from the advisory draft:
20/04/2005 Coordinated Public Disclosure
1. Systems affected:
Quanta 3.1.x, KDE 3.2 and new up to including KDE 3.4.0.
Kommander is a visual editor and interpreter to edit and
interpret visual dialogs and execute scripts attached to
Kommander executes without user confirmation data files
from possibly untrusted locations. As they contain
scripts, the user might accidentally run arbitrary code.
Remotly supplied kommander files from untrusted sources
are executed without confirmation.
Source code patches have been made available which fix these
vulnerabilities. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.
Arch herds, please mark stable. Thanks! :)
Arches can't access restricted bugs -> uncc'ing arches and cc'ing individual devs. (We'll handle it public later today if we see any advisories.)
Please test and mark kdewebdev-3.3.2-r1 stable.
If you are not able to mark stable please cc another dev for your arch.
x86 is already stable.. (you're lucky since I dont have kde ;)
stable on ppc64
Stable on SPARC.
Sune: Sorry, I thought we can immediatly open when the discosure date is met. Would it be possible to establish a always up to date arch/security contact list I can grab with a script?
cc'd cryos for amd64 since he has time, agriffis for ia64 (and alpha maybe)
Stable on amd64.
Stable on alpha + ia64.
This is public now -> opening.
Ehh sorry, now it is open. Sorry for the spam.
The GLEP should probably mention the split-out kommander as well as the monolithic one.
but sounds correct, kde-base/kommander was also fixed with 3.4.0-r1
It has been ~arch masked though.
The KDE split ebuilds are not stable yet and therefor not mentioned. Until we have a better staffing situtation we do not issue GLSAs about unstable packages.
See Non-stable packages in the first chapter of the Vulnerability Policy:
mips, hppa remember to mark stable to benifit from GLSA.
There's a bug in the original patch, causing a trailing / to be stripped, so e.g. not only /tmp/foo, but /tmpfoo would cause a temp directory warning as well.
This is a minor issue, but it would be nice, if you would mark
stable as well. The kde.org guys plan to update their advisory. Don't know, if we do in such a case.
Thx Carlo. Arches please test and mark stable.
We'll update our GLSA but not issue an update as the security issue is fixed already.
stable on amd64
Stable on ppc.
Um, my 2 o'clock in the mornin' brain just doesn't work. :( The url to test got stripped, so the test wouldn't succeed, leaving the door wide open - as far as anyone is using kommander scripts.
An updated kde.org advisory regarding this bug and Bug 88862 follows later today.
Stable on hppa.
Carlo is this ready to be closed again now?
Up to you Sune. No GLSA update in order?
Time for a GLSA update...
As far as I understand the latest patch, it's just an extra/wrong warning. So no security issue. So I'll close it without a GLSA update.
I was wrong it apparently is an issue, reopening for GLSA update.
The Kommander patch was incorrect and still allowed execution of files served from /tmp.
GLSA UPDATE sent.
Then we close it.
Stable on mips.