KDE Security Advisory: plain text password disclosure
Original Release Date: 2004-12-08
URL: http://www.kde.org/info/security/advisory-20041208-1.txt

0. References

http://www.sec-consult.com/index.php?id=118

1. Systems affected:

All KDE 3.2.x releases, KDE 3.3.0, KDE 3.3.1 and KDE 3.3.2.

2. Overview:

Daniel Fabian notified the KDE security team about a possible privacy issue in KDE. When creating a link to a remote file from various applications, including Konqueror, the URL may contain the authentication credentials used to access the remote location. This includes, but is not limited to, browsing SMB ("Samba") shares.

The link reference file, a file with the extension ".desktop", is a plain text config file that is created with default permissions; depending on the user's umask this can include world read permission.

The KDE team provides patches which unconditionally remove the password from the authentication credentials before creating the link. The KDE security team recommends storing the password in KWallet instead, which provides a convenient way to store passwords securely.

3. Impact:

Passwords used to access remote resources can be viewed by other local users.

4. Solution:

Source code patches have been made available which fix these vulnerabilities. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages.

5. Patch:

Patches for KDE 3.3.1 are available from ftp://ftp.kde.org/pub/kde/security_patches :

501852d12f82aebe7eb73ec5d96c9e6d  post-3.3.1-kdebase-smb.diff
5b9c1738f2de3f00533e376eb64c7137  post-3.3.1-kdelibs-khtml.diff
f287c900c637af2452c7a554f2df166f  post-3.3.1-kdelibs-kio.diff

Patch for KDE 3.3.2 is available from ftp://ftp.kde.org/pub/kde/security_patches :

d3658e90acec6ff140463ed2fd0e7736  post-3.3.2-kdelibs-kio.diff

Patches for KDE 3.2.3 are available from ftp://ftp.kde.org/pub/kde/security_patches :

d080d9acf4d2abc5f91ccec8fc463568  post-3.2.3-kdebase-smb.diff
d79d1717b4bc0b3891bacaaf37deade0  post-3.2.3-kdelibs-khtml.diff
94e76ec98cd58ce27cad8f886d241986  post-3.2.3-kdelibs-kio.diff
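The two defences the overview describes, stripping the password from the URL before the ".desktop" link is written and not relying on the umask for the file's permissions, as an added Python example that is not KDE's code; it also scans a directory for link files that still embed a password or are readable by other users. The file names, URL and credentials in it are constructed sample data.

```python
import os
import re
import stat
import tempfile
from urllib.parse import urlsplit, urlunsplit

# URL= line of a [Desktop Entry] link file (the URL[$e]= variant also occurs)
_URL_LINE = re.compile(r"^URL(\[\$e\])?=(.*)$", re.MULTILINE)

def strip_password(url: str) -> str:
    """Drop the password from the URL's userinfo part; keep the user name."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    hostport = parts.netloc.rpartition("@")[2]  # host[:port], brackets preserved
    netloc = f"{parts.username}@{hostport}" if parts.username else hostport
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

def write_link_desktop(path: str, url: str) -> str:
    """Write a Type=Link .desktop file with mode 0600, independent of the umask."""
    clean = strip_password(url)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"[Desktop Entry]\nType=Link\nName={os.path.basename(path)}\nURL={clean}\n")
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # also tighten a pre-existing file
    return clean

def find_leaky_links(directory: str) -> list:
    """(file, reason) pairs for .desktop files that embed a password or are readable by others."""
    findings = []
    for entry in os.scandir(directory):
        if not entry.name.endswith(".desktop"):
            continue
        with open(entry.path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        if any(urlsplit(m.group(2).strip()).password is not None
               for m in _URL_LINE.finditer(text)):
            findings.append((entry.name, "password in URL"))
        if entry.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((entry.name, "readable by group/other"))
    return findings

def demo() -> tuple:
    # Constructed sample: one link written safely, one old file left leaky on purpose
    d = tempfile.mkdtemp()
    clean = write_link_desktop(os.path.join(d, "share.desktop"), "smb://alice:s3cret@fileserver/share")
    with open(os.path.join(d, "old.desktop"), "w") as fh:
        fh.write("[Desktop Entry]\nType=Link\nURL=smb://alice:s3cret@fileserver/share\n")
    os.chmod(fh.name, 0o644)
    return clean, sorted(find_leaky_links(d))
```

Running find_leaky_links over ~/Desktop or another directory holding link files is a quick way to check an unpatched system for links that were created before the fix.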