Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 469140 (CVE-2013-2074)

Summary: <kde-base/kdelibs-4.10.2-r1: may display passwords in HTML error messages, security hotfix (CVE-2013-2074)
Product: Gentoo Security Reporter: Andreas K. Hüttel <dilfridge>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: till2.schaefer
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Andreas K. Hüttel archtester gentoo-dev 2013-05-09 07:32:22 UTC 
Please stabilize kde-base/kdelibs-4.10.2-r1 on amd64, ppc, ppc64, x86
No arches cc'ed, sec team please take care of that

From the closed kde-packagers ml (which is why this is initially restricted dev-only, can imho be removed in a few days):

----

Packagers,

You might consider hot-patching your kdelibs with this.
The code that conceivably might display a user password has been in kdelibs since 2009-07-08
Probably means whatever kdelibs 4.x you are shipping needs this fix.


----------  Forwarded Message  ----------

Subject: [kdelibs/KDE/4.10] kioslave/http: Don't show passwords contained in HTTP URLs in error messages
Date: Wednesday, May 08, 2013, 11:38:51 PM
From: Grégory Oestreicher <greg@kamago.net>
To: kde-commits@kde.org

Git commit 65d736dab592bced4410ccfa4699de89f78c96ca by Grégory Oestreicher.
Committed on 08/05/2013 at 23:16.
Pushed by goestreicher into branch 'KDE/4.10'.

Don't show passwords contained in HTTP URLs in error messages
BUG: 319428
Comment 1 Agostino Sarubbo gentoo-dev 2013-05-09 10:50:55 UTC 
amd64/x86/ppc/ppc64 stable.

Old removed.

@security please vote
Comment 2 Agostino Sarubbo gentoo-dev 2013-05-11 09:52:10 UTC 
This is public.
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2013-05-11 11:17:18 UTC 
@security: please make the bug public.
Comment 4 Sergey Popov (RETIRED) gentoo-dev 2013-08-23 10:33:14 UTC 
GLSA vote: yes
Comment 5 Till Schäfer 2013-12-05 12:13:22 UTC 
should this bug be closed? <kde-base/kdelibs-4.10.2-r1 is not in tree anymore.
Comment 6 Andreas K. Hüttel archtester gentoo-dev 2013-12-05 13:10:25 UTC 
(In reply to Till Schäfer from comment #5)
> should this bug be closed? <kde-base/kdelibs-4.10.2-r1 is not in tree
> anymore.

It'll eventually be closed when the GLSA is sent out.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-02-06 17:39:41 UTC 
CVE-2013-2074 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2074):
  kioslave/http/http.cpp in KIO in kdelibs 4.10.3 and earlier allows attackers
  to discover credentials via a crafted request that triggers an "internal
  server error," which includes the username and password in an error message.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2014-06-19 02:42:58 UTC 
GLSA Vote: Yes
Created a New GLSA request.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-06-29 20:50:02 UTC 
This issue was resolved and addressed in
 GLSA 201406-34 at http://security.gentoo.org/glsa/glsa-201406-34.xml
by GLSA coordinator Mikle Kolyada (Zlogene).