Bug 65027 (CVE-2005-0131)

Summary: VUL-0: CVE-2005-0131: konversation: several vulnerabilities
Product: [Novell Products] SUSE Security Incidents Reporter: Thomas Biege <thomas>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2005-0131: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: patchinfo-box.konversation

Description Thomas Biege 2005-01-20 21:03:19 UTC 
Hi, 
some bugs in konversation were posted to the public. 
 
Here are the links: 
http://wouter.coekaerts.be/konversation.html : 
http://wouter.coekaerts.be/files/konversation-parse.diff 
http://wouter.coekaerts.be/files/konversation-quickconnect.diff 
http://wouter.coekaerts.be/files/konversation-scripts.diff 
 
Konversation was not part of SL 8.1, right?
Comment 1 Thomas Biege 2005-01-20 21:03:19 UTC 
<!-- SBZ_reproduce  -->
-
Comment 2 Thomas Biege 2005-01-20 22:03:15 UTC 
Created attachment 27789 [details]
patchinfo-box.konversation
Comment 3 Thomas Biege 2005-01-25 20:15:11 UTC 
Looks like konversation was never part of a maintained product. Please 
correct me if I was wrong. 
 
X-Ref: 
CAN-2005-0129 
CAN-2005-0130 
CAN-2005-0131 
 
http://www.kde.org/info/security/advisory-20050121-1.txt
Comment 4 Joerg Reuter 2005-01-31 22:38:17 UTC 
Sorry, I was on vacation for the last three weeks. I'll take care of it ASAP.
Konversation is part of the box product only indeed, and I'll have to look
whether the problem also applies to 0.14 (I don't think so, but I'll check)
Comment 5 Joerg Reuter 2005-02-01 01:34:58 UTC 
I just checked: 0.14 (SL 9.2) is also affected by the quick button bug and the
script command injection issue. 0.9 (SL 8.2), 0.12 (SL 9.0) and 0.13 (SL 9.1)
are affected by the quick button bug. Oh dear...

The script command injection issue is a potentially serious one, the quick
button bug is mostly harmless, though. The quick connection bug is probably the
most serious one, but only present in 0.15, which is the version in STABLE. I'll
try to prepare the updates tomorrow.

For the reference numbers:
CAN-2005-0129 buttons (konversation-parse.diff)
CAN-2005-0130 insecure scripts (konversation-scripts.diff)
CAN-2005-0131 quick connect (konversation-quickconnect.diff)

(Just to get the patchinfo right without having to look up what's behind the CAN
numbers)
Comment 6 Joerg Reuter 2005-02-02 03:00:24 UTC 
Okay, fixed it for STABLE first due to time constraints. The others will follow.
Comment 7 Joerg Reuter 2005-02-03 01:34:32 UTC 
Submitted packages for SL 8.2, 9.0, 9.1 and 9.2 as well as the patchinfo.
Comment 8 Thomas Biege 2005-02-09 06:50:32 UTC 
thanks
Comment 9 Thomas Biege 2005-02-09 06:50:53 UTC 
reassigned...
Comment 10 Marcus Meissner 2005-02-11 21:07:30 UTC 
packages approved (were box only).
Comment 11 Marcus Meissner 2005-02-11 21:35:26 UTC 
marking as fixed
Comment 12 Thomas Biege 2009-10-13 20:59:35 UTC 
CVE-2005-0131: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)