SecurityTracker.com
Category:   Application (Generic)  >   KDE
Vendors:   KDE.org
KDE KGet Contains File Overwrite and Directory Traversal Bugs
SecurityTracker Alert ID:  1023984
SecurityTracker URL:  http://securitytracker.com/id/1023984
CVE Reference:   CVE-2010-1000, CVE-2010-1511, CVE-2011-1586
Updated:  Apr 21 2011
Original Entry Date:  May 13 2010
Impact:   Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): KDE SC 4.0.0 up to and including KDE SC 4.4.3
Description:   Two vulnerabilities were reported in KDE KGet. A remote user can cause files to be downloaded to arbitrary directories on the target system. A remote user can cause certain files to be overwritten on the target system.

A remote user can supply a specially crafted 'name' attribute of the 'file' element of a metalink file. When the metalink file is downloaded, the file will be stored in a directory on the target system that is located outside of the download directory [CVE-2010-1000].

When KGet displays a dialog box to allow the user to choose certain metalink file options, the file will be downloaded after a period of time without user input. The file will overwrite any existing file of the same name [CVE-2010-1511].

Stefan Cornelius of Secunia Research reported these vulnerabilities.
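
The two checks this alert implies, as an added example (not KDE's patch and not code from the advisory): confine each metalink 'name' value to the download directory, and refuse to replace an existing file. It assumes a POSIX system; the sample document, host names and function names are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample (not from the advisory): a Metalink 3.0 document whose
# file names mix ordinary entries with ones that point outside the target.
SAMPLE_METALINK = """<metalink version="3.0" xmlns="http://www.metalinker.org/">
 <files>
  <file name="distro.iso"><resources><url>http://mirror.example/distro.iso</url></resources></file>
  <file name="../../outside.txt"><resources><url>http://mirror.example/a</url></resources></file>
  <file name="/constructed/absolute.txt"><resources><url>http://mirror.example/b</url></resources></file>
  <file name="docs/readme.txt"><resources><url>http://mirror.example/c</url></resources></file>
  <file name="sub/../../escape.txt"><resources><url>http://mirror.example/d</url></resources></file>
 </files>
</metalink>"""


def resolve_in_download_dir(download_dir, name):
    """Return the absolute destination for `name`, or None if it leaves download_dir."""
    if not name or "\x00" in name:
        return None
    base = os.path.realpath(download_dir)
    # join() lets an absolute name replace base; realpath() collapses ".." and
    # follows symlinks, so the containment check below sees the final location.
    candidate = os.path.realpath(os.path.join(base, name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def audit_metalink(xml_text, download_dir):
    """Split the 'name' attributes of all <file> elements into accepted/rejected."""
    accepted, rejected = {}, []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.rsplit("}", 1)[-1] != "file":  # ignore the XML namespace
            continue
        name = elem.get("name", "")
        dest = resolve_in_download_dir(download_dir, name)
        if dest is None:
            rejected.append(name)
        else:
            accepted[name] = dest
    return accepted, rejected


def create_without_overwrite(dest):
    """Create `dest` for writing; raise FileExistsError rather than replace a file."""
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    # O_EXCL makes creation atomic and also refuses an existing symlink at dest.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    return os.fdopen(fd, "wb")
```
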

Impact:   A remote user can cause files to be downloaded to arbitrary directories on the target system.

A remote user can cause certain files to be overwritten on the target system.

Solution:   The vendor has issued source code fixes and patches, described in their advisory.

The vendor's advisory is available at:

http://www.kde.org/info/security/advisory-20100513-1.txt

[Editor's note: The original fix for CVE-2010-1000 was incomplete. The incomplete fix has been assigned CVE-2011-1586. The vendor issued a source code fix in April 2011. The vendor's advisory is available at: https://bugs.launchpad.net/ubuntu/+source/kdenetwork/+bug/757526]

Vendor URL:  www.kde.org/info/security/advisory-20100513-1.txt
Cause:   Access control error, Input validation error
Underlying OS:   Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 21 2011 (Red Hat Issues Fix) KDE KGet Contains File Overwrite and Directory Traversal Bugs   (bugzilla@redhat.com)
Red Hat has issued a fix for CVE-2011-1586 for Red Hat Enterprise Linux 6.



 Source Message Contents

Date:  Thu, 13 May 2010 17:07:02 +0000
Subject:  KDE KGet


KDE Security Advisory: KGet Directory Traversal and Insecure File Operation
Vulnerabilities
Original Release Date: 2010-05-13
URL: http://www.kde.org/info/security/advisory-20100513-1.txt

0. References:
    CVE-2010-1000
    CVE-2010-1511
    SA39528

1. Systems affected:

    KGet as shipped with KDE SC 4.0.0 up to and including KDE SC 4.4.3. Earlier
    versions of KDE SC may also be affected.

2. Overview:

    1) The "name" attribute of the "file" element of metalink files is not
    properly sanitized before being used to download files. If a user is
    tricked into downloading from a specially-crafted metalink file, this can
    be exploited to download files to directories outside of the intended
    download directory via directory traversal attacks. (CVE-2010-1000)

    2) In some versions of KGet (2.4.2) a dialog box is displayed allowing the
    user to choose the file to download out of the options offered by the
    metalink file. However, KGet will simply go ahead and start the download
    after some time - even without prior acknowledgment of the user, and
    overwriting already-existing files of the same name. (CVE-2010-1511)

    The vulnerabilities were reported by and the above text provided by Stefan
    Cornelius of Secunia Research. 

3. Impact:

    1) Files may be created or overwritten in directories outside of a user's
    intended download directory.

    2) Files may be created or overwritten in a user's intended download
    directory without acknowledgement of the user.

4. Solution:

    Source code patches have been made available which fix these
    vulnerabilities. At the time of this writing most OS vendor / binary
    package providers should have updated binary packages. Contact your OS
    vendor / binary package provider for information about how to obtain
    updated binary packages.

5. Patch:

    Patches have been committed to the KDE Subversion repository in the
    following revision numbers:

    4.3 branch: r1126227
    4.4 branch: r1124974
    Trunk: r1124976

    Patches for KDE SC 4.3 and KDE SC 4.4 may be obtained directly from the
    Subversion repository (no checkout needed) with the following command and
    reference SHA1 sums:

    4.3 branch: dc1b2af664fb4c74c018e9c6b02859b5c42ecd65
    svn diff -r 1126226:1126227 \
    svn://anonsvn.kde.org/home/kde/branches/KDE/4.3/kdenetwork

    4.4 branch: 3ed1b2333ba324e1fc6c1994cef1715eb0b6f457
    svn diff -r 1124973:1124974 \
    svn://anonsvn.kde.org/home/kde/branches/KDE/4.4/kdenetwork


 
 



Copyright 2014, SecurityGlobal.net LLC