Ubuntu
kdelibs package

CAN-2005-0365: insecure temporary file creation in kdelibs 3.3.2

Bug #12841 reported by Debian Bug Importer
6
Affects Status Importance Assigned to Milestone
kdelibs (Debian)
Fix Released
Unknown
kdelibs (Ubuntu)
Invalid
High
Unassigned

Bug Description

Automatically imported from Debian bug report #294896 http://bugs.debian.org/294896

CVE References

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 12 Feb 2005 08:20:17 +0100
From: Martin Schulze <email address hidden>
To: <email address hidden>
Subject: CAN-2005-0365: insecure temporary file creation in kdelibs 3.3.2

Package: kdelibs
Version: 3.2.3-3.sarge.2 3.3.2-1
Severity: grave
Tags: security sarge sid patch

Please
 . update the package in sid
 . mention the CVE id from the subject in the changelog
 . use priority=high
 . you probably need to upload into testing-proposed-updates as well

Regards,

 Joey

----- Forwarded message from Davide Madrisan <email address hidden> -----

From: Davide Madrisan <email address hidden>
Organization: QiNet s.r.l.
To: <email address hidden>
Subject: insecure temporary file creation in kdelibs 3.3.2
Date: Fri, 11 Feb 2005 09:16:38 +0100

The `dcopidlng' script in the KDE library package
(kdelibs-3.3.2/dcop/dcopidlng/dcopidlng)
creates temporary files in a unsecure manner.

This bug has been fixed in 32 minutes (!) by Stephan Kulow, the KDE team
leader. Here you can found the official patch:
http://bugs.kde.org/show_bug.cgi?id=97608

Note: This bug has been find by `autospec', the work-in-progress tool used by
the QiLinux team to (semi)automatically create specfiles from tarballs and
update/check rpm packages. It's released under GPL and not QiLinux specific.
The latest release can be found at the URL:
ftp://ftp.qilinux.it/pub/QiLinux/devel/tools/autospec/

#include <best/regards.h>
---
Davide Madrisan
QiLinux Security Team Leader
PGP keyID: 4B72B0B9 fp: 2B79 BFF1 EE33 EE8C 3258 E43C CDA8 EFF3 4B72 B0B9
PGP public key: <http://pgp.mit.edu/>
http://www.qilinux.it

----- End forwarded message -----

--
If you come from outside of Finland, you live in wrong country.
 -- motd of irc.funet.fi

Please always Cc to me when replying to me on the lists.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Marking as duplicate based on debbugs merge (294832,294896)

This bug has been marked as a duplicate of bug 12825.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 12 Feb 2005 10:57:38 +0100
From: Martin Schulze <email address hidden>
To: <email address hidden>
Subject: blah

merge 294832 294896
thanks dude

--
If you come from outside of Finland, you live in wrong country.
 -- motd of irc.funet.fi

Please always Cc to me when replying to me on the lists.

Revision history for this message
Debian Bug Importer (debzilla) wrote :
Download full text (4.2 KiB)

Message-Id: <email address hidden>
Date: Sun, 13 Feb 2005 09:17:29 -0500
From: Debian Qt/KDE Maintainers <email address hidden>
To: <email address hidden>
Subject: Bug#294832: fixed in kdelibs 4:3.3.2-2

Source: kdelibs
Source-Version: 4:3.3.2-2

We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:

kdelibs-bin_3.3.2-2_i386.deb
  to pool/main/k/kdelibs/kdelibs-bin_3.3.2-2_i386.deb
kdelibs-data_3.3.2-2_all.deb
  to pool/main/k/kdelibs/kdelibs-data_3.3.2-2_all.deb
kdelibs4-dev_3.3.2-2_i386.deb
  to pool/main/k/kdelibs/kdelibs4-dev_3.3.2-2_i386.deb
kdelibs4-doc_3.3.2-2_all.deb
  to pool/main/k/kdelibs/kdelibs4-doc_3.3.2-2_all.deb
kdelibs4_3.3.2-2_i386.deb
  to pool/main/k/kdelibs/kdelibs4_3.3.2-2_i386.deb
kdelibs_3.3.2-2.diff.gz
  to pool/main/k/kdelibs/kdelibs_3.3.2-2.diff.gz
kdelibs_3.3.2-2.dsc
  to pool/main/k/kdelibs/kdelibs_3.3.2-2.dsc
kdelibs_3.3.2-2_all.deb
  to pool/main/k/kdelibs/kdelibs_3.3.2-2_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <email address hidden> (supplier of updated kdelibs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 13 Feb 2005 04:58:29 +0100
Source: kdelibs
Binary: kdelibs4 kdelibs-bin kdelibs kdelibs4-doc kdelibs-data kdelibs4-dev
Architecture: source i386 all
Version: 4:3.3.2-2
Distribution: unstable
Urgency: high
Maintainer: Debian Qt/KDE Maintainers <email address hidden>
Changed-By: Debian Qt/KDE Maintainers <email address hidden>
Description:
 kdelibs - KDE core libraries metapackage
 kdelibs-bin - KDE core binaries
 kdelibs-data - KDE core shared data
 kdelibs4 - KDE core libraries
 kdelibs4-dev - KDE core libraries (development files)
 kdelibs4-doc - KDE core library documentation
Closes: 270592 290323 292081 292569 292765 294832 294896
Changes:
 kdelibs (4:3.3.2-2) unstable; urgency=high
 .
   +++ Changes by Adeodato Simó:
 .
   * Include patch to fix CAN-2005-0365, "insecure temporary file creation in
     kdelibs 3.3.2". dcopidlng no longer creates its temporary files in /tmp.
     (Closes: #294832, #294896) Urgency set to high because of this and other
     RC bug fixes below.
 .
   * KDE_3_3_BRANCH update.
 .
   * Include patch from CVS to fix XMLHttpRequest POST being broken in KHTML
     due to a blank line in headers. (Closes: #292765)
 .
   +++ Changes by Christopher Martin:
 .
   * Add patch from upstream that solves the problem wherein programs whose
     .desktop entry contained their full path, rather than just the binary
     to be executed (mainly games), confused kdeinit.
     (Closes: #270592, #290323)
 .
   * debian/...

Read more...

Revision history for this message
Debian Bug Importer (debzilla) wrote :
Download full text (4.2 KiB)

Message-Id: <email address hidden>
Date: Sun, 13 Feb 2005 09:17:29 -0500
From: Debian Qt/KDE Maintainers <email address hidden>
To: <email address hidden>
Subject: Bug#294896: fixed in kdelibs 4:3.3.2-2

Source: kdelibs
Source-Version: 4:3.3.2-2

We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:

kdelibs-bin_3.3.2-2_i386.deb
  to pool/main/k/kdelibs/kdelibs-bin_3.3.2-2_i386.deb
kdelibs-data_3.3.2-2_all.deb
  to pool/main/k/kdelibs/kdelibs-data_3.3.2-2_all.deb
kdelibs4-dev_3.3.2-2_i386.deb
  to pool/main/k/kdelibs/kdelibs4-dev_3.3.2-2_i386.deb
kdelibs4-doc_3.3.2-2_all.deb
  to pool/main/k/kdelibs/kdelibs4-doc_3.3.2-2_all.deb
kdelibs4_3.3.2-2_i386.deb
  to pool/main/k/kdelibs/kdelibs4_3.3.2-2_i386.deb
kdelibs_3.3.2-2.diff.gz
  to pool/main/k/kdelibs/kdelibs_3.3.2-2.diff.gz
kdelibs_3.3.2-2.dsc
  to pool/main/k/kdelibs/kdelibs_3.3.2-2.dsc
kdelibs_3.3.2-2_all.deb
  to pool/main/k/kdelibs/kdelibs_3.3.2-2_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <email address hidden> (supplier of updated kdelibs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 13 Feb 2005 04:58:29 +0100
Source: kdelibs
Binary: kdelibs4 kdelibs-bin kdelibs kdelibs4-doc kdelibs-data kdelibs4-dev
Architecture: source i386 all
Version: 4:3.3.2-2
Distribution: unstable
Urgency: high
Maintainer: Debian Qt/KDE Maintainers <email address hidden>
Changed-By: Debian Qt/KDE Maintainers <email address hidden>
Description:
 kdelibs - KDE core libraries metapackage
 kdelibs-bin - KDE core binaries
 kdelibs-data - KDE core shared data
 kdelibs4 - KDE core libraries
 kdelibs4-dev - KDE core libraries (development files)
 kdelibs4-doc - KDE core library documentation
Closes: 270592 290323 292081 292569 292765 294832 294896
Changes:
 kdelibs (4:3.3.2-2) unstable; urgency=high
 .
   +++ Changes by Adeodato Simó:
 .
   * Include patch to fix CAN-2005-0365, "insecure temporary file creation in
     kdelibs 3.3.2". dcopidlng no longer creates its temporary files in /tmp.
     (Closes: #294832, #294896) Urgency set to high because of this and other
     RC bug fixes below.
 .
   * KDE_3_3_BRANCH update.
 .
   * Include patch from CVS to fix XMLHttpRequest POST being broken in KHTML
     due to a blank line in headers. (Closes: #292765)
 .
   +++ Changes by Christopher Martin:
 .
   * Add patch from upstream that solves the problem wherein programs whose
     .desktop entry contained their full path, rather than just the binary
     to be executed (mainly games), confused kdeinit.
     (Closes: #270592, #290323)
 .
   * debian/...

Read more...

Bug Watch Updater (bug-watch-updater)
Changed in kdelibs:
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.