
Bug 504994 (CVE-2014-2527)

Summary: <kde-misc/kdirstat-2.7.5 : insufficient quote escaping leading to arbitrary command execution (CVE-2014-{2527,2528})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2014/03/17/2
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-03-18 16:52:59 UTC
From ${URL} :

Adrian Panasiuk discovered that the KDirStat (KDE Directory Statistics) 
tool did not correctly escape quotes when deleting a directory 
permanently. Attempting to use KDirStat to permanently delete a 
directory that has a malicious name could result in arbitrary command 
execution.

Original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741659

The Debian report is about single quotes. On Fedora 
(https://bugzilla.redhat.com/show_bug.cgi?id=1077059) double quotes were 
needed.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Johannes Huber gentoo-dev 2014-03-18 17:10:10 UTC
Version bumped. Go ahead with stabilization.

+*kdirstat-2.7.5 (18 Mar 2014)
+
+  18 Mar 2014; Johannes Huber <johu@gentoo.org> +kdirstat-2.7.5.ebuild:
+  Version bump wrt bug #504994.
+
Comment 2 Agostino Sarubbo gentoo-dev 2014-03-18 19:57:16 UTC
Arches, please test and mark stable:
=kde-misc/kdirstat-2.7.5
Target keywords : "amd64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2014-03-19 13:39:42 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-03-19 13:39:56 UTC
x86 stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 5 Michael Palimaka (kensington) gentoo-dev 2014-03-19 13:44:06 UTC
+  19 Mar 2014; Michael Palimaka <kensington@gentoo.org> -kdirstat-2.7.3.ebuild:
+  Remove old version vulnerable to CVE-2014-2527 wrt bug #504994.
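Review bot: the removal message on the second line cites only CVE-2014-2527, while this bug tracks CVE-2014-{2527,2528} against everything below 2.7.5. Consider naming both CVEs, or only the bug number, so that a later ChangeLog search for CVE-2014-2528 also finds the removal of kdirstat-2.7.3.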
Comment 6 Johannes Huber gentoo-dev 2014-03-19 16:20:47 UTC
Thanks all. Removing kde from cc as there is nothing for us to do anymore.
Comment 7 Sergey Popov gentoo-dev Security 2014-03-21 08:43:08 UTC
GLSA request filed
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-06-15 17:14:52 UTC
This issue was resolved and addressed in
 GLSA 201406-15 at http://security.gentoo.org/glsa/glsa-201406-15.xml
by GLSA coordinator Mikle Kolyada (Zlogene).
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-10-13 20:36:00 UTC
CVE-2014-2528 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2528):
  kcleanup.cpp in KDirStat 2.7.3 does not properly quote strings when deleting
  a directory, which allows remote attackers to execute arbitrary commands via
  a ' (single quote) character in the directory name, a different
  vulnerability than CVE-2014-2527.

CVE-2014-2527 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2527):
  kcleanup.cpp in KDirStat 2.7.0 does not properly quote strings when deleting
  a directory, which allows remote attackers to execute arbitrary commands via
  a " (double quote) character in the directory name, a different
  vulnerability than CVE-2014-2528.
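
The failure mode described in this report, as an added example (not KDirStat's code, which this page does not show): wrapping a name in a quote character without escaping that same character lets the shell read part of the name as syntax. The functions `wrapNaive`, `shellQuote` and `shellSees` and the directory names are made up for illustration, and a POSIX `/bin/sh` is assumed.

```cpp
#include <cstdio>
#include <string>

// Vulnerable pattern (illustrative): wrap the name in a quote character
// without escaping that same character inside the name.
std::string wrapNaive(const std::string &name, char quote) {
    return std::string(1, quote) + name + std::string(1, quote);
}

// Hardened form: single-quote the name and rewrite each embedded ' as '\''
// (close the quote, emit an escaped literal quote, reopen the quote).
std::string shellQuote(const std::string &name) {
    std::string out = "'";
    for (char c : name) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    return out + "'";
}

// Ask /bin/sh how it parses `word`; returns "<argc>:<argv1>" as the shell saw it.
std::string shellSees(const std::string &word) {
    std::string cmd = "set -- " + word + "; printf '%s:%s' \"$#\" \"$1\"";
    std::string seen;
    FILE *p = popen(cmd.c_str(), "r");
    if (!p) return "popen failed";
    char buf[256];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, p)) > 0) seen.append(buf, n);
    pclose(p);
    return seen;
}

int main() {
    // Constructed directory names: they contain quotes but no commands.
    const std::string names[] = {"O'Brien's dir", "say \"hi\" there"};
    for (const std::string &n : names) {
        std::printf("name       : %s\n", n.c_str());
        std::printf("naive ''   : %s\n", shellSees(wrapNaive(n, '\'')).c_str());
        std::printf("naive \"\"   : %s\n", shellSees(wrapNaive(n, '"')).c_str());
        std::printf("shellQuote : %s\n\n", shellSees(shellQuote(n)).c_str());
    }
    return 0;
}
```

Each naive wrapper round-trips the name that lacks its own quote character and mangles the other one, which is why the single-quote and double-quote cases are tracked separately here. Passing the path as its own argv element to an exec-style call avoids shell parsing entirely.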