FWD: insecure temporary file creation in kdelibs 3.3.2

Automatically imported from Debian bug report #294832 http://bugs.debian.org/294832

Message-ID: <email address hidden>
Date: Fri, 11 Feb 2005 15:36:10 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: FWD: insecure temporary file creation in kdelibs 3.3.2

--aVD9QWMuhilNxW9f
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: kdelibs-data
Version: 4:3.3.2-1
Tags: security
Severity: grave

We're vulnerable.

----- Forwarded message from Davide Madrisan <email address hidden> -=
----

=46rom: Davide Madrisan <email address hidden>
Date: Fri, 11 Feb 2005 09:16:38 +0100
To: <email address hidden>
Subject: insecure temporary file creation in kdelibs 3.3.2
Organization: QiNet s.r.l.
User-Agent: KMail/1.7.2

The `dcopidlng' script in the KDE library package=20
(kdelibs-3.3.2/dcop/dcopidlng/dcopidlng)
creates temporary files in a unsecure manner.

This bug has been fixed in 32 minutes (!) by Stephan Kulow, the KDE team=20
leader. Here you can found the official patch:
http://bugs.kde.org/show_bug.cgi?id=3D97608

Note: This bug has been find by `autospec', the work-in-progress tool used =
by=20
the QiLinux team to (semi)automatically create specfiles from tarballs and=
=20
update/check rpm packages. It's released under GPL and not QiLinux specific.
The latest release can be found at the URL:
ftp://ftp.qilinux.it/pub/QiLinux/devel/tools/autospec/

#include <best/regards.h>
---
Davide Madrisan
QiLinux Security Team Leader
PGP keyID: 4B72B0B9 fp: 2B79 BFF1 EE33 EE8C 3258 E43C CDA8 EFF3 4B72 B0B9
PGP public key: <http://pgp.mit.edu/>
http://www.qilinux.it

----- End forwarded message -----

--=20
see shy jo

--aVD9QWMuhilNxW9f
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCDRc5d8HHehbQuO8RAjvQAJwMRgsyz9feGBGEFgayLLhWreUUnACfRFSO
8rTvkkXEFtEc3Jka+cc08E0=
=jwdZ
-----END PGP SIGNATURE-----

--aVD9QWMuhilNxW9f--

Message-ID: <email address hidden>
Date: Sat, 12 Feb 2005 00:16:50 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: ahhh the attack of the Joeys

reassign 294832 kdelibs
merge 294832 29489
thanks

Message-ID: <email address hidden>
Date: Sat, 12 Feb 2005 10:57:38 +0100
From: Martin Schulze <email address hidden>
To: <email address hidden>
Subject: blah

merge 294832 294896
thanks dude

--
If you come from outside of Finland, you live in wrong country.
 -- motd of irc.funet.fi

Please always Cc to me when replying to me on the lists.

*** Bug 12841 has been marked as a duplicate of this bug. ***

Message-Id: <email address hidden>
Date: Sun, 13 Feb 2005 09:17:29 -0500
From: Debian Qt/KDE Maintainers <email address hidden>
To: <email address hidden>
Subject: Bug#294832: fixed in kdelibs 4:3.3.2-2

Source: kdelibs
Source-Version: 4:3.3.2-2

We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:

kdelibs-bin_3.3.2-2_i386.deb
  to pool/main/k/kdelibs/kdelibs-bin_3.3.2-2_i386.deb
kdelibs-data_3.3.2-2_all.deb
  to pool/main/k/kdelibs/kdelibs-data_3.3.2-2_all.deb
kdelibs4-dev_3.3.2-2_i386.deb
  to pool/main/k/kdelibs/kdelibs4-dev_3.3.2-2_i386.deb
kdelibs4-doc_3.3.2-2_all.deb
  to pool/main/k/kdelibs/kdelibs4-doc_3.3.2-2_all.deb
kdelibs4_3.3.2-2_i386.deb
  to pool/main/k/kdelibs/kdelibs4_3.3.2-2_i386.deb
kdelibs_3.3.2-2.diff.gz
  to pool/main/k/kdelibs/kdelibs_3.3.2-2.diff.gz
kdelibs_3.3.2-2.dsc
  to pool/main/k/kdelibs/kdelibs_3.3.2-2.dsc
kdelibs_3.3.2-2_all.deb
  to pool/main/k/kdelibs/kdelibs_3.3.2-2_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <email address hidden> (supplier of updated kdelibs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 13 Feb 2005 04:58:29 +0100
Source: kdelibs
Binary: kdelibs4 kdelibs-bin kdelibs kdelibs4-doc kdelibs-data kdelibs4-dev
Architecture: source i386 all
Version: 4:3.3.2-2
Distribution: unstable
Urgency: high
Maintainer: Debian Qt/KDE Maintainers <email address hidden>
Changed-By: Debian Qt/KDE Maintainers <email address hidden>
Description:
 kdelibs - KDE core libraries metapackage
 kdelibs-bin - KDE core binaries
 kdelibs-data - KDE core shared data
 kdelibs4 - KDE core libraries
 kdelibs4-dev - KDE core libraries (development files)
 kdelibs4-doc - KDE core library documentation
Closes: 270592 290323 292081 292569 292765 294832 294896
Changes:
 kdelibs (4:3.3.2-2) unstable; urgency=high
 .
   +++ Changes by Adeodato Simó:
 .
   * Include patch to fix CAN-2005-0365, "insecure temporary file creation in
     kdelibs 3.3.2". dcopidlng no longer creates its temporary files in /tmp.
     (Closes: #294832, #294896) Urgency set to high because of this and other
     RC bug fixes below.
 .
   * KDE_3_3_BRANCH update.
 .
   * Include patch from CVS to fix XMLHttpRequest POST being broken in KHTML
     due to a blank line in headers. (Closes: #292765)
 .
   +++ Changes by Christopher Martin:
 .
   * Add patch from upstream that solves the problem wherein programs whose
     .desktop entry contained their full path, rather than just the binary
     to be executed (mainly games), confused kdeinit.
     (Closes: #270592, #290323)
 .
   * debian/...

Already fixed in Hoary, but should be fixed in Warty as well.

fixed & uploaded, requested from lamont the buildlogs for a final rewiew.

fixed in 4:3.3.2-1ubuntu9 hoary, I'll review warty

already fixed