KDE Security Advisory: Kate backup file permission leak
Original Release Date: 2005-07-18
URL: http://www.kde.org/info/security/advisory-20050718-1.txt

0. References

CVE CAN XXXXXXXX
https://bugs.kde.org/show_bug.cgi?id=103331

1. Systems affected:

All maintained versions of Kate and Kwrite as shipped with KDE up to and including 3.4.0. KDE 3.4.1 and newer are not affected.

2. Overview:

Kate / Kwrite create a backup file before saving a modified file. These backup files are created with default permissions, even if the original file had stricter permissions set.

3. Impact:

Depending on the system security settings, backup files might be readable by other users. Kate / Kwrite are network-transparent applications, and therefore this vulnerability might not be restricted to local users.

4. Solution:

Source code patches have been made available which fix these vulnerabilities. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages.

5. Patch:

A patch for KDE up to and including 3.4.0 is available from ftp://ftp.kde.org/pub/kde/security_patches :

50f7bc6d8cf4b7aaa65e4e8062fc46c9 post-3.4.0-kdelibs-kate.diff
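The permission leak the advisory describes, shown as an added Python illustration (this is not Kate's code nor the KDE patch): a backup written with the process default mode inherits the umask, while the hardened variant creates the backup owner-only and only then copies the original file's mode bits onto it. The `secret.txt` file, the `~` backup suffix and the `demo` helper are constructed for this example.

```python
import os
import shutil
import stat
import tempfile


def backup_with_default_perms(path: str) -> str:
    """Flawed pattern: open() creates the backup with mode 0o666 masked by the
    process umask, so a 0600 original can end up with a world-readable copy."""
    backup = path + "~"
    with open(path, "rb") as src, open(backup, "wb") as dst:
        shutil.copyfileobj(src, dst)
    return backup


def backup_preserving_perms(path: str) -> str:
    """Hardened pattern: create the backup exclusively with owner-only mode first,
    then apply the original's permission bits; the file is never more open than
    the source at any point in its lifetime."""
    backup = path + "~"
    mode = stat.S_IMODE(os.stat(path).st_mode)
    fd = os.open(backup, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as dst, open(path, "rb") as src:
            shutil.copyfileobj(src, dst)
            os.fchmod(dst.fileno(), mode)  # widen only up to the original's mode
    except BaseException:
        os.unlink(backup)  # do not leave a partial backup behind
        raise
    return backup


def demo(umask: int = 0o022) -> dict:
    """Constructed scenario: a private (0600) file is backed up both ways under
    the given umask; returns the resulting mode bits for comparison."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            secret = os.path.join(tmp, "secret.txt")
            with open(secret, "w") as f:
                f.write("constructed private content\n")
            os.chmod(secret, 0o600)
            leaky = backup_with_default_perms(secret)
            leaky_mode = stat.S_IMODE(os.stat(leaky).st_mode)
            os.unlink(leaky)
            safe = backup_preserving_perms(secret)
            safe_mode = stat.S_IMODE(os.stat(safe).st_mode)
            return {"original": 0o600, "default_backup": leaky_mode,
                    "preserving_backup": safe_mode}
    finally:
        os.umask(old_umask)
```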
Created attachment 63200: post-3.4.0-kdelibs-kate.diff
Carlo/Caleb, if you want to release this on the coordinated date, please attach an updated ebuild to this bug. Otherwise we'll start the normal procedure when it goes public, as this seems to be a minor issue. If you provide an updated ebuild, please do NOT commit anything to the tree.
> If you provide an updated ebuild please do NOT commit anything to the tree.

Huh? I hope committing Jul 18 00:00:00 CEST is o.k., or what do we have to wait for!? IMHO it should suffice if we fix KDE 3.3; whoever is still using KDE 3.2 is asked to upgrade. If you don't think so, Caleb, please raise your voice. :)
Carlo, if you provide an updated ebuild before the 18th, please do not commit it but instead attach it to this bug and we will call individual arch testers (these are the steps we call preebuild and prestable). Otherwise we could wait and just start stable marking on the 18th, as this issue seems minor. On the 18th you can commit after we see the official KDE announcement, which is probably not at 00:00:00 UTC.
Created attachment 63659: post-3.3.2-kdelibs-kate.diff
Created attachment 63660: kdelibs-3.3.2-r10.ebuild
Carlo/Caleb, please also provide an updated ebuild for 3.4. When you see the official announcement, you can commit and comment on this bug.
KDE 3.4.1 is not affected.
Carlo, please commit the updated ebuild. I'll open the bug shortly / open a new public one.
KDE/Patchers, please commit the updated ebuild.
<<< kdelibs-3.3.2-r10.ebuild herds, would you mark stable, please!? :)
stable on ppc64
ppc stable
sparc-a-go-go
Stable on mips.
Stable on hppa
Stable on amd64.
Stable on alpha.
Stable on ia64.
This one is ready for GLSA decision. I vote NO.
Also vote NO.
Two NO votes -> Closing with NO GLSA. Feel free to reopen if you disagree.