Bug 358025 (CVE-2011-1094) - <kde-base/kdelibs-4.6.1: SSL name check issue (CVE-2011-1094)
Summary: <kde-base/kdelibs-4.6.1: SSL name check issue (CVE-2011-1094)
Status: RESOLVED FIXED
Alias: CVE-2011-1094
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://comments.gmane.org/gmane.comp....
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-03-09 07:29 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2014-06-29 20:49 UTC

See Also:
Package list:
Runtime testing required: ---


Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-09 07:29:27 UTC
KDE recently fixed an issue in the code checking host names of the
server SSL certificates.  Previously, it accepted a certificate as valid
for the site if it was issued for the user-specified host name, or if
it was issued for an IP address to which the user-specified host name
resolved.

An attacker able to get an SSL certificate from a trusted CA issued for
an attacker-controlled IP address could perform a MITM attack, if they
were also able to hijack the victim's DNS to resolve host names to the
attacker's IP.

Fixed upstream in:
https://projects.kde.org/projects/kde/kdelibs/repository/revisions/76f935197599a335a5fe09b78751ddb455248cf7

Patch is included in kdelibs 4.6.1.

http://comments.gmane.org/gmane.comp.security.oss.general/4440
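To make the acceptance rule described in this report concrete, the following is an added illustration (not kdelibs code, and not the upstream patch): a pre-fix style check that also accepts a certificate issued for whatever IP the host name resolves to, next to the corrected rule that only compares the requested name against the certificate's own names. The DNS tables and certificate name lists are constructed sample data.

```python
"""Host-name matching: the CVE-2011-1094 style flaw beside the corrected rule.
Added illustration; names, DNS tables and certificate contents are constructed."""
import ipaddress

# Constructed resolver views. In the attack scenario the victim's resolver is
# attacker-controlled, so the bank's name resolves to the attacker's address.
HONEST_DNS = {"bank.example": "198.51.100.10"}
HIJACKED_DNS = {"bank.example": "203.0.113.7"}


def names_match(pattern: str, host: str) -> bool:
    """Match one certificate name (CN or DNS SAN) against the requested host.
    Supports a single left-most wildcard label such as '*.bank.example'."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                  # '.bank.example'
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]          # part the wildcard has to cover
    return label != "" and "." not in label


def vulnerable_check(cert_names, host, resolver) -> bool:
    """Flawed rule: the certificate is accepted for `host` if it names the
    host, OR if it names the IP address that `host` currently resolves to.
    With hijacked DNS, a CA-issued cert for the attacker's IP passes."""
    if any(names_match(n, host) for n in cert_names):
        return True
    resolved = resolver.get(host)
    return resolved is not None and resolved in cert_names


def fixed_check(cert_names, host) -> bool:
    """Corrected rule: only the name the user asked for counts. A DNS name
    must match a DNS entry; an IP literal must match an IP entry exactly.
    What the name resolves to is irrelevant to certificate validation."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return any(names_match(n, host) for n in cert_names)
    return host in cert_names


if __name__ == "__main__":
    attacker_cert = ["203.0.113.7"]       # legitimately issued for attacker's IP
    print(vulnerable_check(attacker_cert, "bank.example", HIJACKED_DNS))  # True: MITM accepted
    print(fixed_check(attacker_cert, "bank.example"))                     # False: rejected
```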
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-09 07:33:00 UTC
Maintainers, is it OK to stabilize >=kde-base/kdelibs-4.6.1? If so, which version?
Comment 2 Andreas K. Hüttel gentoo-dev 2011-03-09 10:27:25 UTC
We discussed this yesterday and 4.6.1 is way too buggy (even with annoying regressions to 4.6.0) for stabilization. (Currently 4.6.2 is our planned candidate.)

I just committed an UNTESTED backport of the patch in kdelibs-4.4.5-r3. The code has not changed much, so this should work in theory. The problem is, I cannot even build-test it. So, for now NO KEYWORDS yet.

@security,kde: anyone of you running kde-4.4: please test the ebuild. If it builds fine, add all arches from -r2 back as ~arch. Afterwards we can request fast stabilization on relevant arches.

@kde: time to kill 4.5?
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-03-09 10:44:51 UTC
(In reply to comment #2)
> 
> @security,kde: anyone of you running kde-4.4: please test the ebuild. If it
> builds fine, add all arches from -r2 back as ~arch. Afterwards we can request
> fast stabilization on relevant arches.

It seems you're mistaking Security for an ebuild testing team.

> 
> @kde: time to kill 4.5?

That discussion should not take place on this very bug.
Comment 4 Andreas K. Hüttel gentoo-dev 2011-03-09 10:52:52 UTC
(In reply to comment #3)
> 
> It seems you're mistaking Security for an ebuild testing team.
> 
It seems I'm mistaking Security for a team interested in fixing security issues.
Comment 5 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-03-09 11:14:16 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > 
> > It seems you're mistaking Security for an ebuild testing team.
> > 
> It seems I'm mistaking Security for a team interested in fixing security
> issues.

No, you got that one right.
Providing updated, working ebuilds ready for arches to test is *YOUR* responsibility though.
Comment 6 Andreas K. Hüttel gentoo-dev 2011-03-09 11:29:51 UTC
(In reply to comment #5)
> > It seems I'm mistaking Security for a team interested in fixing security
> > issues.
> 
> No, you got that one right.
> Providing updated, working ebuilds ready for arches to test is *YOUR*
> responsibility though.

Oh please cut the whatever. Once your GLSAs are as current and updated as this ebuild we can discuss that again.

Is it too much to ask for a little bit of cooperation? Most of the kde team is running 4.6 by now, and cannot easily test the 4.4 ebuilds since all the required dependencies are long gone from their systems. [*] And I can imagine it takes a lot less work to type "ebuild kdelibs-4.4.5-r3.ebuild install" and report on its result 1-2 hours later than to read and digest the daily flood of security advisories.


[*] Which is why we have even considered forming a separate kde-stable team. Only because kde-4.6 stabilization is now slowly coming closer we have abandoned that plan.
Comment 7 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-03-09 11:54:28 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > > It seems I'm mistaking Security for a team interested in fixing security
> > > issues.
> > 
> > No, you got that one right.
> > Providing updated, working ebuilds ready for arches to test is *YOUR*
> > responsibility though.
> 
> Oh please cut the whatever. Once your GLSAs are as current and updated as this
> ebuild we can discuss that again.

If you actually knew the amount of work that's in one of these advisories, you wouldn't talk like that.

> 
> Is it too much to ask for a little bit of cooperation? 
> Most of the kde team is
> running 4.6 by now, and cannot easily test the 4.4 ebuilds since all the
> required dependencies are long gone from their systems. 

That's exactly my point. All of the 42 billion Gentoo KDE devs seem to use the fancy new stuff, so you think you can dump the unpleasant work of testing your old stable stuff to us? Forget it.
(This makes you referring to the GLSA situation even more bizarre)

EOD. From here on, let's focus on getting the bug fixed for stable users, which is my main interest. I hope that you contribute your part to that and we'll see to do the same.
Comment 8 Lars Wendler (Polynomial-C) gentoo-dev 2011-03-09 15:58:23 UTC
Doesn't compile on my ~amd64 machine at work (which is still on kde-4.4.5):

[ 40%] Building CXX object kio/CMakeFiles/kio.dir/kio/tcpslavebase.o            
/var/tmp/portage/kde-base/kdelibs-4.4.5-r3/work/kdelibs-4.4.5/kio/kio/tcpslavebase.cpp: In member function ‘KIO::TCPSlaveBase::SslResult KIO::TCPSlaveBase::startTLSInternal(uint)’:
/var/tmp/portage/kde-base/kdelibs-4.4.5-r3/work/kdelibs-4.4.5/kio/kio/tcpslavebase.cpp:514:43: error: ‘isMatchingHostname’ was not declared in this scope
make[2]: *** [kio/CMakeFiles/kio.dir/kio/tcpslavebase.o] Error 1
make[1]: *** [kio/CMakeFiles/kio.dir/all] Error 2
make: *** [all] Error 2
emake failed


Comment 9 Lars Wendler (Polynomial-C) gentoo-dev 2011-03-10 08:37:00 UTC
+  10 Mar 2011; Lars Wendler <polynomial-c@gentoo.org>
+  files/kdelibs-4.4.5-hostname.patch:
+  Added fixed 4.4.5-hostname.patch (with kind permission from tampakrap).
+
Comment 10 Andreas K. Hüttel gentoo-dev 2011-03-10 11:31:05 UTC
+  10 Mar 2011; Andreas K. Huettel <dilfridge@gentoo.org>
+  kdelibs-4.4.5-r3.ebuild:
+  Keywords added, thanks to Poly-C for testing
+

Arches please test and mark stable kde-base/kdelibs-4.4.5-r3
Target "amd64 ~arm ppc ~ppc64 x86 ~x86-fbsd ~amd64-linux ~x86-linux", 
i.e. stabilization on amd64, ppc, x86

This fixes a security bug.
Comment 11 Agostino Sarubbo gentoo-dev 2011-03-10 17:33:44 UTC
amd64 ok
Comment 12 blain 'Doc' Anderson 2011-03-10 18:44:28 UTC
amd64 appears fine. compile with no problems.
Comment 13 Markos Chandras (RETIRED) gentoo-dev 2011-03-10 19:59:47 UTC
amd64 done. Thanks Agostino
Comment 14 Thomas Kahle (RETIRED) gentoo-dev 2011-03-11 11:39:13 UTC
x86 stable. IMHO if you need testers for stable kde patches it is ok to ask the arch teams (asking me for x86 is OK at least).  We are running stable boxes for testing purposes anyway.
Comment 15 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-03-13 13:56:07 UTC
ppc stable, last arch done
Comment 16 Tim Sammut (RETIRED) gentoo-dev 2011-03-14 03:04:08 UTC
Thanks, everyone. GLSA Vote: no.
Comment 17 Andreas K. Hüttel gentoo-dev 2011-04-08 19:40:17 UTC
Nothing to do for kde here anymore.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 20:04:23 UTC
CVE-2011-1094 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1094):
  kio/kio/tcpslavebase.cpp in KDE KSSL in kdelibs before 4.6.1 does not
  properly verify that the server hostname matches the domain name of the
  subject of an X.509 certificate, which allows man-in-the-middle attackers to
  spoof arbitrary SSL servers via a certificate issued by a legitimate
  Certification Authority for an IP address, a different vulnerability than
  CVE-2009-2702.
Comment 19 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:17:26 UTC
Vote: YES. Added to pending GLSA request.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2014-06-29 20:49:53 UTC
This issue was resolved and addressed in
 GLSA 201406-34 at http://security.gentoo.org/glsa/glsa-201406-34.xml
by GLSA coordinator Mikle Kolyada (Zlogene).