test and mark stable. We'll update our GLSA but not issue an update as the security issue is fixed already.
stable on amd64
Got SPARC?
Stable on ppc.
Um, my 2 o'clock in the mornin' brain just doesn't work. :( The url to test got stripped, so the test wouldn't succeed, leaving the door wide open - as far as anyone is using kommander scripts. An updated kde.org advisory regarding this bug and Bug 88862 follows later today.
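The two comments above describe the bug class in the first patch: the temp-directory check was a string-prefix comparison, and stripping the trailing "/" from the directory before comparing makes "/tmpfoo" match "/tmp" (a false positive), while mangling the URL under test before the comparison means the check never fires at all (a false negative, the door left open). The following is an added example, not Kommander's code and not the kde.org patch (neither appears on this page); it contrasts a naive prefix check with one that respects directory boundaries and normalises the path first. The helper names, the "/var/tmp" entry in the untrusted list and the sample paths are all assumptions made for illustration.

```cpp
#include <cassert>
#include <iostream>
#include <string>
#include <vector>

// Lexically normalise an absolute POSIX path: collapse "//", drop ".",
// resolve ".." and remove any trailing slash. No filesystem access, so
// symlinks are NOT resolved; a real check should also realpath() the file.
// Assumption: inputs are absolute paths (relative input is treated as rooted).
std::string lexicalNormalize(const std::string& path) {
    std::vector<std::string> parts;
    std::string cur;
    auto flush = [&]() {
        if (cur.empty() || cur == ".") {
            // nothing to add
        } else if (cur == "..") {
            if (!parts.empty()) parts.pop_back();
        } else {
            parts.push_back(cur);
        }
        cur.clear();
    };
    for (char c : path) {
        if (c == '/') flush(); else cur += c;
    }
    flush();
    std::string out;
    for (const auto& p : parts) out += "/" + p;
    return out.empty() ? "/" : out;
}

// The broken shape described in the thread (hypothetical reconstruction):
// strip the trailing "/" from the directory, then do a raw prefix compare.
// "/tmpfoo" now matches "/tmp" because nothing requires a separator after it.
bool buggyIsUnderDir(const std::string& path, std::string dir) {
    if (dir.size() > 1 && dir.back() == '/') dir.pop_back();
    return path.compare(0, dir.size(), dir) == 0;
}

// Correct check: normalise both sides, then require either equality or the
// directory followed by a path separator, so only real children match.
bool isUnderDir(const std::string& path, const std::string& dir) {
    const std::string p = lexicalNormalize(path);
    const std::string d = lexicalNormalize(dir);
    if (d == "/") return true;          // everything lives under the root
    if (p == d) return true;
    return p.size() > d.size()
        && p.compare(0, d.size(), d) == 0
        && p[d.size()] == '/';
}

// Decide whether a dialog file needs a user confirmation before its scripts
// run: true when it sits under any untrusted directory. The list is an
// assumption for the example; the thread only mentions the temp directory.
bool needsConfirmation(const std::string& file,
                       const std::vector<std::string>& untrusted = {"/tmp", "/var/tmp"}) {
    for (const auto& d : untrusted) {
        if (isUnderDir(file, d)) return true;
    }
    return false;
}

int main() {
    // Constructed sample inputs, not real files.
    const std::vector<std::string> samples = {
        "/tmp/evil.kmdr",
        "/tmpfoo/app.kmdr",
        "/home/user/tmp/../../../tmp/x.kmdr",
        "/home/user/dialogs/ok.kmdr",
    };
    for (const auto& s : samples) {
        std::cout << s << " buggy=" << buggyIsUnderDir(s, "/tmp/")
                  << " correct=" << needsConfirmation(s) << '\n';
    }
    return 0;
}
```

The false negative from the second comment has the same root cause seen from the other side: whatever string reaches the comparison must be the canonical absolute path of the file that will actually be executed, which is why the correct version normalises the input itself instead of trusting a caller to have stripped or kept the right characters.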
Stable on hppa.
Carlo is this ready to be closed again now?
Up to you Sune. No GLSA update in order?
Time for a GLSA update...
As far as I understand the latest patch, it's just an extra/wrong warning. So no security issue. So I'll close it without a GLSA update.
I was wrong it apparently is an issue, reopening for GLSA update. http://www.kde.org/info/security/advisory-20050504-1.txt The Kommander patch was incorrect and still allowed execution of files served from /tmp.
GLSA UPDATE sent.
Then we close it.
Stable on mips.