
Bug#417394: marked as done (Possible UTF-8 overlong sequence decoding vulnerability)

Your message dated Wed, 18 Apr 2007 14:47:11 +0000
with message-id <E1HeBR9-0000uK-10@ries.debian.org>
and subject line Bug#417394: fixed in kdelibs 4:3.5.6.r1.dfsg.1-3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: kdelibs
Version: 4:3.5.5a.dfsg.1-7
Severity: grave
Tags: security 
Justification: user security hole
> this is a notice about a significant bug in the Qt (3.x and 4.x) UTF-8
> decoder, that in certain cases can lead to security vulnerabilities. It causes
> XSS errors at least in Konqueror, though any KDE application that deals with
> urls or paths from untrusted locations can be affected.
> The issue is that the UTF-8 decoder incorrectly does not reject overlong
> sequences, which can cause "/../" injection or (in the case of konqueror)
> a "<script>" tag injection.
> The patch was embargoed, but it leaked recently into the qt snapshots and was
> also imported into qt-copy, so you can consider it public now. Originally
> Trolltech planned to disclose this with a Qt 3.3.9 release, but it seems
> they changed their mind.

(this has been reported in bugs: 417390 and 417391).

> I'm also attaching a fix against KJS, which has a similar issue, but we
> don't know of a way to exploit this one. Please add both patches.

This issue has been addressed in the upload 4:3.5.5a.dfsg.1-8.


--- End Message ---
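The bug class described in the report above is a UTF-8 decoder that accepts overlong sequences, so that a byte pair such as C0 AF decodes to '/' even though '/' must be encoded as the single byte 2F. The following strict decoder is an added example, not code from Qt, KDE or the bug report; it rejects overlong, truncated, surrogate and out-of-range sequences as RFC 3629 requires.

```c
#include <stddef.h>
#include <stdint.h>

/* Decode one UTF-8 sequence from s[0..len). Returns bytes consumed, or 0 if
 * the sequence is truncated, malformed, overlong, a surrogate, or > U+10FFFF.
 * The decoded code point is stored in *cp on success. */
size_t utf8_decode_strict(const unsigned char *s, size_t len, uint32_t *cp)
{
    if (len == 0) return 0;
    unsigned char b0 = s[0];
    size_t n;      /* total length of the sequence */
    uint32_t min;  /* smallest code point that legitimately needs n bytes */
    uint32_t v;

    if (b0 < 0x80) { *cp = b0; return 1; }
    else if ((b0 & 0xE0) == 0xC0) { n = 2; min = 0x80;    v = b0 & 0x1F; }
    else if ((b0 & 0xF0) == 0xE0) { n = 3; min = 0x800;   v = b0 & 0x0F; }
    else if ((b0 & 0xF8) == 0xF0) { n = 4; min = 0x10000; v = b0 & 0x07; }
    else return 0; /* stray continuation byte or invalid lead byte 0xF8..0xFF */

    if (len < n) return 0;
    for (size_t i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0; /* not a continuation byte */
        v = (v << 6) | (s[i] & 0x3F);
    }
    /* Overlong check: the value must actually require all n bytes. A decoder
     * that skips this turns C0 AF into '/' and C0 BC into '<', so a filter
     * that only looks for the one-byte 2F and 3C forms never sees them. */
    if (v < min) return 0;
    if (v >= 0xD800 && v <= 0xDFFF) return 0; /* UTF-16 surrogate halves */
    if (v > 0x10FFFF) return 0;
    *cp = v;
    return n;
}

/* Returns 1 if every sequence in the buffer is well-formed, else 0.
 * Run this on untrusted input before any path or markup handling. */
int utf8_is_valid(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint32_t cp;
        size_t n = utf8_decode_strict(s + i, len - i, &cp);
        if (n == 0) return 0;
        i += n;
    }
    return 1;
}
```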
--- Begin Message ---
Source: kdelibs
Source-Version: 4:3.5.6.r1.dfsg.1-3

We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:

  to pool/main/k/kdelibs/kdelibs-data_3.5.6.r1.dfsg.1-3_all.deb
  to pool/main/k/kdelibs/kdelibs-dbg_3.5.6.r1.dfsg.1-3_i386.deb
  to pool/main/k/kdelibs/kdelibs4-dev_3.5.6.r1.dfsg.1-3_i386.deb
  to pool/main/k/kdelibs/kdelibs4-doc_3.5.6.r1.dfsg.1-3_all.deb
  to pool/main/k/kdelibs/kdelibs4c2a_3.5.6.r1.dfsg.1-3_i386.deb
  to pool/main/k/kdelibs/kdelibs_3.5.6.r1.dfsg.1-3.diff.gz
  to pool/main/k/kdelibs/kdelibs_3.5.6.r1.dfsg.1-3.dsc
  to pool/main/k/kdelibs/kdelibs_3.5.6.r1.dfsg.1-3_all.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 417394@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> (supplier of updated kdelibs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Wed, 18 Apr 2007 14:45:54 +0100
Source: kdelibs
Binary: kdelibs4c2a kdelibs kdelibs4-doc kdelibs-dbg kdelibs-data kdelibs4-dev
Architecture: source i386 all
Version: 4:3.5.6.r1.dfsg.1-3
Distribution: unstable
Urgency: low
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
 kdelibs    - core libraries from the official KDE release
 kdelibs-data - core shared data for all KDE applications
 kdelibs-dbg - debugging symbols for kdelibs
 kdelibs4-dev - development files for the KDE core libraries
 kdelibs4-doc - developer documentation for the KDE core libraries
 kdelibs4c2a - core libraries and binaries for all KDE applications
Closes: 407272 416318 417394
 kdelibs (4:3.5.6.r1.dfsg.1-3) unstable; urgency=low
   +++ Changes by Sune Vuorela:
   * Take the patches from branches/etch to fix two security issues
     46_CVE-2007-1564-kdelibs-3.5.6.diff and 47_kdelibs-kjs-utf8-parsing.diff
     Fixes CVE-2007-1564 and CVE-2007-0242. (Closes: #417394, #416318)
   +++ Changes by Ana Beatriz Guerrero Lopez:
   * Add 44_sync_kwallet_changes to make kwallet write changes to disk
     immediately, avoiding losing passwords if kwallet doesn't shutdown
     cleanly. Patch by Josh Metzler. (Closes: #407272)



--- End Message ---
