Bug 105588 - VUL-0: kaudiocreator allows to overwrite arbitrary files
Status: RESOLVED FIXED
Alias: None
Product: SUSE LINUX 10.0
Classification: openSUSE
Component: Security
Version: Beta 2
Hardware: Other All
: P5 - None : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
Whiteboard: patchinfos submitted
Reported: 2005-08-18 15:30 UTC by Dirk Mueller
Modified: 2005-10-06 17:05 UTC
Found By: Other
Description Dirk Mueller 2005-08-18 15:30:27 UTC
There's a bug in kaudiocreator that allows overwriting arbitrary files with
audio content if CDDB lookup is used (by default) and the CDDB entry contains
a title similar to "/../../somefile".

Although this smells like shell command injection, it's not. The file names are
properly quoted, except that it forgets to filter '/'.

Is this something that is worth patching? Bug is in all KDE 3.x releases.
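
The missing filter described in the report, sketched as an added example (not kaudiocreator's code and not the KDE patch): each CDDB field is reduced to a single path component before it is substituted into the file name pattern, and the expanded name is checked again before use. The `%{name}` placeholder syntax and all function names are assumptions made for illustration.

```cpp
#include <map>
#include <string>

// Make one untrusted metadata field (e.g. a CDDB title) usable as a single path
// component: separators and control bytes become '_'; "", "." and ".." are replaced.
std::string sanitize_component(const std::string& field) {
    std::string out;
    for (unsigned char c : field)
        out += (c == '/' || c == '\\' || c < 0x20 || c == 0x7f) ? '_' : static_cast<char>(c);
    if (out.empty() || out == "." || out == "..") out = "_";
    return out;
}

// Expand a trusted pattern with %{name} placeholders (hypothetical syntax).
// A '/' in the pattern creates a directory; a '/' in a field value never does.
std::string expand_pattern(const std::string& pattern,
                           const std::map<std::string, std::string>& fields) {
    std::string out;
    std::size_t i = 0;
    while (i < pattern.size()) {
        std::size_t close = pattern.compare(i, 2, "%{") ? std::string::npos
                                                        : pattern.find('}', i + 2);
        if (close != std::string::npos) {
            auto it = fields.find(pattern.substr(i + 2, close - i - 2));
            out += sanitize_component(it == fields.end() ? std::string() : it->second);
            i = close + 1;
        } else {
            out += pattern[i++];
        }
    }
    return out;
}

// Defence in depth: the expanded name must be relative and free of ".."
// components before it is joined to the output directory.
bool is_contained_relative(const std::string& rel) {
    if (rel.empty() || rel[0] == '/') return false;
    for (std::size_t start = 0; start <= rel.size();) {
        std::size_t end = rel.find('/', start);
        if (end == std::string::npos) end = rel.size();
        if (rel.compare(start, end - start, "..") == 0) return false;
        start = end + 1;
    }
    return true;
}

int main() {  // constructed CDDB data using the title quoted in the report
    std::map<std::string, std::string> cd = {{"artist", "Constructed Artist"}, {"title", "/../../somefile"}};
    return is_contained_relative(expand_pattern("%{artist}/%{title}.wav", cd)) ? 0 : 1;
}
```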
Comment 1 Dirk Mueller 2005-08-18 15:31:20 UTC
Forgot to mention that this came via KDE security, but we believe it's not
worth an advisory. We're however going to patch older revisions (current
development is already fixed for several months) anyway.
Comment 2 Thomas Biege 2005-08-19 07:50:17 UTC
I tend to vote for updating older versions too because this bug can be used for
attacking a wide range of users easily.
Comment 3 Sebastian Krahmer 2005-09-05 11:14:19 UTC
ping
Comment 4 Dirk Mueller 2005-09-05 11:18:58 UTC
ok, so you want an update? looking
Comment 5 Dirk Mueller 2005-09-05 11:28:17 UTC
Do we treat it as a security problem? I want to know who is writing the
patchinfo.
Comment 6 Thomas Biege 2005-09-05 11:54:24 UTC
Yes, let's tag it "security".
Comment 7 Thomas Biege 2005-09-05 12:15:55 UTC
Let me know if you are done submitting the packages. I'll do the rest.
Comment 8 Dirk Mueller 2005-09-05 13:32:16 UTC
Stable and 9.3 submitted, 9.2 is currently under test. This bug is KDE >=
3.3.2 only, so no other version (sles or similar) is affected.
Comment 9 Thomas Biege 2005-09-05 14:09:35 UTC
Maintenance-Tracker-2216
Comment 10 Dirk Mueller 2005-09-05 21:38:17 UTC
9.2, 9.3 and stable submitted. Needs update on x86/x86_64.
Comment 11 Thomas Biege 2005-09-06 07:05:54 UTC
Thanks.

/work/src/done/PATCHINFO/patchinfo-box.kmulmi
Comment 12 Thomas Biege 2005-09-08 10:45:38 UTC
approved