Please stabilize - kde-base/kget-4.3.3-r1 (hppa)
Please stabilize - kde-base/kget-4.3.5-r1 (all archs except hppa)
(also fixed in kde-base/kget-4.4.3-r1 - remains ~arch)
KDE Security Advisory: KGet Directory Traversal and Insecure File Operation
Original Release Date: 2010-05-13
1. Systems affected:
KGet as shipped with KDE SC 4.0.0 up to and including KDE SC 4.4.3. Earlier
versions of KDE SC may also be affected.
1) The "name" attribute of the "file" element of metalink files is not
properly sanitized before being used to download files. If a user is
tricked into downloading from a specially-crafted metalink file, this can
be exploited to download files to directories outside of the intended
download directory via directory traversal attacks. (CVE-2010-1000)
2) In some versions of KGet (2.4.2) a dialog box is displayed allowing the
user to choose the file to download out of the options offered by the
metalink file. However, KGet will simply go ahead and start the download
after some time - even without prior acknowledgment of the user, and
overwriting already-existing files of the same name. (CVE-2010-1511)
The vulnerabilities were reported by and the above text provided by Stefan
Cornelius of Secunia Research.
1) Files may be created or overwritten in directories outside of a user's
intended download directory.
2) Files may be created or overwritten in a user's intended download
directory without acknowledgement of the user.
Source code patches have been made available which fix these
vulnerabilities. At the time of this writing most OS vendor / binary
package providers should have updated binary packages. Contact your OS
vendor / binary package provider for information about how to obtain
updated binary packages.
Patches have been committed to the KDE Subversion repository in the
following revision numbers:
4.3 branch: r1126227
4.4 branch: r1124974
Patches for KDE SC 4.3 and KDE SC 4.4 may be obtained directly from the
Subversion repository (no checkout needed) with the following command and
reference SHA1 sums:
4.3 branch: dc1b2af664fb4c74c018e9c6b02859b5c42ecd65
svn diff -r 1126226:1126227 \
4.4 branch: 3ed1b2333ba324e1fc6c1994cef1715eb0b6f457
svn diff -r 1124973:1124974 \
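For the "name" sanitization issue (CVE-2010-1000) and the overwrite-without-confirmation issue (CVE-2010-1511) described in the advisory above, the following added Python check is illustrative only and is not KGet's code or the KDE patch: it parses a constructed metalink document, rejects any file name that would resolve outside the download directory, and flags already-existing destinations so a client can insist on explicit user confirmation before overwriting. The download directory path and the sample file names are assumptions.

```python
import os
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample: one benign entry, one relative traversal, one absolute path.
SAMPLE_METALINK = """<?xml version="1.0" encoding="UTF-8"?>
<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="releases/app-1.0.tar.gz"/>
  <file name="../../.bashrc"/>
  <file name="/etc/cron.d/job"/>
</metalink>"""


def safe_destination(download_dir, name):
    """Return the absolute destination for a metalink file name, or None
    when the name is empty, absolute, contains '.' or '..' components, or
    would otherwise resolve outside download_dir."""
    if not name or "\\" in name or "\0" in name or posixpath.isabs(name):
        return None
    parts = name.split("/")
    if any(p in ("", ".", "..") for p in parts):
        return None
    root = os.path.realpath(download_dir)
    dest = os.path.realpath(os.path.join(root, *parts))
    # Containment check on the resolved path also catches symlinked directories.
    if os.path.commonpath([root, dest]) != root:
        return None
    return dest


def plan_downloads(download_dir, metalink_xml):
    """Map each <file name="..."> to 'rejected', 'exists' (must not be
    written without explicit user confirmation) or 'ok'."""
    plan = {}
    for el in ET.fromstring(metalink_xml).iter():
        # Drop the namespace so metalink 3 and metalink 4 documents both match.
        if el.tag.rsplit("}", 1)[-1] != "file":
            continue
        name = el.get("name", "")
        dest = safe_destination(download_dir, name)
        if dest is None:
            plan[name] = "rejected"
        elif os.path.lexists(dest):
            plan[name] = "exists"
        else:
            plan[name] = "ok"
    return plan


if __name__ == "__main__":
    # Assumed download directory; nothing is written, only the plan is printed.
    for name, status in plan_downloads("/srv/kget-downloads", SAMPLE_METALINK).items():
        print(f"{status:8} {name}")
```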
Rating; adapting whiteboard, summary and severity.
alpha/ia64/sparc don't have kde stable yet
Directory traversal vulnerability in KGet in KDE SC 4.0.0 through
4.4.3 allows remote attackers to create arbitrary files via directory
traversal sequences in the name attribute of a file element in a
KGet 2.4.2 in KDE SC 4.0.0 through 4.4.3 does not properly request
download confirmation from the user, which makes it easier for remote
attackers to overwrite arbitrary files via a crafted metalink file.
neither does ppc64
Marked ppc stable, removing ppc64 since it doesn't have a stable kde4.
Is fixed in 4.4.4
ready for glsa
GLSA Vote: yes.
Vote: YES, glsa request filed.
removing KDE, CC us back if you need anything
<kget-4.3.5 long gone from tree..
This issue was resolved and addressed in
GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml
by GLSA coordinator Sean Amoss (ackle).