CAN-2004-1165: FTP command injection bug

Bug #11565 reported by Debian Bug Importer

Affects            Status         Importance   Assigned to       Milestone
kdelibs (Debian)   Fix Released   Unknown
kdelibs (Ubuntu)   Fix Released   High         Andreas Mueller

Bug Description

Automatically imported from Debian bug report #285128 http://bugs.debian.org/285128

Revision history for this message
In , Dato Simó (dato) wrote :

tag 285128 sarge sid
stop here

* Joey Hess [Fri, 10 Dec 2004 14:51:51 -0500]:

> The advisory says that it affects version >= 3.3.1, so perhaps our
> 3.2.3-1/2.3.3-1 in t-p-u/testing are not vulnerable. I've not checked.

  just for the record: yes, 3.2 is vulnerable. upstream released patches
  for both the 3.3.x and 3.2.x series.

--
Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621

Old men are fond of giving good advice to console themselves for their
inability to set a bad example.
                -- La Rochefoucauld, "Maxims"

Revision history for this message
In , Dato Simó (dato) wrote : Re: missing bits for the transition

# -|
# -|--> to be merged (sure?) ====> yes

### These two bugs are the same vulnerability, and that the bug
### really belongs to kdelibs, not konqueror/kdebase.

#285128: CAN-2004-1165: FTP command injection bug
reassign 285128 kdelibs
severity 285128 grave

#287201: KIOSlave FTP client can be made to send email
merge 285128 287201

stop here, and happy new year for you too

--
Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621

Beauty, brains, availability, personality: pick any two.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Automatically imported from Debian bug report #285128 http://bugs.debian.org/285128

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 10 Dec 2004 14:51:51 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: CAN-2004-1165: FTP command injection bug

Package: konqueror
Version: 3.3.1
Tags: security
Severity: serious

CAN-2004-1165 is about a security hole in konqueror that allows
arbitrary ftp commands to be inserted in a URL via URL-encoded newlines.
Details about this hole are here:
http://marc.theaimsgroup.com/?l=bugtraq&m=110245752232681&w=2

The advisory says that it affects version >= 3.3.1, so perhaps our
3.2.3-1/2.3.3-1 in t-p-u/testing are not vulnerable. I've not checked.

--
see shy jo

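
The flaw described in the report above, as an added C++ example that is not part of the original thread and is not kdelibs code: a URL path is percent-decoded before it goes onto the FTP control channel, so a decoded CR/LF ends the command line early. The function names, the choice to reject every ASCII control byte, and the sample paths are assumptions constructed for illustration.

```cpp
#include <iostream>
#include <string>

// Value of one hex digit, or -1 if c is not a hex digit.
static int hex_value(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Percent-decode a URL path component. Returns false on a malformed escape.
bool percent_decode(const std::string& in, std::string& out) {
    out.clear();
    for (std::string::size_type i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out += in[i]; continue; }
        if (in.size() - i < 3) return false;            // truncated "%X"
        int hi = hex_value(in[i + 1]), lo = hex_value(in[i + 2]);
        if (hi < 0 || lo < 0) return false;             // "%zz"
        out += static_cast<char>(hi * 16 + lo);
        i += 2;
    }
    return true;
}

// Model of the bug class: decode, then concatenate without checking the result.
std::string naive_ftp_command(const std::string& verb, const std::string& encoded_path) {
    std::string decoded;
    percent_decode(encoded_path, decoded);
    return verb + " " + decoded + "\r\n";
}

// Hardened form: validate AFTER decoding. Any control byte (CR, LF, NUL, ...)
// is refused, which is a conservative assumption of this example.
bool build_ftp_command(const std::string& verb, const std::string& encoded_path,
                       std::string& line) {
    line.clear();
    std::string decoded;
    if (!percent_decode(encoded_path, decoded)) return false;
    for (std::string::size_type i = 0; i < decoded.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(decoded[i]);
        if (c < 0x20 || c == 0x7f) return false;
    }
    line = verb + " " + decoded + "\r\n";
    return true;
}

// Number of CRLF-terminated lines the server would read from `wire`.
int count_lines(const std::string& wire) {
    int n = 0;
    for (std::string::size_type p = wire.find("\r\n"); p != std::string::npos;
         p = wire.find("\r\n", p + 2)) ++n;
    return n;
}

int main() {
    const std::string sample = "pub%0D%0ANOOP";         // constructed input
    std::string line;
    std::cout << "naive sends " << count_lines(naive_ftp_command("CWD", sample))
              << " line(s); hardened accepts: "
              << (build_ftp_command("CWD", sample, line) ? "yes" : "no") << "\n";
    return 0;
}
```
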

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 30 Dec 2004 15:16:26 +0100
From: Adeodato Simó <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Re: CAN-2004-1165: FTP command injection bug


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 1 Jan 2005 11:57:55 +0100
From: Adeodato Simó <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Re: missing bits for the transition


Revision history for this message
Debian Bug Importer (debzilla) wrote :

*** Bug 11467 has been marked as a duplicate of this bug. ***

Revision history for this message
Andreas Mueller (amu) wrote :

already fixed in warty & hoary

Revision history for this message
In , Dato Simó (dato) wrote : Re: Final polishing of the KDE 3.3 transition

#> we'll go with lowering to 'important', with an attached explanation.

#285128: kdelibs: CAN-2004-1165: FTP command injection bug
severity 285128 important

#286516: kdebase: CAN-2004-1158: Konqueror Window Injection Vuln.
severity 286516 important

#286521: kdelibs: CAN-2004-1145: Konqueror Java Vulnerability
severity 286521 important

thanks mate, see you again after the transition

  In agreement with the Release Team, I'm downgrading the severity of
  the above three security bugs in KDE to important, so that KDE 3.3 can
  enter sarge. See this thread [1] for more info.

    [1] http://lists.debian.org/debian-release/2005/01/msg00004.html

  The severity will be restored right after the transition, and uploads
  to sid will shortly follow. Just to say what is going to happen:
  kdebase 3.3.1-4 will be uploaded first (along with an arts 1.3.2-2, not
  security related). While buildds churn these two, a kdelibs 3.3.2-1
  upload to sid will be prepared, and uploaded as soon as kdebase+arts
  is built in all arches.

  We need to upload kdelibs 3.3.2 since the fix for CAN-2004-1145 (the
  Java Vulnerability) is not easily backportable to 3.3.1. Having
  kdelibs 3.3.2 with the rest of packages being at 3.3.1 is a safe mix;
  in any case, we will test prior to uploading and the urgency won't be
  set to high.

  Cheers,

--
Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
    Listening to: 10,000 Maniacs - don't talk

Don't worry about what anybody else is going to do. The best way to
predict the future is to invent it.
                -- Alan Kay

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 3 Jan 2005 12:12:10 +0100
From: Adeodato Simó <email address hidden>
To: <email address hidden>, <email address hidden>
Cc: <email address hidden>, <email address hidden>, <email address hidden>, <email address hidden>
Subject: Re: Final polishing of the KDE 3.3 transition


Revision history for this message
In , Dato Simó (dato) wrote :

# severity 285128 important
# severity 286516 important
# severity 286521 important
# thanks mate, see you again after the transition

# <vorlon> dato: would you care to bump those security bugs back up to RC severity?

severity 285128 grave
severity 286516 grave
severity 286521 grave

thanks. vorlon: done

--
Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621

Don't be irreplaceable, if you can't be replaced, you can't be promoted.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 4 Jan 2005 09:48:48 +0100
From: Adeodato Simó <email address hidden>
To: <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Final polishing of the KDE 3.3 transition


Revision history for this message
In , Dato Simó (dato) wrote : setting package to kdelibs kdelibs kdelibs-bin kdelibs-data kdelibs4 kdelibs4-dev kdelibs4-doc ... ... ... ... ... ... ... ...

# Automatically generated email from bts, devscripts version 2.8.6
package kdelibs kdelibs kdelibs-bin kdelibs-data kdelibs4 kdelibs4-dev kdelibs4-doc
tags 263430 + pending
tags 285128 + pending
tags 286521 + pending
tags 287097 + pending
tags 287201 + pending
tags 287566 + pending
tags 288653 + pending
tags 289164 + pending

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 9 Jan 2005 01:22:56 +0100
From: Adeodato Simó <email address hidden>
To: <email address hidden>
Subject: setting package to kdelibs kdelibs kdelibs-bin kdelibs-data kdelibs4 kdelibs4-dev
 kdelibs4-doc ... ... ... ... ... ... ... ...


Revision history for this message
In , Dato Simó (dato) wrote : meaning of 'pending'

  Since I've been asked by a RM how 'pending' these security fixes were
  (#285128: CAN-2004-1165: FTP command injection bug, #286521: kdelibs:
  CAN-2004-1145: Konqueror Java Vulnerability), here is an update: the
  packages are mostly ready, and shall be uploaded as soon as kdebase
  3.3.1-4 is successfully built in all arches:

    http://people.debian.org/~igloo/status.php?package=kdebase&thin=on

  Currently, only a mipsel build is missing.

--
Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621

You cannot achieve the impossible without attempting the absurd.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 11 Jan 2005 17:54:11 +0100
From: Adeodato Simó <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: meaning of 'pending'


Revision history for this message
In , Debian Qt/KDE Maintainers (debian-qt-kde) wrote : Bug#285128: fixed in kdelibs 4:3.3.2-1

Source: kdelibs
Source-Version: 4:3.3.2-1

We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:

kdelibs-bin_3.3.2-1_i386.deb
  to pool/main/k/kdelibs/kdelibs-bin_3.3.2-1_i386.deb
kdelibs-data_3.3.2-1_all.deb
  to pool/main/k/kdelibs/kdelibs-data_3.3.2-1_all.deb
kdelibs4-dev_3.3.2-1_i386.deb
  to pool/main/k/kdelibs/kdelibs4-dev_3.3.2-1_i386.deb
kdelibs4-doc_3.3.2-1_all.deb
  to pool/main/k/kdelibs/kdelibs4-doc_3.3.2-1_all.deb
kdelibs4_3.3.2-1_i386.deb
  to pool/main/k/kdelibs/kdelibs4_3.3.2-1_i386.deb
kdelibs_3.3.2-1.diff.gz
  to pool/main/k/kdelibs/kdelibs_3.3.2-1.diff.gz
kdelibs_3.3.2-1.dsc
  to pool/main/k/kdelibs/kdelibs_3.3.2-1.dsc
kdelibs_3.3.2-1_all.deb
  to pool/main/k/kdelibs/kdelibs_3.3.2-1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <email address hidden> (supplier of updated kdelibs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 16 Jan 2005 20:48:01 +0100
Source: kdelibs
Binary: kdelibs4 kdelibs-bin kdelibs kdelibs4-doc kdelibs-data kdelibs4-dev
Architecture: source i386 all
Version: 4:3.3.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <email address hidden>
Changed-By: Debian Qt/KDE Maintainers <email address hidden>
Description:
 kdelibs - KDE core libraries metapackage
 kdelibs-bin - KDE core binaries
 kdelibs-data - KDE core shared data
 kdelibs4 - KDE core libraries
 kdelibs4-dev - KDE core libraries (development files)
 kdelibs4-doc - KDE core library documentation
Closes: 263430 285128 286521 287097 287201 287566 288653 289164 290190 290191
Changes:
 kdelibs (4:3.3.2-1) unstable; urgency=medium
 .
   +++ Changes by Adeodato Simó:
 .
   * Uploading to unstable. This new upstream version fixes CAN-2004-1145,
     "Konqueror Java Vulnerability", and thus closes: #286521. Urgency set
     to medium for this reason (the package has been in experimental for some
     time, and has been checked to work properly with the rest of 3.3.1
     packages).
 .
   * debian/control:
     - make kdelibs-data replace kjscmd (<< 4:3.3.0), which was missed in the
       3.3.1-1 upload and completely forgotten since then. (Closes: #288653)
 .
   * debian/kdelibs-data.install: the files added in the previous upload were
     checked not to exist in oo.o-mimelnk in sid, but sadly they exist in the
     version in sarge. Reverted them for now, will be re-added when OpenOffice
     1.1.3 enters sarge (with the proper Conflicts: entry). (Closes: #287097)
 .
     List of files:
       - usr/share/mimelnk/application/vnd.sun.xml.calc.template.desktop
       - usr/share/mimel...


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 16 Jan 2005 17:02:24 -0500
From: Debian Qt/KDE Maintainers <email address hidden>
To: <email address hidden>
Subject: Bug#285128: fixed in kdelibs 4:3.3.2-1


Changed in kdelibs:
status: Unknown → Fix Released