kdelibs: CAN-2004-1145: Konqueror Java Vulnerability

Bug #11326 reported by Debian Bug Importer
Affects            Status        Importance  Assigned to      Milestone
kdelibs (Debian)   Fix Released  Unknown
kdelibs (Ubuntu)   Fix Released  High        Andreas Mueller

Bug Description

Automatically imported from Debian bug report #286521 http://bugs.debian.org/286521

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Automatically imported from Debian bug report #286521 http://bugs.debian.org/286521

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 20 Dec 2004 18:23:54 +0100
From: Adeodato Simó <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: kdelibs: CAN-2004-1145: Konqueror Java Vulnerability

Package: kdelibs
Version: 4:3.3.1-4
Severity: grave
Tags: security, fixed-in-experimental

  CAN-2004-1145 is about a vulnerability in the Konqueror Java code that
  allows applets to bypass the sandbox environment in which they are run.

  KDE 3.2.3 and 3.3.1 are vulnerable, 3.3.2 is not. The KDE Security
  Advisory [1] provides a patch for KDE 3.2.3, but for KDE 3.3.1 the
  recommended solution is 'upgrade to 3.3.2'.

    [1] http://www.kde.org/info/security/advisory-20041220-1.txt

  We (the members of the KDE Packaging Team) will have over the next
  days a look at the possibilities of backporting the fix. Depending on
  our findings, we'll either upload a fixed kdelibs 3.3.1 or kdelibs
  3.3.2 will have to make its way into sarge (but most likely after the
  3.3.1 transition is complete).

--
Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621

A conclusion is simply the place where someone got tired of thinking.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 21 Dec 2004 21:40:19 -0500
From: Christopher Martin <email address hidden>
To: <email address hidden>
Subject: tags 286521 sid sarge

tags 286521 sid sarge
stop

Explaining which versions of KDE are affected.

Revision history for this message
Andreas Mueller (amu) wrote :

tag: warty

hoary isn't affected

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 3 Jan 2005 12:12:10 +0100
From: Adeodato Simó <email address hidden>
To: <email address hidden>, <email address hidden>
Cc: <email address hidden>, <email address hidden>, <email address hidden>, <email address hidden>
Subject: Re: Final polishing of the KDE 3.3 transition

#> we'll go with lowering to 'important', with an attached explanation.

#285128: kdelibs: CAN-2004-1165: FTP command injection bug
severity 285128 important

#286516: kdebase: CAN-2004-1158: Konqueror Window Injection Vuln.
severity 286516 important

#286521: kdelibs: CAN-2004-1145: Konqueror Java Vulnerability
severity 286521 important

thanks mate, see you again after the transition

  In agreement with the Release Team, I'm downgrading the severity of
  the above three security bugs in KDE to important, so that KDE 3.3 can
  enter sarge. See this thread [1] for more info.

    [1] http://lists.debian.org/debian-release/2005/01/msg00004.html

  The severity will be restored right after the transition, and uploads
  to sid will shortly follow. Just to say what is going to happen:
  kdebase 3.3.1-4 will be uploaded first (along with an arts 1.3.2-2, not
  security related). While buildds churn these two, a kdelibs 3.3.2-1
  upload to sid will be prepared, and uploaded as soon as kdebase+arts
  is built in all arches.

  We need to upload kdelibs 3.3.2 since the fix for CAN-2004-1145 (the
  Java Vulnerability) is not easily backportable to 3.3.1. Having
  kdelibs 3.3.2 with the rest of packages being at 3.3.1 is a safe mix;
  in any case, we will test prior to uploading and the urgency won't be
  set to high.

  Cheers,

--
Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
    Listening to: 10,000 Maniacs - don't talk

Don't worry about what anybody else is going to do. The best way to
predict the future is to invent it.
                -- Alan Kay

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 4 Jan 2005 09:48:48 +0100
From: Adeodato Simó <email address hidden>
To: <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Final polishing of the KDE 3.3 transition

# severity 285128 important
# severity 286516 important
# severity 286521 important
# thanks mate, see you again after the transition

# <vorlon> dato: would you care to bump those security bugs back up to RC severity?

severity 285128 grave
severity 286516 grave
severity 286521 grave

thanks. vorlon: done

--
Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621

Don't be irreplaceable, if you can't be replaced, you can't be promoted.

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 9 Jan 2005 01:22:56 +0100
From: Adeodato Simó <email address hidden>
To: <email address hidden>
Subject: setting package to kdelibs kdelibs kdelibs-bin kdelibs-data kdelibs4 kdelibs4-dev
 kdelibs4-doc ... ... ... ... ... ... ... ...

# Automatically generated email from bts, devscripts version 2.8.6
package kdelibs kdelibs kdelibs-bin kdelibs-data kdelibs4 kdelibs4-dev kdelibs4-doc
tags 263430 + pending
tags 285128 + pending
tags 286521 + pending
tags 287097 + pending
tags 287201 + pending
tags 287566 + pending
tags 288653 + pending
tags 289164 + pending

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 11 Jan 2005 17:54:11 +0100
From: Adeodato Simó <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: meaning of 'pending'

  Since I've been asked by a RM how 'pending' these security fixes were
  (#285128: CAN-2004-1165: FTP command injection bug, #286521: kdelibs:
  CAN-2004-1145: Konqueror Java Vulnerability), here is an update: the
  packages are mostly ready, and shall be uploaded as soon as kdebase
  3.3.1-4 is successfully built in all arches:

    http://people.debian.org/~igloo/status.php?package=kdebase&thin=on

  Currently, only a mipsel build is missing.

--
Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621

You cannot achieve the impossible without attempting the absurd.

Revision history for this message
Matt Zimmerman (mdz) wrote :

What is the status of this bug in Hoary?

Revision history for this message
Debian Qt/KDE Maintainers (debian-qt-kde) wrote : Bug#286521: fixed in kdelibs 4:3.3.2-1

Source: kdelibs
Source-Version: 4:3.3.2-1

We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:

kdelibs-bin_3.3.2-1_i386.deb
  to pool/main/k/kdelibs/kdelibs-bin_3.3.2-1_i386.deb
kdelibs-data_3.3.2-1_all.deb
  to pool/main/k/kdelibs/kdelibs-data_3.3.2-1_all.deb
kdelibs4-dev_3.3.2-1_i386.deb
  to pool/main/k/kdelibs/kdelibs4-dev_3.3.2-1_i386.deb
kdelibs4-doc_3.3.2-1_all.deb
  to pool/main/k/kdelibs/kdelibs4-doc_3.3.2-1_all.deb
kdelibs4_3.3.2-1_i386.deb
  to pool/main/k/kdelibs/kdelibs4_3.3.2-1_i386.deb
kdelibs_3.3.2-1.diff.gz
  to pool/main/k/kdelibs/kdelibs_3.3.2-1.diff.gz
kdelibs_3.3.2-1.dsc
  to pool/main/k/kdelibs/kdelibs_3.3.2-1.dsc
kdelibs_3.3.2-1_all.deb
  to pool/main/k/kdelibs/kdelibs_3.3.2-1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <email address hidden> (supplier of updated kdelibs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 16 Jan 2005 20:48:01 +0100
Source: kdelibs
Binary: kdelibs4 kdelibs-bin kdelibs kdelibs4-doc kdelibs-data kdelibs4-dev
Architecture: source i386 all
Version: 4:3.3.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <email address hidden>
Changed-By: Debian Qt/KDE Maintainers <email address hidden>
Description:
 kdelibs - KDE core libraries metapackage
 kdelibs-bin - KDE core binaries
 kdelibs-data - KDE core shared data
 kdelibs4 - KDE core libraries
 kdelibs4-dev - KDE core libraries (development files)
 kdelibs4-doc - KDE core library documentation
Closes: 263430 285128 286521 287097 287201 287566 288653 289164 290190 290191
Changes:
 kdelibs (4:3.3.2-1) unstable; urgency=medium
 .
   +++ Changes by Adeodato Simó:
 .
   * Uploading to unstable. This new upstream version fixes CAN-2004-1145,
     "Konqueror Java Vulnerability", and thus closes: #286521. Urgency set
     to medium for this reason (the package has been in experimental for some
     time, and has been checked to work properly with the rest of 3.3.1
     packages).
 .
   * debian/control:
     - make kdelibs-data replace kjscmd (<< 4:3.3.0), which was missed in the
       3.3.1-1 upload and completely forgotten since then. (Closes: #288653)
 .
   * debian/kdelibs-data.install: the files added in the previous upload were
     checked not to exist in oo.o-mimelnk in sid, but sadly they exist in the
     version in sarge. Reverted them for now, will be re-added when OpenOffice
     1.1.3 enters sarge (with the proper Conflicts: entry). (Closes: #287097)
 .
     List of files:
       - usr/share/mimelnk/application/vnd.sun.xml.calc.template.desktop
       - usr/share/mimel...

Revision history for this message
Andreas Mueller (amu) wrote :

(In reply to comment #8)
> What is the status of this bug in Hoary?

hoary isn't affected

Revision history for this message
Matt Zimmerman (mdz) wrote :

(In reply to comment #9)
> (In reply to comment #8)
> > What is the status of this bug in Hoary?
>
> hoary isn't affected

I assume it affects Warty, then, or the bug would be closed. Who is working on
an update?

Revision history for this message
Martin Pitt (pitti) wrote :

(In reply to comment #11)
> (In reply to comment #9)
> > (In reply to comment #8)
> > > What is the status of this bug in Hoary?
> >
> > hoary isn't affected
>
> I assume it affects Warty, then, or the bug would be closed. Who is working on
> an update?

Warty is already fixed:

http://people.ubuntu.com/~mvo/changelogs/pool/universe/k/kdelibs/kdelibs_3.2.3-2ubuntu1.3/changelog

So I close this bug now.

Changed in kdelibs:
status: Unknown → Fix Released