
Bug#294204: marked as done (konqueror: IDN URL Spoofing)



Your message dated Mon, 28 Feb 2005 09:50:59 -0500
with message-id <E1D5mEd-0002dQ-00@newraff.debian.org>
and subject line Bug#294204: fixed in kdelibs 4:3.3.2-3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 8 Feb 2005 13:24:36 +0000
>From csmiller@iname.com Tue Feb 08 05:24:35 2005
Return-path: <csmiller@iname.com>
Received: from angel.picsel.com (morbus.picsel.com) [212.137.21.218] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1CyVM3-0002cq-00; Tue, 08 Feb 2005 05:24:35 -0800
Received: by morbus.picsel.com (Postfix, from userid 1001)
	id 0A676D396A; Tue,  8 Feb 2005 13:24:33 +0000 (GMT)
Received: from angel.picsel.com (angel.picsel.com [195.171.216.1])
	by morbus.picsel.com (Postfix) with ESMTP
	id 3730480E8D; Tue,  8 Feb 2005 13:24:17 +0000 (GMT)
Received: from baloo.picsel.com (baloo.picsel.com [195.171.216.55])
	by angel.picsel.com (Postfix) with ESMTP
	id C1A6584060; Tue,  8 Feb 2005 13:24:16 +0000 (GMT)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Colin S. Miller" <csmiller@iname.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: konqueror: IDN URL Spoofing
upstream: http://bugs.kde.org/show_bug.cgi?id=98788
X-Mailer: reportbug 3.2
Date: Tue, 08 Feb 2005 13:24:15 +0000
Message-Id: <20050208132416.C1A6584060@angel.picsel.com>
X-Virus-Scanned: by AMaViS snapshot-20010714
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: konqueror
Version: 4:3.3.2-1
Severity: normal

http://www.shmoo.com/idn/ shows a proof-of-concept attack
against konqueror amongst other browsers (konqueror isn't
explicitly listed as vulnerable).

The basic attack is using homographs in URLs
(two characters from different Unicode pages which
look different but are for different roles).

The upstream authors are marking this as 'wish-list',
but other browsers are handling this as serious.

They are also indicating that this may be
reassigned to kde-core, please reassign here if
required.

Colin S. Miller


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.7-1-386
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages konqueror depends on:
ii  kcontrol                 4:3.3.2-1       KDE Control Center
ii  kdebase-kio-plugins      4:3.3.2-1       KDE I/O Slaves
ii  kdelibs4                 4:3.3.2-1       KDE core libraries
ii  kdesktop                 4:3.3.2-1       KDE Desktop
ii  kfind                    4:3.3.2-1       KDE File Find Utility
ii  libart-2.0-2             2.3.16-6        Library of functions for 2D graphi
ii  libc6                    2.3.2.ds1-20    GNU C Library: Shared libraries an
ii  libfam0c102              2.7.0-6         client library to control the FAM 
ii  libgcc1                  1:3.4.3-6       GCC support library
ii  libice6                  4.3.0.dfsg.1-10 Inter-Client Exchange library
ii  libidn11                 0.5.2-3         GNU libidn library, implementation
ii  libjpeg62                6b-9            The Independent JPEG Group's JPEG 
ii  libkonq4                 4:3.3.2-1       Core libraries for KDE's file mana
ii  libpcre3                 4.5-1.1         Perl 5 Compatible Regular Expressi
ii  libpng12-0               1.2.8rel-1      PNG library - runtime
ii  libqt3c102-mt            3:3.3.3-8       Qt GUI Library (Threaded runtime v
ii  libsm6                   4.3.0.dfsg.1-10 X Window System Session Management
ii  libstdc++5               1:3.3.5-5       The GNU Standard C++ Library v3
ii  libx11-6                 4.3.0.dfsg.1-10 X Window System protocol client li
ii  libxext6                 4.3.0.dfsg.1-10 X Window System miscellaneous exte
ii  libxrender1              0.8.3-7         X Rendering Extension client libra
ii  xlibs                    4.3.0.dfsg.1-10 X Keyboard Extension (XKB) configu
ii  zlib1g                   1:1.2.2-3       compression library - runtime

-- no debconf information

---------------------------------------
Received: (at 294204-close) by bugs.debian.org; 28 Feb 2005 14:53:51 +0000
>From katie@ftp-master.debian.org Mon Feb 28 06:53:51 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1D5mHP-0001iN-00; Mon, 28 Feb 2005 06:53:51 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1D5mEd-0002dQ-00; Mon, 28 Feb 2005 09:50:59 -0500
From: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
To: 294204-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#294204: fixed in kdelibs 4:3.3.2-3
Message-Id: <E1D5mEd-0002dQ-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Mon, 28 Feb 2005 09:50:59 -0500
Delivered-To: 294204-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 
X-CrossAssassin-Score: 2

Source: kdelibs
Source-Version: 4:3.3.2-3

We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:

kdelibs-bin_3.3.2-3_i386.deb
  to pool/main/k/kdelibs/kdelibs-bin_3.3.2-3_i386.deb
kdelibs-data_3.3.2-3_all.deb
  to pool/main/k/kdelibs/kdelibs-data_3.3.2-3_all.deb
kdelibs4-dev_3.3.2-3_i386.deb
  to pool/main/k/kdelibs/kdelibs4-dev_3.3.2-3_i386.deb
kdelibs4-doc_3.3.2-3_all.deb
  to pool/main/k/kdelibs/kdelibs4-doc_3.3.2-3_all.deb
kdelibs4_3.3.2-3_i386.deb
  to pool/main/k/kdelibs/kdelibs4_3.3.2-3_i386.deb
kdelibs_3.3.2-3.diff.gz
  to pool/main/k/kdelibs/kdelibs_3.3.2-3.diff.gz
kdelibs_3.3.2-3.dsc
  to pool/main/k/kdelibs/kdelibs_3.3.2-3.dsc
kdelibs_3.3.2-3_all.deb
  to pool/main/k/kdelibs/kdelibs_3.3.2-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 294204@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> (supplier of updated kdelibs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 28 Feb 2005 14:05:30 +0100
Source: kdelibs
Binary: kdelibs4 kdelibs-bin kdelibs kdelibs4-doc kdelibs-data kdelibs4-dev
Architecture: source i386 all
Version: 4:3.3.2-3
Distribution: unstable
Urgency: high
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Description: 
 kdelibs    - KDE core libraries metapackage
 kdelibs-bin - KDE core binaries
 kdelibs-data - KDE core shared data
 kdelibs4   - KDE core libraries
 kdelibs4-dev - KDE core libraries (development files)
 kdelibs4-doc - KDE core library documentation
Closes: 292085 294204 294271 297095
Changes: 
 kdelibs (4:3.3.2-3) unstable; urgency=high
 .
   * Urgency high as it closes a security RC bug
 .
   +++ Changes by Isaac Clerencia:
 .
   * Fix syntax error in dcopidlng, closes: #297095 (was causing kdepim an
     others to FTBFS).
 .
   * Apply patch from KDE 3.4 to fix CAN-2005-0237 (spoofing using IDN),
     closes: #294271, #294204. IDN is now disabled in all KDE apps unless
     the environment variable KDE_USE_IDN is set.
 .
   * Christopher Cheney has kindly relicensed man pages written by him from
     GDFL to GPL, update the license statement accordingly. Closes: #292085.
Files: 
 f7eb7e75e030f3df1053e9a1250c739c 1302 libs optional kdelibs_3.3.2-3.dsc
 ee097e54514e5524d18bf8a4600e1a69 443362 libs optional kdelibs_3.3.2-3.diff.gz
 f03e9ee4f79db9662b1a3e123cfee4d6 855214 libs optional kdelibs-bin_3.3.2-3_i386.deb
 1b5e317c639495e5d802ddd5d94d8142 8187008 libs optional kdelibs4_3.3.2-3_i386.deb
 bbf8f638a6be032355aa2e0eb1315e4a 1231442 libdevel optional kdelibs4-dev_3.3.2-3_i386.deb
 bd726963e48162feadd5d2e4da22a6bf 18878 kde optional kdelibs_3.3.2-3_all.deb
 099ad360bda1852b227e63f7e4c31d11 7084088 libs optional kdelibs-data_3.3.2-3_all.deb
 c0119c932f491560d9d30debfc5d5ed8 11570728 doc optional kdelibs4-doc_3.3.2-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Signed by Isaac Clerencia <isaac@warp.es>

iD8DBQFCIyPAQET2GFTmct4RAskjAKCILG7ab/ww/lpB3ZjqWTx/nzPRLQCdEGdd
GcsTZW2fm6wN4lugq0UGBww=
=VAQa
-----END PGP SIGNATURE-----
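As an added example that is not part of this bug report or of the kdelibs patch: the script below shows the homograph mechanics Colin describes (what the user sees versus the ASCII-compatible form that actually goes on the wire) and the display policy the changelog adopts (show the raw xn-- form unless IDN display is switched on). The sample hostnames are constructed, the `KDE_USE_IDN` environment variable is modelled as a `use_idn` parameter, and the mixed-script heuristic in `is_suspicious` is my own addition beyond what the Debian fix does; it approximates the Unicode Script property from character names because the standard library does not expose that property directly.

```python
"""Homograph (IDN) spoofing demo: what the user sees versus what the resolver sees.

Added example for this bug log; not KDE or Debian code.  Standard library only.
"""
import unicodedata

# Constructed sample input.  SPOOFED swaps LATIN SMALL LETTER A (U+0061) for
# CYRILLIC SMALL LETTER A (U+0430), which renders identically in most fonts.
GENUINE = "www.paypal.com"
SPOOFED = "www.p\u0430ypal.com"
GERMAN = "www.b\u00fccher.de"   # a legitimate single-script IDN (bücher)


def to_ace(hostname: str) -> str:
    """Return the ASCII-compatible encoding (punycode, xn-- labels) sent to DNS."""
    return hostname.encode("idna").decode("ascii")


def from_ace(ace_hostname: str) -> str:
    """Decode xn-- labels back to the Unicode form a browser would render."""
    return ace_hostname.encode("ascii").decode("idna")


def scripts_in_label(label: str) -> set:
    """Approximate the set of Unicode scripts used in one label.

    Heuristic (my assumption, not the real Script property): the first word of
    each character's Unicode name ("LATIN", "CYRILLIC", "GREEK", ...) stands in
    for its script.  Digits and hyphens are script-neutral and are skipped.
    """
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0])
    return scripts


def is_suspicious(hostname: str) -> bool:
    """True when any non-ASCII label mixes scripts, the hallmark of a homograph."""
    for label in hostname.split("."):
        if label.isascii():
            continue
        if len(scripts_in_label(label)) > 1:
            return True
    return False


def display_form(hostname: str, use_idn: bool = False) -> str:
    """Decide what to show in the location bar.

    use_idn=False mirrors kdelibs 4:3.3.2-3 without KDE_USE_IDN set: always
    show the raw xn-- form, so the spoof is visible.  use_idn=True mirrors the
    variable being set, but here the mixed-script check (an addition beyond the
    Debian fix) still falls back to the ACE form for suspicious names while
    leaving honest single-script IDNs readable.
    """
    ace = to_ace(hostname)
    if not use_idn or is_suspicious(hostname):
        return ace
    return hostname


if __name__ == "__main__":
    for name in (GENUINE, SPOOFED, GERMAN):
        print(f"{name!r:26} wire={to_ace(name):24} "
              f"idn_off={display_form(name):24} "
              f"idn_on={display_form(name, use_idn=True):18} "
              f"suspicious={is_suspicious(name)}")
```

Run it and the spoofed name prints as `www.xn--pypal-4ve.com` on the wire, which is the string the Shmoo proof of concept relies on the browser hiding. The name-prefix heuristic is deliberately crude: a production check should use the Unicode Script property and the UTS #39 confusables data, since single-script look-alikes (for example Cyrillic-only labels that resemble Latin words) slip past a mixed-script test.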


