Bug 183174 - net-irc/kvirc < 3.2.6 URL parsing vulnerability (CVE-2007-2951)
Summary: net-irc/kvirc < 3.2.6 URL parsing vulnerability (CVE-2007-2951)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on: 184709
Reported: 2007-06-25 16:34 UTC by Markus Ullmann (RETIRED)
Modified: 2007-09-13 19:42 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Markus Ullmann (RETIRED) gentoo-dev 2007-06-25 16:34:05 UTC
Not sure about the details, but at least there's a commit...
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2007-06-25 17:15:48 UTC
heh, I know the details:

Affected product: KVIrc
Affected version: tested with latest stable version (3.2.0) and a
snapshot (3.2.5).
Other versions may also be affected.
CVE: CVE-2007-2951
SAID: SA25740 (
Credit: Stefan Cornelius, Secunia Research 
Upstream contacted: CCed to this email.
Disclosure date: Preliminary date set to Wed 27th June, 2007

-- Background --

"KVIrc is a free portable IRC client based on the excellent Qt GUI
toolkit. KVIrc is being written by Szymon Stefanek and the KVIrc
Development Team with the contribution of many IRC addicted developers
around the world."

-- Details --

KVIrc does not properly handle irc:// (and similar URIs like irc6://) 
URIs passed via the command line, which can be exploited to inject and
execute commands by e.g. tricking a user into opening a specially
crafted irc:// URI. Successful exploitation requires that KVIrc is
registered as the default handler for irc:// or similar URIs.

<A HREF="irc://aa:11/lol,${run mkdir /tmp/secunia;};">irc</A>

Note: This may be dependent upon the browser used. During tests Galeon
launched KVIrc without asking for confirmation, on the other hand
Konqueror and newer Firefox versions asked the user for confirmation
prior to launching KVirc, which mitigates the vulnerability.

The vulnerability is caused due to the "parseIrcUrl()" function in 
src/kvirc/kernel/kvi_ircurl.cpp not properly sanitising parts of the
URI when building the command for KVIrc's internal script system. This
can be exploited to inject and execute commands for the KVIrc script
system (including the "run" command, which can be leveraged to execute
shell commands).

Credits should be given to:
Stefan Cornelius, Secunia Research. 
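The injection described in the advisory comes from pasting URI components straight into a script command without validating them. The C++ below is an added example, not KVIrc's own code and not from Secunia Research: it splits a minimal irc://host[:port]/target form, shows the unchecked concatenation the advisory describes next to an allow-list validator, and rejects the crafted URI quoted above while accepting ordinary channel URIs. The `IrcUrl` struct, the "server ...; join ...;" command syntax, the default port 6667 and the hostname and channel alphabets are assumptions made for the illustration; they do not describe how KVIrc's parseIrcUrl() or its fix actually work.

```cpp
#include <cctype>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Pieces of an irc:// style URI. Constructed illustration, not KVIrc's own types.
struct IrcUrl {
    std::string scheme;   // "irc" or "irc6"
    std::string host;
    std::string port;     // decimal text; "6667" when the URI gives none (assumed default)
    std::string target;   // everything after the first '/', e.g. "#gentoo" or "#a,#b"
};

// Split scheme://host[:port]/[target]. Hostnames and IPv4 literals only;
// bracketed IPv6 literals are out of scope for this illustration.
std::optional<IrcUrl> splitIrcUrl(const std::string& url) {
    const auto schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos) return std::nullopt;
    IrcUrl u;
    u.scheme = url.substr(0, schemeEnd);
    const std::string rest = url.substr(schemeEnd + 3);
    const auto slash = rest.find('/');
    const std::string hostport = rest.substr(0, slash);
    if (slash != std::string::npos) u.target = rest.substr(slash + 1);
    const auto colon = hostport.find(':');
    if (colon != std::string::npos) {
        u.host = hostport.substr(0, colon);
        u.port = hostport.substr(colon + 1);
    } else {
        u.host = hostport;
        u.port = "6667";
    }
    return u;
}

// The pattern the advisory describes: URI pieces pasted verbatim into a script
// command. The command syntax is hypothetical; the flaw is the unchecked interpolation.
std::string buildCommandUnchecked(const IrcUrl& u) {
    std::string cmd = "server " + u.host + " " + u.port + ";";
    if (!u.target.empty()) cmd += " join " + u.target + ";";
    return cmd;
}

// Allow-list checks. Any byte outside the permitted alphabet rejects the whole URI,
// so script metacharacters ('$', '{', '}', ';', spaces) never reach the interpreter.
bool validHost(const std::string& h) {
    if (h.empty() || h.size() > 253) return false;
    for (unsigned char c : h)
        if (!std::isalnum(c) && c != '-' && c != '.') return false;
    return true;
}

bool validPort(const std::string& p) {
    if (p.empty() || p.size() > 5) return false;
    for (unsigned char c : p)
        if (!std::isdigit(c)) return false;
    const int n = std::stoi(p);
    return n >= 1 && n <= 65535;
}

// One channel name: an IRC channel prefix plus a conservative name alphabet (assumed).
bool validChannel(const std::string& ch) {
    if (ch.size() < 2 || ch.size() > 50) return false;
    if (ch[0] != '#' && ch[0] != '&' && ch[0] != '+' && ch[0] != '!') return false;
    for (size_t i = 1; i < ch.size(); ++i) {
        const unsigned char c = ch[i];
        if (!std::isalnum(c) && c != '-' && c != '_' && c != '.') return false;
    }
    return true;
}

// Hardened builder: validate every part first, emit the command only if all pass.
std::optional<std::string> buildCommandChecked(const std::string& url) {
    const auto parsed = splitIrcUrl(url);
    if (!parsed) return std::nullopt;
    if (parsed->scheme != "irc" && parsed->scheme != "irc6") return std::nullopt;
    if (!validHost(parsed->host) || !validPort(parsed->port)) return std::nullopt;
    std::string cmd = "server " + parsed->host + " " + parsed->port + ";";
    if (!parsed->target.empty()) {
        // Comma-separated channel list; each item is validated on its own.
        std::vector<std::string> chans;
        std::string cur;
        for (char c : parsed->target) {
            if (c == ',') { chans.push_back(cur); cur.clear(); } else cur += c;
        }
        chans.push_back(cur);
        for (const auto& ch : chans)
            if (!validChannel(ch)) return std::nullopt;
        cmd += " join " + parsed->target + ";";
    }
    return cmd;
}

int main() {
    // The second sample is the crafted URI quoted in the advisory above.
    const char* samples[] = {"irc://irc.example.net:6667/#gentoo",
                             "irc://aa:11/lol,${run mkdir /tmp/secunia;};"};
    for (const char* s : samples) {
        const auto cmd = buildCommandChecked(s);
        std::cout << s << " -> " << (cmd ? *cmd : std::string("rejected")) << "\n";
    }
    return 0;
}
```

The design point is that the fix is an allow list applied to each component before any string is handed to the script engine, rather than an attempt to escape the specific characters used in one payload; anything the hostname, port or channel grammar does not need is simply refused.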
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2007-06-26 15:53:02 UTC
Public now. Forgot to CC net-irc last time, done that now. Please provide fixed ebuilds.
Comment 3 Markus Ullmann (RETIRED) gentoo-dev 2007-06-28 13:14:03 UTC
Added an svn-snapshotted ebuild, tested with a bunch of scripts and channels, no crashes so far, so I think we're safe.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-29 21:10:26 UTC
Arches please test and mark stable. Target keywords are:

kvirc-3.2.6_pre20070628.ebuild="amd64 ~mips ppc sparc x86"
Comment 5 Tiago Cunha (RETIRED) gentoo-dev 2007-06-30 15:04:51 UTC
net-irc/kvirc-3.2.6_pre20070628  USE="ipv6 kde ssl -debug -esd -oss"

1. Emerges on AMD64.
2. No collisions.
3. Test phase ok.
4. Multilib-strict ok - /usr/lib64/libkvilib*
5. Works (addons, channels, help browser, registered users, scripting, servers, themes, toolbars, etc).

Portage (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r3, 2.6.20-gentoo-r8 x86_64)
System uname: 2.6.20-gentoo-r8 x86_64 Intel(R) Pentium(R) D CPU 3.00GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 30 Jun 2007 12:50:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.23b
virtual/os-headers:  2.6.17-r2
CFLAGS="-O2 -march=nocona -pipe"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/init.d /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=nocona -pipe"
FEATURES="buildpkg ccache collision-protect distlocks fixpackages metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
USE="X acl acpi alsa amd64 apache2 arts bash-completion bitmap-fonts cairo cdr cli cracklib crypt dbus dri dts dvd dvdr dvdread eds emboss encode evo fam firefox flac fortran gif gpm hal iconv ipv6 isdnlog jpeg kde kdeenablefinal kdehiddenvisibility libg++ mad midi mikmod mmx mp3 mpeg mudflap musepack musicbrainz mysql ncurses nptl nptlonly offensive ogg opengl openmp pam pcre pdf perl png postgres pppd python qt3 qt3support qt4 quicktime readline reflection sdl session spell spl sse sse2 ssl svg tcpd test tiff truetype truetype-fonts type1-fonts unicode vorbis xcomposite xml xorg xscreensaver xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="i810"
Comment 6 Emanuele Gentili 2007-06-30 22:46:23 UTC
net-irc/kvirc-3.2.6_pre20070628  USE="ipv6 kde ssl esd oss -debug"

1. emerges on x86
2. passes test suite
3. passes collision test
4. works

Portage (default-linux/x86/2007.0, gcc-4.1.2, glibc-2.5-r3,
2.6.20-gentoo-r8-guru i686)
System uname: 2.6.20-gentoo-r8-guru i686 Genuine Intel(R) CPU T2300 @ 1.66GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 30 Jun 2007 12:30:11 +0000
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.23b
virtual/os-headers:  2.6.17-r2
CFLAGS="-O2 -mtune=i686 -pipe"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/
/etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo
CXXFLAGS="-O2 -mtune=i686 -pipe"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox
sfperms strict test userfetch userpriv usersandbox"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
USE="X a52 aac accessibility acl acpi adns alsa apache2 arts asf ati avi
bash-completion beagle berkdb bitmap-fonts bluetooth browserplugin bzip2 cairo
caps cdr cli cracklib crd crypt ctype cups curl daap dbus dga djvu dmi dri dts
dvd dvdr dvi emacs evo exif fbcon ffmpeg firefox flac foomatic fortran gdbm gif
gimpprint glitz gnome gnutls gpm gtk gtkhtml hal i810 iconv imagemagick intel
ipod ipv6 isdnlog jack java jpeg jpg libg++ libnotify libsexy lns mad midi mmap
mmx mng mono mozilla moznocompose moznoirc moznomail mozsvg mp3 mp4 mpeg
mudflap musepack nautilus ncurses network njb nls nptl nptlonly nsplugin
numeric ogg ole opengl openmp openntpd oss pam pcre pda pdf perl php pic png
portaudio posix ppds pppd pwdb python qt qt3 radeon readline real reflection
samba sdl session sndfile spl sse sse2 ssl svg t1lib tcpd test theora threads
thunderbird tiff truetype-fonts type1-fonts unicode usb v4l vcd vorbis
win32codecs wma wmf wmv wxwindows x264 x86 xine xml xml2 xorg xvid zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1
emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m
maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route
share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse synaptics"
KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001
mtxorb ncurses text" LINGUAS="it" USERLAND="GNU" VIDEO_CARDS="vesa i810 vga"

For me, stable on x86.
Comment 7 Wulf Krueger (RETIRED) gentoo-dev 2007-07-01 11:53:03 UTC
Marked stable on amd64. Thanks, Tiago!
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2007-07-02 08:50:42 UTC
It fails here on x86 with USE=-ipv6, IPv6 enabled works.

i686-pc-linux-gnu-g++ -DHAVE_CONFIG_H -I. -I../../../src  -I/var/tmp/portage/net-irc/kvirc-3.2.6_pre20070628/work/kvirc/src/kvilib/include/ -I/var/tmp/portage/net-irc/kvirc-3.2.6_pre20070628/work/kvirc/src/kvirc/include/ -I/usr/qt/3/include -I/usr/include -I/usr/include -I/usr/kde/3.5/include -D_REENTRANT -DREENTRANT -DGLOBAL_KVIRC_DIR=\"/usr/share/kvirc/3.2\"   -O2 -MT kvi_ircsocket.o -MD -MP -MF .deps/kvi_ircsocket.Tpo -c -o kvi_ircsocket.o `test -f '../kernel/kvi_ircsocket.cpp' || echo './'`../kernel/kvi_ircsocket.cpp
../kernel/kvi_ircsocket.cpp: In member function ‘void KviIrcSocket::proxySendTargetDataV5()’:
../kernel/kvi_ircsocket.cpp:882: error: ‘isValidStringIp_V6’ is not a member of ‘KviNetUtils’
make[4]: *** [kvi_ircsocket.o] Error 1
make[4]: Leaving directory `/var/tmp/portage/net-irc/kvirc-3.2.6_pre20070628/work/kvirc/src/kvirc/build'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/var/tmp/portage/net-irc/kvirc-3.2.6_pre20070628/work/kvirc/src/kvirc'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/var/tmp/portage/net-irc/kvirc-3.2.6_pre20070628/work/kvirc/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/var/tmp/portage/net-irc/kvirc-3.2.6_pre20070628/work/kvirc/src'
make: *** [all-recursive] Error 1

!!! ERROR: net-irc/kvirc-3.2.6_pre20070628 failed.
Call stack:, line 1615:   Called dyn_compile, line 972:   Called qa_call 'src_compile', line 44:   Called src_compile
  kvirc-3.2.6_pre20070628.ebuild, line 54:   Called die
Comment 9 Wulf Krueger (RETIRED) gentoo-dev 2007-07-02 16:54:42 UTC
(In reply to comment #8)
> It fails here on x86 with USE=-ipv6, IPv6 enabled works.

Re-tested and found the same on amd64. Reverted stabilisation on amd64.
Comment 10 Markus Ullmann (RETIRED) gentoo-dev 2007-07-02 21:44:14 UTC
Okay, waiting for upstream to provide a fix.
Comment 11 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-02 21:46:52 UTC
Hope it's 3.2.6_pre based since 3.2.5 is b0rked for sparc...
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2007-07-04 13:22:44 UTC
Going back to ebuild...
Comment 13 Stefan Cornelius (RETIRED) gentoo-dev 2007-07-12 17:49:07 UTC
The patch is a 2-liner or so. Backporting it should work?
Comment 14 Markus Ullmann (RETIRED) gentoo-dev 2007-07-12 18:03:51 UTC
Yeah, but the old version breaks for first-time users, as the setup wizard there caused segv's... So we really need a fully working version now. I'd even prefer enabling ipv6 by default to get this version.
net-irc: opinions?
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2007-07-12 18:07:00 UTC
If this vuln is so important, I don't see a reason why we can't force ipv6, since ipv6 is enabled by default on all the profiles.

So, okay for me
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-19 08:21:56 UTC
net-irc, what's the status here?
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-24 21:24:26 UTC
OK, now that the ipv6 issue is fixed, we should be good to go.
Arches, please test and mark stable net-irc/kvirc-3.2.6_pre20070714.

target keywords are: "amd64 ppc ~mips sparc x86"
Comment 18 Christian Faulhammer (RETIRED) gentoo-dev 2007-07-25 08:40:28 UTC
x86 stable
Comment 19 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-25 20:00:31 UTC
sparc stable.
Comment 20 PhobosK 2007-07-26 18:44:25 UTC
net-irc/kvirc-3.2.6_pre20070714 -> amd64 broken

There are collisions issues when:
FEATURES="parallel-fetch userfetch userpriv usersandbox collision-protect"
[ebuild  N    ] net-irc/kvirc-3.2.6_pre20070714  USE="esd ipv6 kde ssl -debug -oss" 0 kB

OUTPUT (latest lines):
removing executable bit: usr/lib64/
* checking 2228 files for package collisions
.html is not owned by this package/help/en/doc_objects.killclass
.html is not owned by this package/help/en/doc_file.mkdir
.html is not owned by this package/help/en/doc_layout
.html is not owned by this package/help/en/doc_widget
.html is not owned by this package/help/en/doc_file.exists
.html is not owned by this package/help/en/doc_file.allsizese
.html is not owned by this package/help/en/doc_file.fixpath
.html is not owned by this package/help/en/doc_pixmap
.html is not owned by this package/help/en/doc_file.remove
.html is not owned by this package/help/en/doc_file.write
.html is not owned by this package/help/en/doc_file.rmdir
.html is not owned by this package/help/en/doc_file.copy
.html is not owned by this package/help/en/doc_objects.dump
.html is not owned by this package/help/en/doc_file.rootdir
.html is not owned by this package/help/en/doc_socket
.html is not owned by this package/help/en/doc_file.addimagepath
1000 files checked ...
.html is not owned by this package/help/en/doc_buttongroup
.html is not owned by this package/help/en/doc_objects.instances
.html is not owned by this package/help/en/doc_file.cwd
.html is not owned by this package/help/en/
.html is not owned by this package/help/en/doc_file.extractfilename
.html is not owned by this package/help/en/doc_objects.variables
.html is not owned by this package/help/en/doc_file.type
.html is not owned by this package/help/en/doc_file.globaldir
.html is not owned by this package/help/en/doc_file.localdir
.html is not owned by this package/help/en/doc_file.homedir
.html is not owned by this package/help/en/doc_escape_sequences
.html is not owned by this package/help/en/doc_objects.exists
.html is not owned by this package/help/en/
.html is not owned by this package/help/en/doc_objects.connect
.html is not owned by this package/help/en/doc_file.readlines
.html is not owned by this package/help/en/doc_objects.disconnect
.html is not owned by this package/help/en/doc_objects.clear
.html is not owned by this package/help/en/doc_file.delimagepath
.html is not owned by this package/help/en/doc_file.size
.html is not owned by this package/help/en/doc_file.writelines
.html is not owned by this package/help/en/doc_file.rename
.html is not owned by this package/help/en/
.html is not owned by this package/help/en/doc_objects.classes
.html is not owned by this package/help/en/doc_objects.classallhandlers
.html is not owned by this package/help/en/doc_objects.bitblt
.html is not owned by this package/help/en/doc_file.extractpath
.html is not owned by this package/help/en/doc_objects.blend
2000 files checked ...
* This package is blocked because it wants to overwrite
* files belonging to other packages (see messages above).
* If you have no clue what this is all about report it
* as a bug for this package on

package net-irc/kvirc-3.2.6_pre20070714 NOT merged

Searching all installed packages for file collisions...
Press Ctrl-C to Stop

!!! Unrecognized CONTENTS entry on line 1: '
None of the installed packages claim the above file(s).

Comment 21 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-27 22:14:15 UTC
ppc stable
Comment 22 Christoph Mende (RETIRED) gentoo-dev 2007-08-01 00:40:51 UTC
(In reply to comment #20)
> None of the installed packages claim the above file(s).
Clean up your system

amd64 stable
Comment 23 PhobosK 2007-08-01 12:25:39 UTC
(In reply to comment #22)
> (In reply to comment #20)
> > None of the installed packages claim the above file(s).
> Clean up your system
> amd64 stable

If you ask me, this message:
.html is not owned by this package/help/en/doc_objects.killclass
is not quite OK...

And what do you mean by cleanup?
emerge cleanup, which will remove some of the packages that I need but which, according to it, are for cleaning up?
Comment 24 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-06 14:12:13 UTC
GLSA request filed.
Comment 25 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-13 19:42:52 UTC
That was GLSA 200709-02. Thanks everybody, and sorry for the delay.