Bug 55560 (CVE-2004-0411)

Summary: VUL-0: CVE-2004-0411: telnet:// patch for kdelibs
Product: [Novell Products] SUSE Security Incidents
Reporter: Sebastian Krahmer <krahmer>
Component: Incidents
Assignee: E-mail List <kde-maintainers>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0411: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: ---
Services Priority: ---
Business Priority: ---
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: first patch
second patch
3rd patch
patchinfo
patchinfo for box
patchinfo for SLES7 mailto

Description Sebastian Krahmer 2004-05-14 16:53:19 UTC
Date: Fri, 14 May 2004 00:19:56 +0200
From: Waldo Bastian <bastian@kde.org>
To: kde-packager@kde.org, vendor-sec@lst.de
Cc: security@kde.org, kde-maintainers@suse.de
Subject: [vendor-sec] [PRENOTIFICATION] KDE Security Advisory: Telnet URI
    Handler File Vulnerability
----------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


The following security advisory will be released on Monday, May 17. Patches
will be published on the ftp site on Monday and have been attached to this
e-mail.

Cheers,
Waldo
-- 
bastian@kde.org  |   Novell BrainShare Europe 2004   |  bastian@suse.com
bastian@kde.org  | 12-18 September, Barcelona, Spain |  bastian@suse.com


KDE Security Advisory: Telnet URI Handler File Vulnerability
Original Release Date: 2004-05-17
URL: http://www.kde.org/info/security/advisory-20040517-1.txt

0. References

        http://www.idefense.com/application/poi/display?id=104
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0411


1. Systems affected:

        All versions of KDE up to KDE 3.2.2 inclusive. 


2. Overview:

        iDEFENSE identified a vulnerability in the Opera Web Browser
        that could allow remote attackers to create or truncate
        arbitrary files. The KDE team has found that a similar
        vulnerability exists in KDE.

        The problem specifically exists within the telnet URI handler.
        The telnet handler does not check for '-' at the beginning of
        the hostname passed through the handler, which lets options pass
        to the telnet program, allowing file creation or overwriting.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2004-0411 to this issue.


3. Impact:

        A remote attacker could entice a user to open a carefully crafted
        telnet URI which may either create or truncate a file in the
        victim's home directory. In KDE 3.2 and later versions the user
        is first explicitly asked to confirm the opening of the telnet URI.


4. Solution:

        As a workaround, remove the telnet.protocol file.


5. Patch:

        A patch for KDE 3.0.5b is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        eaf9237b3af56b3b01df966b13fe2714  post-3.0.5b-kdelibs-ktelnetservice.patch

        A patch for KDE 3.1.5 is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        bde52aa0bba055c4f678540ec20bfe5a  post-3.1.5-kdelibs-ktelnetservice.patch

        A patch for KDE 3.2.2 is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        52e0e955204a77781505d33b9a3c341d  post-3.2.2-kdelibs-ktelnetservice.patch


6. Time line and credits:

        02/04/2003 Exploit acquired by iDEFENSE
        12/05/2004 Public disclosure of Opera vulnerability
        13/05/2004 KDE Team informed by Martin Ostertag
        13/05/2004 Patches created
        14/05/2004 Vendors notified
        17/05/2004 Public advisory

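The check the advisory describes (reject a hostname that begins with '-' so it cannot reach telnet as an option), written here as an added example in the spirit of the kdelibs fix; it is not KDE's own ktelnetservice code. It assumes the URI shape telnet://[user@]host[:port][/...] and telnet's standard `-l user` flag, and does not handle IPv6 literals.

```cpp
// Added example (not KDE's ktelnetservice code): validate a telnet:// URI
// before turning it into an argv for the telnet binary. Assumed URI shape:
// telnet://[user@]host[:port][/...]; IPv6 literals are not handled.
#include <cctype>
#include <stdexcept>
#include <string>
#include <vector>

// A token is safe when it is non-empty, does not start with '-' (so telnet's
// option parser cannot read it as a flag) and uses only allowed characters.
static bool isSafeToken(const std::string& s, const std::string& extra) {
    if (s.empty() || s[0] == '-') return false;
    for (unsigned char c : s)
        if (!std::isalnum(c) && extra.find(static_cast<char>(c)) == std::string::npos)
            return false;
    return true;
}

// Build {"telnet", ["-l", user], host, [port]} or throw std::invalid_argument.
// The caller is expected to exec this argv directly, never through a shell.
std::vector<std::string> buildTelnetArgv(const std::string& uri) {
    static const std::string scheme = "telnet://";
    if (uri.compare(0, scheme.size(), scheme) != 0)
        throw std::invalid_argument("not a telnet URI");
    std::string host = uri.substr(scheme.size());
    std::size_t pos = host.find('/');                  // drop any path part
    if (pos != std::string::npos) host.erase(pos);
    std::string user, port;
    if ((pos = host.find('@')) != std::string::npos) {
        user = host.substr(0, pos); host.erase(0, pos + 1);
    }
    if ((pos = host.find(':')) != std::string::npos) {
        port = host.substr(pos + 1); host.erase(pos);
    }
    if (!isSafeToken(host, ".-")) throw std::invalid_argument("rejected host: " + host);
    if (!user.empty() && !isSafeToken(user, "._-"))
        throw std::invalid_argument("rejected user: " + user);
    for (unsigned char c : port)                       // digits only, no "-x"
        if (!std::isdigit(c)) throw std::invalid_argument("rejected port: " + port);
    std::vector<std::string> argv{"telnet"};
    if (!user.empty()) { argv.push_back("-l"); argv.push_back(user); }
    argv.push_back(host);
    if (!port.empty()) argv.push_back(port);
    return argv;
}

// Convenience predicate: would this URI be handed to telnet at all?
bool telnetUriAccepted(const std::string& uri) {
    try { buildTelnetArgv(uri); return true; }
    catch (const std::invalid_argument&) { return false; }
}
```

Validation, not a "--" separator, is the primary defense here, since not every telnet build stops option parsing at "--".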
Comment 1 Sebastian Krahmer 2004-05-14 16:53:19 UTC
...
Comment 2 Sebastian Krahmer 2004-05-14 16:54:15 UTC
Created attachment 19604 [details]
first patch

...
Comment 3 Sebastian Krahmer 2004-05-14 16:54:46 UTC
Created attachment 19605 [details]
second patch

...
Comment 4 Sebastian Krahmer 2004-05-14 16:55:15 UTC
Created attachment 19606 [details]
3rd patch

...
Comment 5 Roman Drahtmueller 2004-05-14 18:58:38 UTC
This is going to be public on Monday next week. Adrian, when do you think there
will be packages available for testing, at least?

Thanks,
Roman.
Comment 6 Adrian Schröter 2004-05-14 19:27:46 UTC
I'm starting to work on this now ...
so, I guess it should be possible.
Comment 7 Adrian Schröter 2004-05-14 23:47:21 UTC
jfyi, Waldo also fixed a possible misuse of the email address, which was given to
kmail as a direct argument.

The 9.1 package is submitted, the rest will follow tomorrow.
Comment 8 Sebastian Krahmer 2004-05-17 17:52:06 UTC
So, the mailto handler has been fixed too? Nice. Which distros are affected?
Anything that edit_patchinfo creates for the kdelibs3 package?
Comment 9 Adrian Schröter 2004-05-17 18:01:34 UTC
The mailto handler was in all (SLES7-9.1).

The telnet issue was only in the KDE 3 based distros (8.0-9.1 + SLES8), because
we disabled the telnet and rlogin protocol in former security updates for SLES7.
Comment 10 Sebastian Krahmer 2004-05-17 18:05:10 UTC
So, the patchinfos I submitted should be ok. Could you please have a look,
they are mode 0666...
I will also append them here now.
Comment 11 Sebastian Krahmer 2004-05-17 18:05:52 UTC
Created attachment 19718 [details]
patchinfo

...
Comment 12 Sebastian Krahmer 2004-05-17 18:06:22 UTC
Created attachment 19719 [details]
patchinfo for box

...
Comment 13 Adrian Schröter 2004-05-17 18:07:35 UTC
patchinfos for "kdelibs" (KDE 2.x) for SLES 7 are missing 
Comment 14 Sebastian Krahmer 2004-05-17 18:15:25 UTC
Created attachment 19720 [details]
patchinfo for SLES7 mailto

Submitted. Please have a look.
Text slightly changed to reflect mailto: instead of telnet://
and kdelibs instead of kdelibs3.
Comment 15 Sebastian Krahmer 2004-05-26 19:45:52 UTC
Announced in SuSE-SA:2004:014
Comment 16 Sebastian Krahmer 2004-05-26 19:46:17 UTC
...
Comment 17 Thomas Biege 2009-10-13 20:22:10 UTC
CVE-2004-0411: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)