Bugzilla – Bug 55560
VUL-0: CVE-2004-0411: telnet:// patch for kdelibs
Last modified: 2021-10-12 13:30:38 UTC
Date: Fri, 14 May 2004 00:19:56 +0200
From: Waldo Bastian <bastian@kde.org>
To: kde-packager@kde.org, vendor-sec@lst.de
Cc: security@kde.org, kde-maintainers@suse.de
Subject: [vendor-sec] [PRENOTIFICATION] KDE Security Advisory: Telnet URI Handler File Vulnerability

The following security advisory will be released on Monday, May 17. Patches will be published on the ftp site on Monday and have been attached to this e-mail.

Cheers,
Waldo
--
bastian@kde.org | Novell BrainShare Europe 2004 | bastian@suse.com
bastian@kde.org | 12-18 September, Barcelona, Spain | bastian@suse.com

KDE Security Advisory: Telnet URI Handler File Vulnerability
Original Release Date: 2004-05-17
URL: http://www.kde.org/info/security/advisory-20040517-1.txt

0. References
http://www.idefense.com/application/poi/display?id=104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0411

1. Systems affected:
All versions of KDE up to KDE 3.2.2 inclusive.

2. Overview:
iDEFENSE identified a vulnerability in the Opera Web Browser that could allow remote attackers to create or truncate arbitrary files. The KDE team has found that a similar vulnerability exists in KDE. The problem specifically exists within the telnet URI handler. The telnet handler does not check for '-' at the beginning of the hostname passed through the handler, which lets options pass to the telnet program, allowing file creation or overwriting.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0411 to this issue.

3. Impact:
A remote attacker could entice a user to open a carefully crafted telnet URI which may either create or truncate a file in the victim's home directory. In KDE 3.2 and later versions the user is first explicitly asked to confirm the opening of the telnet URI.

4. Solution:
As a workaround, remove the telnet.protocol file.

5. Patch:
A patch for KDE 3.0.5b is available from ftp://ftp.kde.org/pub/kde/security_patches :
eaf9237b3af56b3b01df966b13fe2714 post-3.0.5b-kdelibs-ktelnetservice.patch

A patch for KDE 3.1.5 is available from ftp://ftp.kde.org/pub/kde/security_patches :
bde52aa0bba055c4f678540ec20bfe5a post-3.1.5-kdelibs-ktelnetservice.patch

A patch for KDE 3.2.2 is available from ftp://ftp.kde.org/pub/kde/security_patches :
52e0e955204a77781505d33b9a3c341d post-3.2.2-kdelibs-ktelnetservice.patch

6. Time line and credits:
02/04/2003 Exploit acquired by iDEFENSE
12/05/2004 Public disclosure of Opera vulnerability
13/05/2004 KDE Team informed by Martin Ostertag
13/05/2004 Patches created
14/05/2004 Vendors notified
17/05/2004 Public advisory
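The missing check the advisory describes, as an added example that is not KDE's ktelnetservice code: a Python URI-to-argv builder that rejects any host or user that the telnet client could parse as an option and validates hostname syntax before the client is invoked. `naive_argv` reproduces the pre-patch pattern for contrast; all function and class names here are this example's own.

```python
"""Hardened telnet:// URI-to-argv builder (added example, not KDE's ktelnetservice)."""
import re
from urllib.parse import urlsplit

# RFC 1123 label: letters, digits and hyphens, starting and ending with a letter or digit,
# so a host that begins with '-' can never match.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")
_USER_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$")  # likewise cannot start with '-'

class UnsafeTelnetURI(ValueError):
    """Raised for any URI that must not be handed to the telnet binary."""

def naive_argv(uri: str) -> list[str]:
    """The pre-patch pattern: whatever follows telnet:// becomes telnet's first argument."""
    return ["telnet", uri[len("telnet://"):].split("/", 1)[0]]

def build_telnet_argv(uri: str) -> list[str]:
    """Return an argv list for the telnet client, or raise UnsafeTelnetURI."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "telnet":
        raise UnsafeTelnetURI(f"unexpected scheme: {parts.scheme!r}")
    host = parts.hostname  # lowercased by urlsplit; IPv6 literals are deliberately not accepted
    if not host or host.startswith("-") or not _HOST_RE.fullmatch(host):
        raise UnsafeTelnetURI(f"rejected host: {host!r}")
    try:
        port = parts.port  # urlsplit raises ValueError for a non-numeric or out-of-range port
    except ValueError as exc:
        raise UnsafeTelnetURI("malformed port") from exc
    if port is not None and not 1 <= port <= 65535:
        raise UnsafeTelnetURI(f"port out of range: {port}")
    user = parts.username
    if user is not None and not _USER_RE.fullmatch(user):
        raise UnsafeTelnetURI(f"rejected user: {user!r}")
    argv = ["telnet"]
    if user:
        argv += ["-l", user]  # the only option ever passed, and the handler chooses it
    argv.append(host)
    if port is not None:
        argv.append(str(port))
    return argv  # hand to subprocess.run(argv): a list, so no shell ever parses it

def is_safe(uri: str) -> bool:
    try:
        build_telnet_argv(uri)
    except UnsafeTelnetURI:
        return False
    return True
```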
Created attachment 19604: first patch
Created attachment 19605: second patch
Created attachment 19606: 3rd patch
This is going to be public on Monday next week. Adrian, when do you think there will be packages available for testing, at least? Thanks, Roman.
I start to work on this now ... so, I guess it should be possible.
JFYI, Waldo also fixed a possible misuse of the email address, which was given to kmail as a direct argument. The 9.1 package is submitted; the rest will follow tomorrow.
So, the mailto handler has been fixed too? Nice. Which distros are affected? Anything that edit_patchinfo creates for the kdelibs3 package?
The mailto handler was in all (SLES7-9.1). The telnet issue was only in all KDE 3-based distros (8.0-9.1 + SLES8), because we disabled the telnet and rlogin protocols in former security updates for SLES7.
So, the patchinfos I submitted should be ok. Could you please have a look, they are mode 0666... I will also append them here now.
Created attachment 19718: patchinfo
Created attachment 19719: patchinfo for box
patchinfos for "kdelibs" (KDE 2.x) for SLES 7 are missing
Created attachment 19720: patchinfo for SLES7 mailto
Submitted. Please have a look. Text slightly changed to reflect mailto: instead of telnet:// and kdelibs instead of kdelibs3.
Announced in SuSE-SA:2004:014
CVE-2004-0411: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)