Bug 65027 (CVE-2005-0131) - VUL-0: CVE-2005-0131: konversation: several vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2005-0131
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
Priority: P3 - Medium, Severity: Normal
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: CVE-2005-0131: CVSS v2 Base Score: 5....
Reported: 2005-01-20 21:03 UTC by Thomas Biege
Modified: 2021-11-08 10:16 UTC


Attachments
patchinfo-box.konversation (571 bytes, text/plain)
2005-01-20 22:03 UTC, Thomas Biege

Description Thomas Biege 2005-01-20 21:03:19 UTC
Hi, 
some bugs in konversation were posted to the public. 
 
Here are the links: 
http://wouter.coekaerts.be/konversation.html : 
http://wouter.coekaerts.be/files/konversation-parse.diff 
http://wouter.coekaerts.be/files/konversation-quickconnect.diff 
http://wouter.coekaerts.be/files/konversation-scripts.diff 
 
Konversation was not part of SL 8.1, right?
Comment 2 Thomas Biege 2005-01-20 22:03:15 UTC
Created attachment 27789
patchinfo-box.konversation
Comment 3 Thomas Biege 2005-01-25 20:15:11 UTC
Looks like konversation was never part of a maintained product. Please 
correct me if I was wrong. 
 
X-Ref: 
CAN-2005-0129 
CAN-2005-0130 
CAN-2005-0131 
 
http://www.kde.org/info/security/advisory-20050121-1.txt 
Comment 4 Joerg Reuter 2005-01-31 22:38:17 UTC
Sorry, I was on vacation for the last three weeks. I'll take care of it ASAP.
Konversation is part of the box product only indeed, and I'll have to look
whether the problem also applies to 0.14 (I don't think so, but I'll check).
Comment 5 Joerg Reuter 2005-02-01 01:34:58 UTC
I just checked: 0.14 (SL 9.2) is also affected by the quick button bug and the
script command injection issue. 0.9 (SL 8.2), 0.12 (SL 9.0) and 0.13 (SL 9.1)
are affected by the quick button bug. Oh dear...

The script command injection issue is a potentially serious one, the quick
button bug is mostly harmless, though. The quick connection bug is probably the
most serious one, but only present in 0.15, which is the version in STABLE. I'll
try to prepare the updates tomorrow.

For the reference numbers:
CAN-2005-0129 buttons (konversation-parse.diff)
CAN-2005-0130 insecure scripts (konversation-scripts.diff)
CAN-2005-0131 quick connect (konversation-quickconnect.diff)

(Just to get the patchinfo right without having to look up what's behind the CAN
numbers)
Comment 6 Joerg Reuter 2005-02-02 03:00:24 UTC
Okay, fixed it for STABLE first due to time constraints. The others will follow. 
Comment 7 Joerg Reuter 2005-02-03 01:34:32 UTC
Submitted packages for SL 8.2, 9.0, 9.1 and 9.2 as well as the patchinfo.
Comment 8 Thomas Biege 2005-02-09 06:50:32 UTC
thanks 
Comment 9 Thomas Biege 2005-02-09 06:50:53 UTC
reassigned... 
Comment 10 Marcus Meissner 2005-02-11 21:07:30 UTC
packages approved (were box only). 
Comment 11 Marcus Meissner 2005-02-11 21:35:26 UTC
marking as fixed 
Comment 12 Thomas Biege 2009-10-13 20:59:35 UTC
CVE-2005-0131: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)