504994 – (CVE-2014-2527) <kde-misc/kdirstat-2.7.5 : insufficient quote escaping leading to arbitrary command execution (CVE-2014-{2527,2528})

Bug 504994 (CVE-2014-2527) - <kde-misc/kdirstat-2.7.5 : insufficient quote escaping leading to arbitrary command execution (CVE-2014-{2527,2528})

Summary: <kde-misc/kdirstat-2.7.5 : insufficient quote escaping leading to arbitrary c...

Status:	RESOLVED FIXED

Alias:	CVE-2014-2527

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	http://www.openwall.com/lists/oss-sec...
Whiteboard:	B2 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2014-03-18 16:52 UTC by Agostino Sarubbo
Modified:	2014-10-13 20:36 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2014-03-18 16:52:59 UTC

From ${URL} :

Adrian Panasiuk discovered that the KDirStat (KDE Directory Statistics) 
tool did not correctly escape quotes when deleting a directory 
permanently. Attempting to use KDirStat to permanently delete a 
directory that has a malicious name could result in arbitrary command 
execution.

Original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741659

The Debian report is about single quotes. On Fedora 
(https://bugzilla.redhat.com/show_bug.cgi?id=1077059) double quotes were 
needed.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Johannes Huber (RETIRED) gentoo-dev

2014-03-18 17:10:10 UTC

Version bumped. Go ahead with stabilization.

+*kdirstat-2.7.5 (18 Mar 2014)
+
+  18 Mar 2014; Johannes Huber <johu@gentoo.org> +kdirstat-2.7.5.ebuild:
+  Version bump wrt bug #504994.
+

Comment 2 Agostino Sarubbo gentoo-dev

2014-03-18 19:57:16 UTC

Arches, please test and mark stable:
=kde-misc/kdirstat-2.7.5
Target keywords : "amd64 x86"

Comment 3 Agostino Sarubbo gentoo-dev

2014-03-19 13:39:42 UTC

amd64 stable

Comment 4 Agostino Sarubbo gentoo-dev

2014-03-19 13:39:56 UTC

x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 5 Michael Palimaka (kensington) gentoo-dev

2014-03-19 13:44:06 UTC

+  19 Mar 2014; Michael Palimaka <kensington@gentoo.org> -kdirstat-2.7.3.ebuild:
+  Remove old version vulnerable to CVE-2014-2527 wrt bug #504994.

Comment 6 Johannes Huber (RETIRED) gentoo-dev

2014-03-19 16:20:47 UTC

Thanks all. Removing kde from cc as it is nothing to do for us anymore.

Comment 7 Sergey Popov gentoo-dev

2014-03-21 08:43:08 UTC

GLSA request filed

Comment 8 GLSAMaker/CVETool Bot gentoo-dev

2014-06-15 17:14:52 UTC

This issue was resolved and addressed in
 GLSA 201406-15 at http://security.gentoo.org/glsa/glsa-201406-15.xml
by GLSA coordinator Mikle Kolyada (Zlogene).

Comment 9 GLSAMaker/CVETool Bot gentoo-dev

2014-10-13 20:36:00 UTC

CVE-2014-2528 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2528):
  kcleanup.cpp in KDirStat 2.7.3 does not properly quote strings when deleting
  a directory, which allows remote attackers to execute arbitrary commands via
  a ' (single quote) character in the directory name, a different
  vulnerability than CVE-2014-2527.

CVE-2014-2527 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2527):
  kcleanup.cpp in KDirStat 2.7.0 does not properly quote strings when deleting
  a directory, which allows remote attackers to execute arbitrary commands via
  a " (double quote) character in the directory name, a different
  vulnerability than CVE-2014-2528.