KDE KGet Contains File Overwrite and Directory Traversal Bugs
SecurityTracker Alert ID: 1023984
SecurityTracker URL: http://securitytracker.com/id/1023984
CVE-2010-1000, CVE-2010-1511, CVE-2011-1586
Updated: Apr 21 2011
Original Entry Date: May 13 2010
Impact: Modification of user information
Fix Available: Yes  Vendor Confirmed: Yes
Version(s): KDE SC 4.0.0 up to and including KDE SC 4.4.3
Two vulnerabilities were reported in KDE KGet. A remote user can cause files to be downloaded to arbitrary directories on the target system. A remote user can cause certain files to be overwritten on the target system.
A remote user can supply a specially crafted 'name' attribute of the 'file' element of a metalink file. When the metalink file is downloaded, the file will be stored in a directory on the target system that is located outside of the download directory [CVE-2010-1000].
When KGet displays a dialog box to allow the user to choose certain metalink file options, the file will be downloaded after a period of time without user input. The file will overwrite any existing file of the same name [CVE-2010-1511].
Stefan Cornelius of Secunia Research reported these vulnerabilities.
A remote user can cause files to be downloaded to arbitrary directories on the target system.
A remote user can cause certain files to be overwritten on the target system.
The vendor has issued source code fixes and patches, described in their advisory.
The vendor's advisory is available at:
[Editor's note: The original fix for CVE-2010-1000 was incomplete. The incomplete fix has been assigned CVE-2011-1586. The vendor has issued a source code fix in April 2011. The vendor's advisory is available at: https://bugs.launchpad.net/ubuntu/+source/kdenetwork/+bug/757526]
Vendor URL: www.kde.org/info/security/advisory-20100513-1.txt
Cause: Access control error, Input validation error
Source Message Contents
Date: Thu, 13 May 2010 17:07:02 +0000
Subject: KDE KGet
KDE Security Advisory: KGet Directory Traversal and Insecure File Operation
Original Release Date: 2010-05-13
1. Systems affected:
KGet as shipped with KDE SC 4.0.0 up to including KDE SC 4.4.3. Earlier
versions of KDE SC may also be affected.
1) The "name" attribute of the "file" element of metalink files is not
properly sanitized before being used to download files. If a user is
tricked into downloading from a specially-crafted metalink file, this can
be exploited to download files to directories outside of the intended
download directory via directory traversal attacks. (CVE-2010-1000)
2) In some versions of KGet (2.4.2) a dialog box is displayed allowing the
user to choose the file to download out of the options offered by the
metalink file. However, KGet will simply go ahead and start the download
after some time - even without prior acknowledgment of the user, and
overwriting already-existing files of the same name. (CVE-2010-1511)
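As an added example (it is not KGet's code and not part of the KDE advisory), the Python below shows the two checks a metalink consumer needs against the issues described in items 1 and 2: the "name" attribute of each "file" element is validated as a relative path that stays inside the download directory before it is used, and the target file is created with O_EXCL so an existing file of the same name is refused rather than overwritten. The metalink document, the mirror host and the download directory are constructed for illustration.

```python
import os
import posixpath
import tempfile
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath, PureWindowsPath

# Constructed sample metalink (Metalink 3.0 layout): one benign entry, one
# traversal name and one absolute name. Host and names are illustrative only.
SAMPLE_METALINK = """<?xml version="1.0" encoding="UTF-8"?>
<metalink version="3.0" xmlns="http://www.metalinker.org/">
  <files>
    <file name="kget-release.tar.bz2">
      <resources><url type="http">http://mirror.example.invalid/kget-release.tar.bz2</url></resources>
    </file>
    <file name="../../.bashrc">
      <resources><url type="http">http://mirror.example.invalid/a</url></resources>
    </file>
    <file name="/etc/passwd">
      <resources><url type="http">http://mirror.example.invalid/b</url></resources>
    </file>
  </files>
</metalink>
"""


def local_name(tag):
    """Strip an XML namespace: '{http://...}file' -> 'file'."""
    return tag.rsplit("}", 1)[-1]


def is_safe_name(name, download_dir="/home/user/Downloads"):
    """True only if 'name' is a relative path that stays inside download_dir."""
    if not name or "\x00" in name or "\\" in name or name.endswith("/"):
        return False
    p = PurePosixPath(name)
    w = PureWindowsPath(name)
    # Absolute paths, drive letters and any '..' component are rejected outright.
    if p.is_absolute() or w.drive or w.root or ".." in p.parts:
        return False
    # Belt and braces: after normalisation the target must still sit under the base.
    base = posixpath.normpath(download_dir)
    target = posixpath.normpath(posixpath.join(base, name))
    return target.startswith(base + "/")


def metalink_files(metalink_xml):
    """Yield (name, [urls]) for every <file> element, whatever namespace is used."""
    root = ET.fromstring(metalink_xml)
    for el in root.iter():
        if local_name(el.tag) == "file":
            urls = [u.text.strip() for u in el.iter()
                    if local_name(u.tag) == "url" and u.text]
            yield el.get("name", ""), urls


def classify(metalink_xml, download_dir="/home/user/Downloads"):
    """Split the file entries into accepted {name: urls} and rejected [names]."""
    accepted, rejected = {}, []
    for name, urls in metalink_files(metalink_xml):
        if is_safe_name(name, download_dir):
            accepted[name] = urls
        else:
            rejected.append(name)
    return accepted, rejected


def open_without_clobber(path):
    """Create 'path' for writing only if nothing exists there (O_EXCL); else None."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except FileExistsError:
        return None
    return os.fdopen(fd, "wb")


def no_clobber_demo():
    """Two downloads to the same name: the second is refused, the first survives."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "kget-release.tar.bz2")
        first = open_without_clobber(target)
        with first:
            first.write(b"first download")
        second = open_without_clobber(target)
        with open(target, "rb") as f:
            kept = f.read()
    return first is not None, second is None, kept


if __name__ == "__main__":
    ok, bad = classify(SAMPLE_METALINK)
    print("accepted:", ok)
    print("rejected:", bad)
    print("no-clobber:", no_clobber_demo())
```

The name check is deliberately stricter than "does it contain ..": it rejects absolute paths of either platform convention, backslashes and NUL bytes, and then re-checks the normalised join against the base directory, so a future change to one rule does not silently reopen the traversal. The O_EXCL create replaces the "download and overwrite after a timeout" behaviour with a hard refusal that the caller can surface as a prompt.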
The vulnerabilities were reported by and the above text provided by Stefan
Cornelius of Secunia Research.
1) Files may be created or overwritten in directories outside of a user's
intended download directory.
2) Files may be created or overwritten in a user's intended download
directory without acknowledgement of the user.
Source code patches have been made available which fix these
vulnerabilities. At the time of this writing most OS vendor / binary
package providers should have updated binary packages. Contact your OS
vendor / binary package provider for information about how to obtain
updated binary packages.
Patches have been committed to the KDE Subversion repository in the
following revision numbers:
4.3 branch: r1126227
4.4 branch: r1124974
Patches for KDE SC 4.3 and KDE SC 4.4 may be obtained directly from the
Subversion repository (no checkout needed) with the following command and
reference SHA1 sums:
4.3 branch: dc1b2af664fb4c74c018e9c6b02859b5c42ecd65
svn diff -r 1126226:1126227 \
4.4 branch: 3ed1b2333ba324e1fc6c1994cef1715eb0b6f457
svn diff -r 1124973:1124974 \