not sure about the details but at least there's a commit... https://svn.kvirc.de/kvirc/changeset/630
heh, i know the details:

Affected product: KVIrc
Affected version: tested with latest stable version (3.2.0) and a snapshot (3.2.5). Other versions may also be affected.
CVE: CVE-2007-2951
SAID: SA25740 (http://secunia.com/advisories/25740/)
Credit: Stefan Cornelius, Secunia Research
Upstream contacted: CCed to this email.
Disclosure date: Preliminary date set to Wed 27th June, 2007

-- Background --
"KVIrc is a free portable IRC client based on the excellent Qt GUI toolkit. KVIrc is being written by Szymon Stefanek and the KVIrc Development Team with the contribution of many IRC addicted developers around the world."

-- Details --
KVIrc does not properly handle irc:// (and similar URIs like irc6://) URIs passed via the command line, which can be exploited to inject and execute commands by e.g. tricking a user into opening a specially crafted irc:// URI. Successful exploitation requires that KVIrc is registered as the default handler for irc:// or similar URIs.

Example:
<HTML>
<A HREF="irc://aa:11/lol,${run mkdir /tmp/secunia;};">irc</A>
</HTML>

Note: This may be dependent upon the browser used. During tests Galeon launched KVIrc without asking for confirmation; on the other hand Konqueror and newer Firefox versions asked the user for confirmation prior to launching KVIrc, which mitigates the vulnerability.

The vulnerability is caused due to the "parseIrcUrl()" function in src/kvirc/kernel/kvi_ircurl.cpp not properly sanitising parts of the URI when building the command for KVIrc's internal script system. This can be exploited to inject and execute commands for the KVIrc script system (including the "run" command, which can be leveraged to execute shell commands).

Credits should be given to: Stefan Cornelius, Secunia Research.
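As an added illustration (not KVIrc's code and not the upstream fix in changeset 630), this is the kind of strict irc:// URI parsing that closes the class of bug the advisory describes: host, port and channel are each validated against a whitelist before anything is handed to the script engine, so the advisory's PoC URI is rejected instead of being turned into a command. The `irc://host[:port]/[#channel]` grammar and the `server host port #channel` command shape are assumptions made for the example; KVIrc's real parser and command syntax differ.

```cpp
// Added example, not KVIrc code. Assumed grammar: irc://host[:port]/[#channel]
// (irc6:// accepted as well). Anything outside the whitelist is refused; the
// command string is built only from validated parts, never from raw URI text.
#include <cctype>
#include <optional>
#include <string>

struct IrcUrl {
    std::string scheme;   // "irc" or "irc6"
    std::string host;
    int port = 6667;      // default IRC port when the URI gives none
    std::string channel;  // without leading '#'; empty means "no channel"
};

// Hostname whitelist: letters, digits, '-' and '.'. Bracketed IPv6 literals
// are deliberately out of scope for this illustration.
static bool validHost(const std::string& h) {
    if (h.empty() || h.size() > 253) return false;
    for (unsigned char c : h)
        if (!(std::isalnum(c) || c == '-' || c == '.')) return false;
    return true;
}

// Channel whitelist: conservative on purpose. Script metacharacters such as
// '$', '{', '}', ';', ',' and whitespace never pass, so they cannot reach
// whatever interprets the resulting command.
static bool validChannel(const std::string& ch) {
    if (ch.size() > 50) return false;
    for (unsigned char c : ch)
        if (!(std::isalnum(c) || c == '-' || c == '_' || c == '.')) return false;
    return true;
}

// Returns a parsed URI, or nothing if any component fails validation.
std::optional<IrcUrl> parseIrcUrl(const std::string& url) {
    IrcUrl out;
    const std::string::size_type p = url.find("://");
    if (p == std::string::npos) return std::nullopt;
    out.scheme = url.substr(0, p);
    if (out.scheme != "irc" && out.scheme != "irc6") return std::nullopt;

    const std::string rest = url.substr(p + 3);
    const std::string::size_type slash = rest.find('/');
    const std::string authority = rest.substr(0, slash);
    std::string path = (slash == std::string::npos) ? "" : rest.substr(slash + 1);

    const std::string::size_type colon = authority.find(':');
    out.host = authority.substr(0, colon);
    if (!validHost(out.host)) return std::nullopt;

    if (colon != std::string::npos) {
        const std::string portStr = authority.substr(colon + 1);
        if (portStr.empty() || portStr.size() > 5) return std::nullopt;
        for (unsigned char c : portStr)
            if (!std::isdigit(c)) return std::nullopt;
        const int port = std::stoi(portStr);
        if (port < 1 || port > 65535) return std::nullopt;
        out.port = port;
    }

    // Accept an optional leading '#', then validate the bare channel name.
    if (!path.empty() && path[0] == '#') path.erase(0, 1);
    if (!validChannel(path)) return std::nullopt;
    out.channel = path;
    return out;
}

// Hypothetical command shape for the illustration: the '#' prefix is added
// here, so no byte of the user-supplied channel text is copied unchecked.
std::string buildServerCommand(const IrcUrl& u) {
    std::string cmd = "server " + u.host + " " + std::to_string(u.port);
    if (!u.channel.empty()) cmd += " #" + u.channel;
    return cmd;
}

// Convenience predicate: true only for URIs that survive full validation.
bool isSafeIrcUrl(const std::string& url) {
    return parseIrcUrl(url).has_value();
}
```

The point is fail-closed parsing: a URI that does not fit the expected grammar is dropped before any command string exists, which is a stronger guarantee than trying to escape script syntax after the fact.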
public now. forgot to CC net-irc last time, done that now - please provide fixed ebuilds
Added a svn-snapshotted ebuild, tested with a bunch of scripts and channels, no crashes so far, so I think we're safe.
Arches please test and mark stable. Target keywords are: kvirc-3.2.6_pre20070628.ebuild="amd64 ~mips ppc sparc x86"
net-irc/kvirc-3.2.6_pre20070628 USE="ipv6 kde ssl -debug -esd -oss"

1. Emerges on AMD64.
2. No collisions.
3. Test phase ok.
4. Multilib-strict ok - /usr/lib64/libkvilib*
5. Works (addons, channels, help browser, registered users, scripting, servers, themes, toolbars, etc).

Portage 2.1.2.7 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r3, 2.6.20-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.20-gentoo-r8 x86_64 Intel(R) Pentium(R) D CPU 3.00GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 30 Jun 2007 12:50:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python: 2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: 2.4-r7
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.23b
virtual/os-headers: 2.6.17-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=nocona -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/init.d /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=nocona -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="-akv"
FEATURES="buildpkg ccache collision-protect distlocks fixpackages metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="ftp://mirrors1.netvisao.pt/gentoo http://darkstar.ist.utl.pt/pub/gentoo http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X acl acpi alsa amd64 apache2 arts bash-completion bitmap-fonts cairo cdr cli cracklib crypt dbus dri dts dvd dvdr dvdread eds emboss encode evo fam firefox flac fortran gif gpm hal iconv ipv6 isdnlog jpeg kde kdeenablefinal kdehiddenvisibility libg++ mad midi mikmod mmx mp3 mpeg mudflap musepack musicbrainz mysql ncurses nptl nptlonly offensive ogg opengl openmp pam pcre pdf perl png postgres pppd python qt3 qt3support qt4 quicktime readline reflection sdl session spell spl sse sse2 ssl svg tcpd test tiff truetype truetype-fonts type1-fonts unicode vorbis xcomposite xml xorg xscreensaver xv zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
USERLAND="GNU"
VIDEO_CARDS="i810"
Unset: CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
net-irc/kvirc-3.2.6_pre20070628 USE="ipv6 kde ssl esd oss -debug"

1. emerges on x86
2. passes test suite
3. passes collision test
4. works

Portage 2.1.2.7 (default-linux/x86/2007.0, gcc-4.1.2, glibc-2.5-r3, 2.6.20-gentoo-r8-guru i686)
=================================================================
System uname: 2.6.20-gentoo-r8-guru i686 Genuine Intel(R) CPU T2300 @ 1.66GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 30 Jun 2007 12:30:11 +0000
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python: 2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.23b
virtual/os-headers: 2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -mtune=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -mtune=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="it_IT@euro"
LINGUAS="it"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/webapps-experimental /usr/portage/local/layman/sunrise"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac accessibility acl acpi adns alsa apache2 arts asf ati avi bash-completion beagle berkdb bitmap-fonts bluetooth browserplugin bzip2 cairo caps cdr cli cracklib crd crypt ctype cups curl daap dbus dga djvu dmi dri dts dvd dvdr dvi emacs evo exif fbcon ffmpeg firefox flac foomatic fortran gdbm gif gimpprint glitz gnome gnutls gpm gtk gtkhtml hal i810 iconv imagemagick intel ipod ipv6 isdnlog jack java jpeg jpg libg++ libnotify libsexy lns mad midi mmap mmx mng mono mozilla moznocompose moznoirc moznomail mozsvg mp3 mp4 mpeg mudflap musepack nautilus ncurses network njb nls nptl nptlonly nsplugin numeric ogg ole opengl openmp openntpd oss pam pcre pda pdf perl php pic png portaudio posix ppds pppd pwdb python qt qt3 radeon readline real reflection samba sdl session sndfile spl sse sse2 ssl svg t1lib tcpd test theora threads thunderbird tiff truetype-fonts type1-fonts unicode usb v4l vcd vorbis win32codecs wma wmf wmv wxwindows x264 x86 xine xml xml2 xorg xvid zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse synaptics"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="it"
USERLAND="GNU"
VIDEO_CARDS="vesa i810 vga"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

For me Stable in x86.
Marked stable on amd64. Thanks, Tiago!
It fails here on x86 with USE=-ipv6, IPv6 enabled works.

i686-pc-linux-gnu-g++ -DHAVE_CONFIG_H -I. -I../../../src -I/var/tmp/portage/net-irc/kvirc-3.2.6_pre20070628/work/kvirc/src/kvilib/include/ -I/var/tmp/portage/net-irc/kvirc-3.2.6_pre20070628/work/kvirc/src/kvirc/include/ -I/usr/qt/3/include -I/usr/include -I/usr/include -I/usr/kde/3.5/include -D_REENTRANT -DREENTRANT -DGLOBAL_KVIRC_DIR=\"/usr/share/kvirc/3.2\" -O2 -MT kvi_ircsocket.o -MD -MP -MF .deps/kvi_ircsocket.Tpo -c -o kvi_ircsocket.o `test -f '../kernel/kvi_ircsocket.cpp' || echo './'`../kernel/kvi_ircsocket.cpp
../kernel/kvi_ircsocket.cpp: In member function ‘void KviIrcSocket::proxySendTargetDataV5()’:
../kernel/kvi_ircsocket.cpp:882: error: ‘isValidStringIp_V6’ is not a member of ‘KviNetUtils’
make[4]: *** [kvi_ircsocket.o] Error 1
make[4]: Leaving directory `/var/tmp/portage/net-irc/kvirc-3.2.6_pre20070628/work/kvirc/src/kvirc/build'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/var/tmp/portage/net-irc/kvirc-3.2.6_pre20070628/work/kvirc/src/kvirc'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/var/tmp/portage/net-irc/kvirc-3.2.6_pre20070628/work/kvirc/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/var/tmp/portage/net-irc/kvirc-3.2.6_pre20070628/work/kvirc/src'
make: *** [all-recursive] Error 1

!!! ERROR: net-irc/kvirc-3.2.6_pre20070628 failed.
Call stack:
  ebuild.sh, line 1615: Called dyn_compile
  ebuild.sh, line 972: Called qa_call 'src_compile'
  ebuild.sh, line 44: Called src_compile
  kvirc-3.2.6_pre20070628.ebuild, line 54: Called die
(In reply to comment #8)
> It fails here on x86 with USE=-ipv6, IPv6 enabled works.

Re-tested and found the same on amd64. Reverted stabilisation on amd64.
okay, waiting for upstream to provide a fix
Hope it's 3.2.6_pre based since 3.2.5 is b0rked for sparc...
Going back to ebuild...
the patch is a 2-liner or so. backporting it should work?
Yeah but the old version breaks for firsttime users as the setup wizard there caused segv's... So we really need a fully working version now. I'd even prefer enabling ipv6 by default to get this version. net-irc: opinions?
If this vuln is so important i don't see a reason why we can't force ipv6, since ipv6 is enabled by default on all the profiles. So, okay for me
net-irc, what's the status here?
ok, now that the ipv6 issue is fixed, we should be good to go. Arches, please test and mark stable net-irc/kvirc-3.2.6_pre20070714. target keywords are: "amd64 ppc ~mips sparc x86"
x86 stable
sparc stable.
net-irc/kvirc-3.2.6_pre20070714 -> amd64 broken

There are collisions issues when:
FEATURES="parallel-fetch userfetch userpriv usersandbox collision-protect"
and
[ebuild N ] net-irc/kvirc-3.2.6_pre20070714 USE="esd ipv6 kde ssl -debug -oss" 0 kB

OUTPUT (latest lines):
removing executable bit: usr/lib64/libkvilib.la
 * checking 2228 files for package collisions
.html is not owned by this package/help/en/doc_objects.killclass
.html is not owned by this package/help/en/doc_file.mkdir
.html is not owned by this package/help/en/doc_layout
.html is not owned by this package/help/en/doc_widget
.html is not owned by this package/help/en/doc_file.exists
.html is not owned by this package/help/en/doc_file.allsizese
.html is not owned by this package/help/en/doc_file.fixpath
.html is not owned by this package/help/en/doc_pixmap
.html is not owned by this package/help/en/doc_file.remove
.html is not owned by this package/help/en/doc_file.write
.html is not owned by this package/help/en/doc_file.rmdir
.html is not owned by this package/help/en/doc_file.copy
.html is not owned by this package/help/en/doc_objects.dump
.html is not owned by this package/help/en/doc_file.rootdir
.html is not owned by this package/help/en/doc_socket
.html is not owned by this package/help/en/doc_file.addimagepath
1000 files checked ...
.html is not owned by this package/help/en/doc_buttongroup
.html is not owned by this package/help/en/doc_objects.instances
.html is not owned by this package/help/en/doc_file.cwd
.html is not owned by this package/help/en/doc_file.ps
.html is not owned by this package/help/en/doc_file.extractfilename
.html is not owned by this package/help/en/doc_objects.variables
.html is not owned by this package/help/en/doc_file.type
.html is not owned by this package/help/en/doc_file.globaldir
.html is not owned by this package/help/en/doc_file.localdir
.html is not owned by this package/help/en/doc_file.homedir
.html is not owned by this package/help/en/doc_escape_sequences
.html is not owned by this package/help/en/doc_objects.exists
.html is not owned by this package/help/en/doc_file.ls
.html is not owned by this package/help/en/doc_objects.connect
.html is not owned by this package/help/en/doc_file.readlines
.html is not owned by this package/help/en/doc_objects.disconnect
.html is not owned by this package/help/en/doc_objects.clear
.html is not owned by this package/help/en/doc_file.delimagepath
.html is not owned by this package/help/en/doc_file.size
.html is not owned by this package/help/en/doc_file.writelines
.html is not owned by this package/help/en/doc_file.rename
.html is not owned by this package/help/en/doc_file.read
.html is not owned by this package/help/en/doc_objects.classes
.html is not owned by this package/help/en/doc_objects.classallhandlers
.html is not owned by this package/help/en/doc_objects.bitblt
.html is not owned by this package/help/en/doc_file.extractpath
.html is not owned by this package/help/en/doc_objects.blend
2000 files checked ...
 * This package is blocked because it wants to overwrite
 * files belonging to other packages (see messages above).
 * If you have no clue what this is all about report it
 * as a bug for this package on http://bugs.gentoo.org

package net-irc/kvirc-3.2.6_pre20070714 NOT merged

Searching all installed packages for file collisions...
Press Ctrl-C to Stop
!!! Unrecognized CONTENTS entry on line 1: ' '
None of the installed packages claim the above file(s).
ppc stable
(In reply to comment #20)
> None of the installed packages claim the above file(s).

Clean up your system

amd64 stable
(In reply to comment #22)
> (In reply to comment #20)
> > None of the installed packages claim the above file(s).
> Clean up your system
>
> amd64 stable

If you ask me this message:
.html is not owned by this package/help/en/doc_objects.killclass
is not quite ok....... and what do you mean by cleanup? emerge cleanup that will remove some of the packages that i need but according to it are for cleaning up?
glsa request filed
that was GLSA 200709-02, thanks everybody and sorry for the delay.