
Bug 165606

Summary: kde-base/kdelibs < 3.5.5-r8 XSS (CVE-2007-0537)
Product: Gentoo Security
Reporter: Raphael Marichez (Falco) (RETIRED) <falco>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: kde, keith
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0537
Whiteboard: B4 [glsa] Falco
Package list:
Runtime testing required: ---

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-06 13:00:38 UTC
Hi,

Konq 3.5.5 contains an XSS vulnerability.
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-06 13:01:35 UTC
Although this is minor, arches please mark stable 3.5.6 if possible, thanks.
Comment 2 Gustavo Zacarias (RETIRED) gentoo-dev 2007-02-06 13:05:12 UTC
konqueror is part of kdebase I think, so this means kdebase should go stable as well.
Question is, will kdebase-3.5.6 work without kdelibs-3.5.6?
Is it wise to just stable that part of kde-3.5.6?
Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev 2007-02-06 13:09:57 UTC
Either we stable KDE 3.5.6 altogether or we need to patch konqueror/kdelibs, because Konqueror is just a frontend to khtml/kjs.
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-06 14:32:41 UTC
You're right, stabilizing konq is not as easy as this, I'm sorry I missed that.

So feel free to decide yourself on this issue. Since it's only an XSS, I won't be worried if you decide to wait several weeks before stabilizing it.
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2007-02-06 14:33:56 UTC
I'll wait on Diego's word on it, he knows if 3.5.6 is kind of ready to go or better patch the current one.
Comment 6 Diego Elio Pettenò (RETIRED) gentoo-dev 2007-02-06 14:46:28 UTC
I haven't received anything on kde-packagers yet.
Does security consider this a high priority vulnerability? If that's the case, we might as well give a try, 3.5.6 didn't have regressions as far as I can see, it's just a big burden for arch teams to do this now, especially with the imminent portage snapshot for 2007.0.
Comment 7 Diego Elio Pettenò (RETIRED) gentoo-dev 2007-02-06 15:17:58 UTC
The problem is limited to kdelibs, got a patch out of the SVN, I'm going to commit it as kdelibs-3.5.5-r8.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2007-02-06 16:43:15 UTC
(In reply to comment #7)
> The problem is limited to kdelibs, got a patch out of the SVN, I'm going to
> commit it as kdelibs-3.5.5-r8.
> 

So mark stable 3.5.5-r8, I guess?
Comment 9 Diego Elio Pettenò (RETIRED) gentoo-dev 2007-02-06 16:50:47 UTC
yah
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2007-02-06 19:20:38 UTC
ppc64 stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2007-02-06 21:02:22 UTC
x86 stable!
Comment 12 Diego Elio Pettenò (RETIRED) gentoo-dev 2007-02-07 09:03:28 UTC
*** Bug 165719 has been marked as a duplicate of this bug. ***
Comment 13 Gustavo Zacarias (RETIRED) gentoo-dev 2007-02-07 13:24:07 UTC
sparc stable.
Comment 14 Bo Ørsted Andresen (RETIRED) gentoo-dev 2007-02-07 22:30:22 UTC
[ebuild  N    ] kde-base/kdelibs-3.5.5-r8  USE="alsa cups fam spell ssl -acl -arts -avahi -debug -doc -jpeg2k -kdeenablefinal -kdehiddenvisibility -kerberos -legacyssl -lua -openexr -tiff -utempter -xinerama -zeroconf"

1) emerges
2) passes collision test
3) works
(tested with kde-base/konqueror-3.5.5  USE="kdehiddenvisibility -arts -debug -java -kdeenablefinal -xinerama")

QA Notice: the following files are setXid, dyn linked, and using lazy bindings
 This combination is generally discouraged.  Try re-emerging the package:
 LDFLAGS='-Wl,-z,now' emerge kdelibs
LAZY usr/kde/3.5/bin/start_kdeinit

Portage 2.1.1-r2 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-gentoo-r6 x86_64)
Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2007-02-08 05:59:50 UTC
ppc stable
Comment 16 Chris Gianelloni (RETIRED) gentoo-dev 2007-02-09 03:03:03 UTC
alpha/amd64 done
Comment 17 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-10 22:11:30 UTC
(In reply to comment #7)
> The problem is limited to kdelibs, got a patch out of the SVN, I'm going to
> commit it as kdelibs-3.5.5-r8.
> 

Perfect, thanks. I won't have obliged a stabilization on all KDE-3.5.6 for an XSS only :)))

Comment 18 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-10 22:13:00 UTC
hppa is missing.

please could you test and mark stable kdelibs-3.5.5-r8, thanks
Comment 19 Jeroen Roovers gentoo-dev 2007-02-10 23:46:51 UTC
(In reply to comment #18)
> hppa is missing.
> 
> please could you test and mark stable kdelibs-3.5.5-r8, thanks

Why does this happen so often? Give me some time, OK? :-\
Comment 20 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-11 00:05:11 UTC
(In reply to comment #19)
> Why does this happen so often? Give me some time, OK? :-\
> 

We just forgot to CC you initially

Comment 21 Jeroen Roovers gentoo-dev 2007-02-11 01:25:42 UTC
(In reply to comment #20)
> (In reply to comment #19)
> > Why does this happen so often? Give me some time, OK? :-\
> > 
> 
> We just forgot to CC you initially

Is that an apology or just the answer to an entirely different question? Being four days late to the party is no light matter, I can tell you.

Seeing as I will need to partly rebuild kde-3.5.5, I can start testing tomorrow afternoon and hopefully mark kdelibs early in the evening (CET).
Comment 22 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-11 10:52:05 UTC
(In reply to comment #21)
>
> Is that an apology or just the answer to an entirely different question? 

Both

> Being
> four days late to the party is no light matter, I can tell you.

you are not late at all, since you were CCed a few hours ago... stay calm...


> 
> Seeing as I will need to partly rebuild kde-3.5.5, I can start testing tomorrow
> afternoon and hopefully mark kdelibs early in the evening (CET).
> 

np
Comment 23 Jeroen Roovers gentoo-dev 2007-02-12 13:03:47 UTC
> (In reply to comment #21)
> >
> > Is that an apology or just the answer to an entirely different question? 
> 
> Both

Thank you, Raphael.


...Stable for HPPA.
Comment 24 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-12 13:11:31 UTC
Thanks a lot and again, sorry for us having missed you.

Do we send a GLSA? I vote a half-yes. It's an XSS "only", but it affects all KDE-based apps on all websites.
Comment 25 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-12 22:33:15 UTC
I'm actually the only active member of the security team, so I can't apply the policy telling that 2 positive votes include a GLSA.

Let's have one half-GLSA btw :)
Comment 26 Bryan Østergaard (RETIRED) gentoo-dev 2007-02-14 22:12:04 UTC
IA64 done.
Comment 27 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-11 00:52:28 UTC
finally GLSA 200703-10, sorry for the delay (but low severity)