[CVE-2014-3494] KMail/KIO POP3 SSL MITM Flaw

Bug #1332064 reported by Rohan Garg on 2014-06-19
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
kde4libs (Ubuntu)
Undecided
Unassigned
Saucy
Undecided
Unassigned
Trusty
Undecided
Unassigned
Utopic
Undecided
Unassigned

Bug Description

Overview
========

The POP3 kioslave used by kmail will accept invalid certificates without
presenting a dialog to the user due a bug that leads to an inability to
display the dialog combined with an error in the way the result is checked.

Impact
======

This flaw allows an active attacker to perform MITM attacks against the
ioslave which could result in the leakage of sensitive data such as the
authentication details and the contents of emails.

Workaround
==========

None

Solution
========

Upgrade to version 4.13.3 or apply the patch at
http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=bbae87dc1be3ae063796a582774bd5642cacdd5d&hp=1ccdb43ed3b32a7798eec6d39bb3c83a6e40228f

CVE References

Rohan Garg (rohangarg) wrote :

Debdiff for trusty

Rohan Garg (rohangarg) wrote :

Debdiff for saucy

no longer affects: kde4libs (Ubuntu Precise)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde4libs - 4:4.13.2-0ubuntu2

---------------
kde4libs (4:4.13.2-0ubuntu2) utopic; urgency=medium

  * SECURITY UPDATE: Fix KMail/KIO SSL flaw
    - CVE-2014-3494 (LP: #1332064)
 -- Rohan Garg <email address hidden> Thu, 19 Jun 2014 15:18:47 +0200

Changed in kde4libs (Ubuntu Utopic):
status: New → Fix Released
Seth Arnold (seth-arnold) wrote :

Thanks Rohan; I slightly modified the debian/changelog to better match the style used elsewhere:

kde4libs (4:4.13.1-0ubuntu0.2) trusty-security; urgency=medium

  * SECURITY UPDATE: Fix KMail/KIO SSL flaw (LP: #1332064)
    - debian/patches/CVE-2014-3494.patch: Don't require a job to handle
      messageboxes.
    - CVE-2014-3494

 -- Rohan Garg <email address hidden> Thu, 19 Jun 2014 15:23:08 +0200

I'll release the updates Monday.

Thanks

Rohan Garg (rohangarg) wrote :

Thanks Seth!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde4libs - 4:4.13.1-0ubuntu0.2

---------------
kde4libs (4:4.13.1-0ubuntu0.2) trusty-security; urgency=medium

  * SECURITY UPDATE: Fix KMail/KIO SSL flaw
    - CVE-2014-3494 (LP: #1332064)
 -- Rohan Garg <email address hidden> Thu, 19 Jun 2014 15:23:08 +0200

Changed in kde4libs (Ubuntu Trusty):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde4libs - 4:4.11.5-0ubuntu0.3

---------------
kde4libs (4:4.11.5-0ubuntu0.3) saucy-security; urgency=medium

  * SECURITY UPDATE: Fix KMail/KIO SSL flaw (LP: #1332064)
    - debian/patches/CVE-2014-3494.patch: Don't require a job to handle
      messageboxes.
    - CVE-2014-3494
 -- Rohan Garg <email address hidden> Thu, 19 Jun 2014 15:10:34 +0200

Changed in kde4libs (Ubuntu Saucy):
status: New → Fix Released

The verification of the Stable Release Update for kde4libs has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers