Bug#287201: marked as done (KIOSlave FTP client can be made to send email)
Your message dated Sun, 16 Jan 2005 17:02:24 -0500
with message-id <E1CqITY-0000A4-00@newraff.debian.org>
and subject line Bug#285128: fixed in kdelibs 4:3.3.2-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 25 Dec 2004 19:00:38 +0000
>From ian@penguinhosting.net Sat Dec 25 11:00:38 2004
Return-path: <ian@penguinhosting.net>
Received: from zeus.penguinhosting.net [69.9.164.98]
by spohr.debian.org with smtp (Exim 3.35 1 (Debian))
id 1CiH9a-0007N6-00; Sat, 25 Dec 2004 11:00:38 -0800
Received: (qmail 30839 invoked by uid 1000); 25 Dec 2004 19:00:37 -0000
Date: Sat, 25 Dec 2004 14:00:01 -0500
From: Ian Gulliver <ian@penguinhosting.net>
To: submit@bugs.debian.org
Subject: KIOSlave FTP client can be made to send email
Message-ID: <20041225190001.GB2821@penguinhosting.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="ieNMXl1Fr3cevapt"
Content-Disposition: inline
X-Operating-System: Linux puck 2.6.9-2-686
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no
version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:
--ieNMXl1Fr3cevapt
Content-Type: multipart/mixed; boundary="CblX+4bnyfN0pR09"
Content-Disposition: inline
--CblX+4bnyfN0pR09
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Package: kdelibs
Version: 3.2.3-2
Severity: grave
The KIOSlave FTP client is vulnerable to the same exploit as Internet
Explorer:
http://lists.netsys.com/pipermail/full-disclosure/2004-December/030229.html
Anything that can pass an FTP URL to it, i.e. a malicious website viewed
in Konqueror, can cause it to send mail without user interaction. A
proposed, untested patch is attached.
--=20
Ian Gulliver
Penguin Hosting
"Failure is not an option; it comes bundled with your Microsoft products."
--CblX+4bnyfN0pR09
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="kdelibs-3.2.3-ftp-fixed.patch"
Content-Transfer-Encoding: quoted-printable
--- kdelibs-3.2.3/kioslave/ftp/ftp.cc 2004-02-15 16:15:27.000000000 -0500
+++ kdelibs-3.2.3-ftp-fixed/kioslave/ftp/ftp.cc 2004-12-25 00:44:27.0000000=
00 -0500
@@ -652,6 +652,9 @@
{
assert( sControl > 0 );
=20
+ if (cmd.find('\r') !=3D -1 || cmd.find('\n') !=3D -1)
+ return false;
+
QCString buf =3D cmd;
buf +=3D "\r\n";
=20
--CblX+4bnyfN0pR09--
--ieNMXl1Fr3cevapt
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFBzbiwefI+qeoOjxURAnDdAJ98uPfcgnzhhWu6xmPaChvf7W6vKQCaAxJB
F9yG6jHeAtX6IEDfPn6gy5M=
=BikT
-----END PGP SIGNATURE-----
--ieNMXl1Fr3cevapt--
---------------------------------------
Received: (at 285128-close) by bugs.debian.org; 16 Jan 2005 22:07:32 +0000
>From katie@ftp-master.debian.org Sun Jan 16 14:07:31 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CqIYV-0007pb-00; Sun, 16 Jan 2005 14:07:31 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1CqITY-0000A4-00; Sun, 16 Jan 2005 17:02:24 -0500
From: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
To: 285128-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#285128: fixed in kdelibs 4:3.3.2-1
Message-Id: <E1CqITY-0000A4-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Sun, 16 Jan 2005 17:02:24 -0500
Delivered-To: 285128-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
X-CrossAssassin-Score: 2
Source: kdelibs
Source-Version: 4:3.3.2-1
We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:
kdelibs-bin_3.3.2-1_i386.deb
to pool/main/k/kdelibs/kdelibs-bin_3.3.2-1_i386.deb
kdelibs-data_3.3.2-1_all.deb
to pool/main/k/kdelibs/kdelibs-data_3.3.2-1_all.deb
kdelibs4-dev_3.3.2-1_i386.deb
to pool/main/k/kdelibs/kdelibs4-dev_3.3.2-1_i386.deb
kdelibs4-doc_3.3.2-1_all.deb
to pool/main/k/kdelibs/kdelibs4-doc_3.3.2-1_all.deb
kdelibs4_3.3.2-1_i386.deb
to pool/main/k/kdelibs/kdelibs4_3.3.2-1_i386.deb
kdelibs_3.3.2-1.diff.gz
to pool/main/k/kdelibs/kdelibs_3.3.2-1.diff.gz
kdelibs_3.3.2-1.dsc
to pool/main/k/kdelibs/kdelibs_3.3.2-1.dsc
kdelibs_3.3.2-1_all.deb
to pool/main/k/kdelibs/kdelibs_3.3.2-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 285128@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> (supplier of updated kdelibs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 16 Jan 2005 20:48:01 +0100
Source: kdelibs
Binary: kdelibs4 kdelibs-bin kdelibs kdelibs4-doc kdelibs-data kdelibs4-dev
Architecture: source i386 all
Version: 4:3.3.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Description:
kdelibs - KDE core libraries metapackage
kdelibs-bin - KDE core binaries
kdelibs-data - KDE core shared data
kdelibs4 - KDE core libraries
kdelibs4-dev - KDE core libraries (development files)
kdelibs4-doc - KDE core library documentation
Closes: 263430 285128 286521 287097 287201 287566 288653 289164 290190 290191
Changes:
kdelibs (4:3.3.2-1) unstable; urgency=medium
.
+++ Changes by Adeodato Simó:
.
* Uploading to unstable. This new upstream version fixes CAN-2004-1145,
"Konqueror Java Vulnerability", and thus closes: #286521. Urgency set
to medium for this reason (the package has been in experimental for some
time, and has been checked to work properly with the rest of 3.3.1
packages).
.
* debian/control:
- make kdelibs-data replace kjscmd (<< 4:3.3.0), which was missed in the
3.3.1-1 upload and completely forgotten since then. (Closes: #288653)
.
* debian/kdelibs-data.install: the files added in the previous upload were
checked not to exist in oo.o-mimelnk in sid, but sadly they exist in the
version in sarge. Reverted them for now, will be re-added when OpenOffice
1.1.3 enters sarge (with the proper Conflicts: entry). (Closes: #287097)
.
List of files:
- usr/share/mimelnk/application/vnd.sun.xml.calc.template.desktop
- usr/share/mimelnk/application/vnd.sun.xml.draw.template.desktop
- usr/share/mimelnk/application/vnd.sun.xml.impress.template.desktop
- usr/share/mimelnk/application/vnd.sun.xml.writer.template.desktop
.
+++ Changes by Christopher Martin:
.
* KDE_3_3_BRANCH update. Pulls in the fix for CAN-2004-1165, the FTP command
injection bug. (Closes: #285128, #287201)
.
* Add patch to change the group set by KDE CUPS configurator to Debian's
default, lpadmin, rather than sys. (Closes: #263430)
.
* Add kaccel hack that works around a Konqueror crash with Russian keyboards.
(Closes: #287566)
.
* Change debian/copyright file to refer to licenses, instead of copyright,
when discussing KDE's licenses. (Closes: #290191, #290190)
.
* Change dependency on perl-suid to perl, and add Recommends: perl-suid.
The lack of perl-suid should only cause problems for some users using
NFS or SMB shares. (Closes: #289164)
Files:
5a5b291bbb6afb99219a8eb20d367587 1302 libs optional kdelibs_3.3.2-1.dsc
77e5cafe54180b108026cf769f0881d4 249693 libs optional kdelibs_3.3.2-1.diff.gz
3e52b23a11b1f2525227b7b92557c528 853130 libs optional kdelibs-bin_3.3.2-1_i386.deb
57a32d66d0b83303f5c2df8ad4282045 8185634 libs optional kdelibs4_3.3.2-1_i386.deb
e16a623a61e3e782d6156c862b6f9ca5 1230822 libdevel optional kdelibs4-dev_3.3.2-1_i386.deb
7254ee7da031de021e093ee53e909f97 18232 kde optional kdelibs_3.3.2-1_all.deb
05de696544e6470efe771d1a9e09f342 7082858 libs optional kdelibs-data_3.3.2-1_all.deb
87121b89ce0b5c7e1aa7bc386498f735 11530760 doc optional kdelibs4-doc_3.3.2-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Signed by Isaac Clerencia <isaac@warp.es>
iD8DBQFB6uEzQET2GFTmct4RAsBzAJ9vxU5BEvEIF/9roHrIGcq7C107LgCfZv02
73cZKZqziTtyQgYhlWRhZT0=
=Pz0s
-----END PGP SIGNATURE-----
Reply to: