Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 319719 (CVE-2010-1000) - <kde-base/kget-{4.3.3-r1, 4.3.5-r1}: Directory Traversal (CVE-2010-{1000,1511})
Summary: <kde-base/kget-{4.3.3-r1, 4.3.5-r1}: Directory Traversal (CVE-2010-{1000,1511})
Status: RESOLVED FIXED
Alias: CVE-2010-1000
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://www.kde.org/info/security/advi...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-05-14 15:45 UTC by Maciej Mrozowski
Modified: 2014-12-12 00:31 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Maciej Mrozowski gentoo-dev 2010-05-14 15:45:39 UTC
Please stabilize - kde-base/kget-4.3.3-r1 (hppa)
Please stabilize - kde-base/kget-4.3.5-r1 (all archs except hppa)

(also fixed in kde-base/kget-4.4.3-r1 - remains ~arch)

KDE Security Advisory: KGet Directory Traversal and Insecure File Operation
Vulnerabilities
Original Release Date: 2010-05-13
URL: http://www.kde.org/info/security/advisory-20100513-1.txt

0. References:
	CVE-2010-1000
    CVE-2010-1511
    SA39528

1. Systems affected:

	KGet as shipped with KDE SC 4.0.0 up to including KDE SC 4.4.3. Earlier
    versions of KDE SC may also be affected.

2. Overview:

    1) The "name" attribute of the "file" element of metalink files is not
    properly sanitized before being used to download files. If a user is
    tricked into downloading from a specially-crafted metalink file, this can
    be exploited to download files to directories outside of the intended
    download directory via directory traversal attacks. (CVE-2010-1000)

    2) In some versions of KGet (2.4.2) a dialog box is displayed allowing the
    user to choose the file to download out of the options offered by the
    metalink file. However, KGet will simply go ahead and start the download
    after some time - even without prior acknowledgment of the user, and
    overwriting already-existing files of the same name. (CVE-2010-1511)

    The vulnerabilities were reported by and the above text provided by Stefan
    Cornelius of Secunia Research. 

3. Impact:

    1) Files may be created or overwritten in directories outside of a user's
    intended download directory.

    2) Files may be created or overwritten in a user's intended download
    directory without acknowledgement of the user.

4. Solution:

	Source code patches have been made available which fix these
    vulnerabilities. At the time of this writing most OS vendor / binary
    package providers should have updated binary packages. Contact your OS
    vendor / binary package provider for information about how to obtain
    updated binary packages.

5. Patch:

    Patches have been committed to the KDE Subversion repository in the
    following revision numbers:

    4.3 branch: r1126227
    4.4 branch: r1124974
    Trunk: r1124976

    Patches for KDE SC 4.3 and KDE SC 4.4 may be obtained directory from the
    Subversion repository (no checkout needed) with the following command and
    reference SHA1 sums:

    4.3 branch: dc1b2af664fb4c74c018e9c6b02859b5c42ecd65
    svn diff -r 1126226:1126227 \
    svn://anonsvn.kde.org/home/kde/branches/KDE/4.3/kdenetwork

    4.4 branch: 3ed1b2333ba324e1fc6c1994cef1715eb0b6f457
    svn diff -r 1124973:1124974 \
    svn://anonsvn.kde.org/home/kde/branches/KDE/4.4/kdenetwork
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-05-14 15:52:32 UTC
Rating; adapting whiteboard, summary and severity.
Comment 2 Markus Meier gentoo-dev 2010-05-15 13:20:07 UTC
amd64/x86 stable
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2010-05-15 16:24:34 UTC
alpha/ia64/sparc don't have kde stable yet
Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-05-26 17:48:17 UTC
CVE-2010-1000 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1000):
  Directory traversal vulnerability in KGet in KDE SC 4.0.0 through
  4.4.3 allows remote attackers to create arbitrary files via directory
  traversal sequences in the name attribute of a file element in a
  metalink file.

Comment 5 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-05-26 17:49:03 UTC
CVE-2010-1511 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1511):
  KGet 2.4.2 in KDE SC 4.0.0 through 4.4.3 does not properly request
  download confirmation from the user, which makes it easier for remote
  attackers to overwrite arbitrary files via a crafted metalink file.

Comment 6 Brent Baude (RETIRED) gentoo-dev 2010-05-26 19:14:31 UTC
neither does ppc64
Comment 7 Joe Jezak (RETIRED) gentoo-dev 2010-06-01 15:25:29 UTC
Marked ppc stable, removing ppc64 since it doesn't have a stable kde4.
Comment 8 Andreas K. Hüttel archtester gentoo-dev 2010-06-06 17:06:18 UTC
Is fixed in 4.4.4
Comment 9 Samuli Suominen (RETIRED) gentoo-dev 2010-06-21 16:36:51 UTC
ready for glsa
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2010-11-20 16:52:12 UTC
GLSA Vote: yes.
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-21 16:34:44 UTC
Vote: YES, glsa request filed.
Comment 12 Theo Chatzimichos (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-12-31 02:14:40 UTC
removing KDE, CC us back if you need anything
Comment 13 Maciej Mrozowski gentoo-dev 2012-11-19 20:23:23 UTC
<kget-4.3.5 long gone from tree..
Comment 14 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-12 00:31:41 UTC
This issue was resolved and addressed in
 GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml
by GLSA coordinator Sean Amoss (ackle).