Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 98735 - kde-base/kdelibs Kate backup file permission leak (CAN-2005-1920)
Summary: kde-base/kdelibs Kate backup file permission leak (CAN-2005-1920)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://www.kde.org/info/security/advi...
Whiteboard: A4 [noglsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-07-11 22:36 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-07-23 04:14 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
post-3.4.0-kdelibs-kate.diff (post-3.4.0-kdelibs-kate.diff,2.06 KB, patch)
2005-07-11 22:37 UTC, Sune Kloppenborg Jeppesen (RETIRED)
no flags Details | Diff
post-3.3.2-kdelibs-kate.diff (post-3.3.2-kdelibs-kate.diff,2.16 KB, text/plain)
2005-07-17 18:29 UTC, Carsten Lohrke (RETIRED)
no flags Details
kdelibs-3.3.2-r10.ebuild (kdelibs-3.3.2-r10.ebuild,4.23 KB, text/plain)
2005-07-17 18:30 UTC, Carsten Lohrke (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-11 22:36:38 UTC
KDE Security Advisory: Kate backup file permission leak
Original Release Date: 2005-07-18
URL: http://www.kde.org/info/security/advisory-20050718-1.txt

0. References
	CVE CAN XXXXXXXX
        https://bugs.kde.org/show_bug.cgi?id=103331


1. Systems affected:

        All maintained versions of Kate and Kwrite as shipped with
        KDE up to including 3.4.0. KDE 3.4.1 and newer is not affected.


2. Overview:

	Kate / Kwrite create a file backup before saving a modified
        file. These backup files are created with default permissions,
        even if the original file had more strict permissions set.


3. Impact:

	Depending on the system security settings, backup files
        might be readable by other users.  Kate / Kwrite are
        network transparent applications and therefore this
        vulnerability might not be restricted to local users.


4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.


5. Patch:

        A patch for KDE up to including 3.4.0 is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        50f7bc6d8cf4b7aaa65e4e8062fc46c9  post-3.4.0-kdelibs-kate.diff
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-11 22:37:54 UTC
Created attachment 63200 [details, diff]
post-3.4.0-kdelibs-kate.diff
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-11 22:41:31 UTC
Carlo/Caleb if you want to release this at the coordinated date please attach 
an updated ebuild to this bug. Otherwise we'll start the normal procedure when 
it goes public as this seems to be a minor issue. 
 
If you provide an updated ebuild please do NOT commit anything to the tree. 
Comment 3 Carsten Lohrke (RETIRED) gentoo-dev 2005-07-15 15:33:52 UTC
> If you provide an updated ebuild please do NOT commit anything to the tree.

Huh? I hope committing Jul 18 00:00:00 CEST is o.k., or what do we have to wait
for!?

Imho it should suffice if we fix KDE 3.3, who is still using KDE 3.2 is asked to
upgrade. If you don't think so Caleb, please raise your voice. :)
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-16 00:11:44 UTC
Carlo if you provide an updated ebuild before the 18th please do not commit it   
but instead attach it to this bug and we will call individual arch testers  
(This is the steps we call preebuild and prestable).  
 
Otherwise we could wait  
and just start stable marking on the 18th as this issue seems minor. 
  
On the 18th you can commit after we see the official KDE announcement, which  
is probably not at 00:00:00 UTC  
Comment 5 Carsten Lohrke (RETIRED) gentoo-dev 2005-07-17 18:29:25 UTC
Created attachment 63659 [details]
post-3.3.2-kdelibs-kate.diff
Comment 6 Carsten Lohrke (RETIRED) gentoo-dev 2005-07-17 18:30:05 UTC
Created attachment 63660 [details]
kdelibs-3.3.2-r10.ebuild
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-17 22:51:56 UTC
Carlo/Caleb please also provide an updated ebuild for 3.4. When you see the 
official announcement you can commit and comment on this bug. 
Comment 8 Carsten Lohrke (RETIRED) gentoo-dev 2005-07-18 02:09:10 UTC
KDE 3.4.1 is not affected.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-18 06:41:05 UTC
Carlo please commit the updated ebuild. I'll open the bug shortly/open new 
public one. 
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-18 07:20:39 UTC
KDE/Patchers please commit the updated ebuild. 
Comment 11 Carsten Lohrke (RETIRED) gentoo-dev 2005-07-18 09:26:56 UTC
<<< kdelibs-3.3.2-r10.ebuild

herds, would you mark stable, please!? :)
Comment 12 Markus Rothe (RETIRED) gentoo-dev 2005-07-19 01:43:23 UTC
stable on ppc64
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2005-07-19 03:59:05 UTC
ppc stable
Comment 14 Gustavo Zacarias (RETIRED) gentoo-dev 2005-07-20 07:01:36 UTC
sparc-a-go-go
Comment 15 Hardave Riar (RETIRED) gentoo-dev 2005-07-20 12:22:49 UTC
Stable on mips.
Comment 16 René Nussbaumer (RETIRED) gentoo-dev 2005-07-20 13:57:30 UTC
Stable on hppa
Comment 17 Herbie Hopkins (RETIRED) gentoo-dev 2005-07-20 15:33:16 UTC
Stable on amd64.
Comment 18 Bryan Østergaard (RETIRED) gentoo-dev 2005-07-22 11:49:59 UTC
Stable on alpha.
Comment 19 Bryan Østergaard (RETIRED) gentoo-dev 2005-07-22 14:58:37 UTC
Stable on ia64.
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-23 01:06:50 UTC
This one is ready for GLSA decision. I vote NO. 
Comment 21 Tavis Ormandy (RETIRED) gentoo-dev 2005-07-23 01:50:27 UTC
Also vote NO.
Comment 22 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-23 04:14:07 UTC
Two NO votes -> Closing with NO GLSA. 
 
Feel free to reopen if you disagree.