[CVE-2014-3494] KMail/KIO POP3 SSL MITM Flaw

Bug #1332064 reported by Rohan Garg
Affects            Status        Importance  Assigned to  Milestone
kde4libs (Ubuntu)  Fix Released  Undecided   Unassigned
Saucy              Fix Released  Undecided   Unassigned
Trusty             Fix Released  Undecided   Unassigned
Utopic             Fix Released  Undecided   Unassigned

Bug Description

Overview
========

The POP3 kioslave used by KMail will accept invalid certificates without
presenting a dialog to the user due to a bug that leads to an inability to
display the dialog combined with an error in the way the result is checked.

Impact
======

This flaw allows an active attacker to perform MITM attacks against the
ioslave which could result in the leakage of sensitive data such as the
authentication details and the contents of emails.

Workaround
==========

None

Solution
========

Upgrade to version 4.13.3 or apply the patch at
http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=bbae87dc1be3ae063796a582774bd5642cacdd5d&hp=1ccdb43ed3b32a7798eec6d39bb3c83a6e40228f
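
The failure mode from the Overview (a prompt that cannot be displayed, combined with a result check that reads the missing answer as consent), shown next to a fail-closed check. This is an added illustration, not the kdelibs code or the patch; `PromptChannel`, `DialogResult` and both functions are hypothetical names.

```cpp
#include <functional>
#include <iostream>

// Hypothetical dialog result codes; 0 means "no answer was obtained".
enum DialogResult { NoAnswer = 0, Continue = 1, Cancel = 2 };

// Hypothetical stand-in for the channel a worker uses to ask the user.
// With no handler attached the dialog cannot be shown and 0 comes back.
struct PromptChannel {
    std::function<DialogResult()> handler;  // empty: nothing can display the dialog
    int shown = 0;                          // how many dialogs actually reached a user
    DialogResult ask() {
        if (!handler) return NoAnswer;
        ++shown;
        return handler();
    }
};

// Fail-open: only an explicit Cancel rejects, so NoAnswer counts as consent.
bool acceptCertFailOpen(bool certValid, PromptChannel &ui) {
    if (certValid) return true;
    DialogResult r = ui.ask();
    if (r == Cancel) return false;
    return true;  // reached for Continue and also for NoAnswer
}

// Fail-closed: an invalid certificate is accepted only on an explicit Continue.
bool acceptCertFailClosed(bool certValid, PromptChannel &ui) {
    if (certValid) return true;
    return ui.ask() == Continue;
}

int main() {
    PromptChannel detached;  // constructed case: no handler, dialog cannot be shown
    std::cout << std::boolalpha
              << "fail-open accepts invalid cert:   "
              << acceptCertFailOpen(false, detached) << "\n"
              << "fail-closed accepts invalid cert: "
              << acceptCertFailClosed(false, detached) << "\n"
              << "dialogs shown: " << detached.shown << "\n";
    return 0;
}
```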

Rohan Garg (rohangarg) wrote :

Debdiff for trusty

Rohan Garg (rohangarg) wrote :

Debdiff for saucy

no longer affects: kde4libs (Ubuntu Precise)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde4libs - 4:4.13.2-0ubuntu2

---------------
kde4libs (4:4.13.2-0ubuntu2) utopic; urgency=medium

  * SECURITY UPDATE: Fix KMail/KIO SSL flaw
    - CVE-2014-3494 (LP: #1332064)
 -- Rohan Garg <email address hidden> Thu, 19 Jun 2014 15:18:47 +0200

Changed in kde4libs (Ubuntu Utopic):
status: New → Fix Released
Seth Arnold (seth-arnold) wrote :

Thanks Rohan; I slightly modified the debian/changelog to better match the style used elsewhere:

kde4libs (4:4.13.1-0ubuntu0.2) trusty-security; urgency=medium

  * SECURITY UPDATE: Fix KMail/KIO SSL flaw (LP: #1332064)
    - debian/patches/CVE-2014-3494.patch: Don't require a job to handle
      messageboxes.
    - CVE-2014-3494

 -- Rohan Garg <email address hidden> Thu, 19 Jun 2014 15:23:08 +0200

I'll release the updates Monday.

Thanks

Rohan Garg (rohangarg) wrote :

Thanks Seth!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde4libs - 4:4.13.1-0ubuntu0.2

---------------
kde4libs (4:4.13.1-0ubuntu0.2) trusty-security; urgency=medium

  * SECURITY UPDATE: Fix KMail/KIO SSL flaw
    - CVE-2014-3494 (LP: #1332064)
 -- Rohan Garg <email address hidden> Thu, 19 Jun 2014 15:23:08 +0200

Changed in kde4libs (Ubuntu Trusty):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde4libs - 4:4.11.5-0ubuntu0.3

---------------
kde4libs (4:4.11.5-0ubuntu0.3) saucy-security; urgency=medium

  * SECURITY UPDATE: Fix KMail/KIO SSL flaw (LP: #1332064)
    - debian/patches/CVE-2014-3494.patch: Don't require a job to handle
      messageboxes.
    - CVE-2014-3494
 -- Rohan Garg <email address hidden> Thu, 19 Jun 2014 15:10:34 +0200

Changed in kde4libs (Ubuntu Saucy):
status: New → Fix Released
Colin Watson (cjwatson) wrote : Update Released

The verification of the Stable Release Update for kde4libs has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
