Bug 89092 - kde-base/kdewebdev - Kommander untrusted code execution
Summary: kde-base/kdewebdev - Kommander untrusted code execution
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsaupdate] jaervosz
Depends on:
Reported: 2005-04-14 07:36 UTC by Carsten Lohrke (RETIRED)
Modified: 2005-07-07 22:46 UTC

See Also:
Package list:
Runtime testing required: ---


Description Carsten Lohrke (RETIRED) gentoo-dev 2005-04-14 07:36:38 UTC
from the advisory draft:

20/04/2005 Coordinated Public Disclosure

1. Systems affected:

        Quanta 3.1.x, KDE 3.2 and newer, up to and including KDE 3.4.0.

2. Overview:

        Kommander is a visual editor and interpreter to edit and
        interpret visual dialogs and execute scripts attached to
        dialog actions. 

        Kommander executes data files from possibly untrusted
        locations without user confirmation. As they contain
        scripts, the user might accidentally run arbitrary code.

3. Impact:

        Remotely supplied Kommander files from untrusted sources
        are executed without confirmation.

4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.
Comment 1 Carsten Lohrke (RETIRED) gentoo-dev 2005-04-19 17:04:59 UTC
<<< kdewebdev-3.3.2-r1

Arch herds, please mark stable. Thanks! :)

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-19 22:30:39 UTC
Arches can't access restricted bugs -> uncc'ing arches and cc'ing individual devs. (We'll handle it public later today if we see any advisories.)

Please test and mark kdewebdev-3.3.2-r1 stable.

alpha: kloeri
amd64: absinthe
ppc: pylon
ppc64: corsair
sparc: weeve
x86: tester
mips: hardave
hppa: gmsoft
ia64: ?

If you are not able to mark stable please cc another dev for your arch.

Comment 3 Olivier Crete (RETIRED) gentoo-dev 2005-04-19 22:42:30 UTC
x86 is already stable... (you're lucky since I don't have KDE ;)
Comment 4 Markus Rothe (RETIRED) gentoo-dev 2005-04-19 23:44:06 UTC
stable on ppc64
Comment 5 Jason Wever (RETIRED) gentoo-dev 2005-04-20 06:03:42 UTC
Stable on SPARC.
Comment 6 Carsten Lohrke (RETIRED) gentoo-dev 2005-04-20 09:04:40 UTC
Sune: Sorry, I thought we can immediately open when the disclosure date is met. Would it be possible to establish an always up-to-date arch/security contact list I can grab with a script?

cc'd cryos for amd64 since he has time, agriffis for ia64 (and alpha maybe)
Comment 7 Marcus D. Hanwell (RETIRED) gentoo-dev 2005-04-20 09:57:10 UTC
Stable on amd64.
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2005-04-20 13:59:56 UTC
Stable on alpha + ia64.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-21 23:00:27 UTC
This is public now -> opening.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-21 23:04:30 UTC
Ehh sorry, now it is open. Sorry for the spam.
Comment 11 John Myers 2005-04-22 11:35:36 UTC
The GLEP should probably mention the split-out kommander as well as the monolithic one.
Comment 12 Matthias Geerdsen (RETIRED) gentoo-dev 2005-04-22 13:18:27 UTC

but sounds correct, kde-base/kommander was also fixed with 3.4.0-r1
It has been ~arch masked though.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-23 00:27:21 UTC
The KDE split ebuilds are not stable yet and therefore not mentioned. Until we have a better staffing situation we do not issue GLSAs about unstable packages.

See Non-stable packages in the first chapter of the Vulnerability Policy:
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-23 00:27:46 UTC
GLSA 200504-23

mips, hppa remember to mark stable to benefit from GLSA.
Comment 15 Carsten Lohrke (RETIRED) gentoo-dev 2005-05-02 17:25:11 UTC
There's a bug in the original patch, causing a trailing / to be stripped, so e.g. not only /tmp/foo, but /tmpfoo would cause a temp directory warning as well.

This is a minor issue, but it would be nice if you would mark

<<< kdewebdev-3.3.2-r2.ebuild

stable as well. The guys plan to update their advisory. Don't know if we do in such a case.

Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-02 22:03:12 UTC
Thx Carlo. Arches please test and mark stable.

We'll update our GLSA but not issue an update as the security issue is fixed already.
Comment 17 Jan Brinkmann (RETIRED) gentoo-dev 2005-05-03 08:05:35 UTC
stable on amd64
Comment 18 Jason Wever (RETIRED) gentoo-dev 2005-05-03 09:10:53 UTC
Comment 19 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-05-03 13:08:05 UTC
Stable on ppc.
Comment 20 Carsten Lohrke (RETIRED) gentoo-dev 2005-05-03 16:41:08 UTC
Um, my 2 o'clock in the mornin' brain just doesn't work. :( The URL to test got stripped, so the test wouldn't succeed, leaving the door wide open - as far as anyone is using Kommander scripts.

An updated advisory regarding this bug and Bug 88862 follows later today.
Comment 21 Markus Rothe (RETIRED) gentoo-dev 2005-05-04 09:36:00 UTC
stable on ppc64
Comment 22 Bryan Østergaard (RETIRED) gentoo-dev 2005-05-05 00:20:44 UTC
Stable on alpha + ia64.
Comment 23 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-05-05 04:21:11 UTC
Stable on hppa.
Comment 24 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-07 10:51:04 UTC
Carlo is this ready to be closed again now?
Comment 25 Carsten Lohrke (RETIRED) gentoo-dev 2005-05-07 11:11:54 UTC
Up to you Sune. No GLSA update in order?
Comment 26 Thierry Carrez (RETIRED) gentoo-dev 2005-05-15 08:15:09 UTC
Time for a GLSA update...
Comment 27 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-15 08:49:32 UTC
As far as I understand the latest patch, it's just an extra/wrong warning. So no security issue. So I'll close it without a GLSA update. 
Comment 28 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-19 23:59:34 UTC
I was wrong, it apparently is an issue; reopening for GLSA update.

The Kommander patch was incorrect and still allowed execution of files served from /tmp.
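The trailing-slash problem described in comments 15, 20 and 28 is an instance of a general pitfall: deciding whether a file lives in an untrusted directory by comparing string prefixes. The C++ below is an added illustration written for this thread; it is not Kommander's code and not the KDE patch. The directory list, the `file://` handling and the sample file names are assumptions made for the example.

```cpp
// Added illustration for this bug thread, not Kommander's code or the KDE
// patch. A naive string-prefix test over-matches ("/tmpfoo" is flagged as
// being in /tmp) and under-matches (a path that only reaches /tmp after
// normalisation is not flagged). The corrected test respects directory
// boundaries.
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Directories whose contents should not be executed without confirmation.
// Constructed for the example; the real list is not on the page.
static const std::vector<std::string> kUntrustedDirs = {"/tmp", "/var/tmp"};

// Remove trailing slashes ("/tmp/" -> "/tmp") before comparing, as the
// comments describe the first patch doing.
static std::string stripTrailingSlashes(std::string p) {
    while (p.size() > 1 && p.back() == '/') p.pop_back();
    return p;
}

// Naive test: plain prefix comparison. "/tmpfoo" starts with "/tmp", so it
// is flagged too (the false positive reported in comment 15).
bool naiveIsUnderUntrustedDir(const std::string &path) {
    for (const auto &dir : kUntrustedDirs) {
        const std::string d = stripTrailingSlashes(dir);
        if (path.compare(0, d.size(), d) == 0) return true;
    }
    return false;
}

// Lexical normalisation: collapse "//", "." and ".." segments and drop any
// trailing slash. Purely textual: it does not resolve symlinks, so a real
// implementation should realpath() the file first and normalise the result.
static std::string lexicallyNormalize(const std::string &path) {
    std::vector<std::string> parts;
    std::istringstream in(path);
    std::string seg;
    while (std::getline(in, seg, '/')) {
        if (seg.empty() || seg == ".") continue;
        if (seg == "..") { if (!parts.empty()) parts.pop_back(); continue; }
        parts.push_back(seg);
    }
    std::string out;
    for (const auto &p : parts) out += "/" + p;
    return out.empty() ? "/" : out;
}

// Corrected test: the path is inside dir only if it equals dir or continues
// past dir with a '/' separator. "/tmp/foo" and "/tmp/" match; "/tmpfoo"
// does not.
bool isUnderUntrustedDir(const std::string &path) {
    const std::string p = lexicallyNormalize(path);
    for (const auto &dir : kUntrustedDirs) {
        const std::string d = lexicallyNormalize(dir);
        if (p == d) return true;
        if (p.size() > d.size() && p.compare(0, d.size(), d) == 0 &&
            p[d.size()] == '/')
            return true;
    }
    return false;
}

// Decide whether a dialog location needs user confirmation before its
// scripts run: any non-file URL is remotely supplied content, a local path
// is untrusted when it sits in one of kUntrustedDirs. The file:// handling
// is an assumption for the example, not Kommander's parser.
bool requiresConfirmation(const std::string &location) {
    static const std::string fileScheme = "file://";
    std::string path;
    if (location.compare(0, fileScheme.size(), fileScheme) == 0) {
        path = location.substr(fileScheme.size());
    } else if (location.find("://") != std::string::npos) {
        return true;  // http://, ftp://, ...: remote source
    } else {
        path = location;
    }
    // Relative or empty paths cannot be classified safely: be conservative.
    if (path.empty() || path[0] != '/') return true;
    return isUnderUntrustedDir(path);
}

int main() {
    // Constructed sample paths, including the two cases from comment 15.
    const std::vector<std::string> paths = {
        "/tmp/foo", "/tmpfoo", "/home/user/../../tmp/dialog.kmdr",
        "/home/user/dialog.kmdr"};
    for (const auto &p : paths)
        std::cout << p << "  naive=" << naiveIsUnderUntrustedDir(p)
                  << "  fixed=" << isUnderUntrustedDir(p) << '\n';
    std::cout << "http://example.invalid/dialog.kmdr  confirm="
              << requiresConfirmation("http://example.invalid/dialog.kmdr")
              << '\n';
    return 0;
}
```

The boundary check (`p[d.size()] == '/'`) is what distinguishes `/tmp/foo` from `/tmpfoo`; the normalisation step is what keeps `..` segments from hiding a temp-directory path. Neither replaces resolving symlinks: a lexical check alone still trusts `/home/user/link/x` when `link` points into `/tmp`.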
Comment 29 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-20 05:53:34 UTC
Comment 30 Thierry Carrez (RETIRED) gentoo-dev 2005-05-20 10:52:59 UTC
Then we close it.
Comment 31 Hardave Riar (RETIRED) gentoo-dev 2005-07-07 22:46:55 UTC
Stable on mips.