Bugzilla – Bug 604709
VUL-0: CVE-2010-1000: kget metalink directory traversal
Last modified: 2018-07-31 08:41:24 UTC
Your friendly security team received the following report via security@suse.de. Please respond ASAP. This issue is not public yet, please keep any information about it inside SUSE. Note that build.opensuse.org *cannot* be used to prepare embargoed updates. Specially crafted metalink files could cause kget to download files into directories other than the one the user selected.
Created attachment 361279 [details] kget_CVE-2010-1000.diff
All KDE 4 versions are affected and the metalink code was substantially rewritten for 4.4, requiring the patch to be rewritten for the older versions.
kget itself is only on 11.2 so I guess the bug is actually in kdelibs4?
it's kdenetwork4
The SWAMPID for this issue is 33269. This issue was rated as important. Please submit fixed packages as soon as possible. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Submitted for SLE11, SLE-11-SP1, openSUSE 11.1, openSUSE 11.2, and patched in openSUSE:Factory.
Will, is this package really on SLE11? I cannot find it.
Yes, SUSE:SLE-11:GA kdenetwork4
mass change P5 -> P3
http://kde.org/info/security/advisory-20100513-1.txt
Will, did we also fix this one? "2) In some versions of KGet (2.4.2) a dialog box is displayed allowing the user to choose the file to download out of the options offered by the metalink file. However, KGet will simply go ahead and start the download after some time - even without prior acknowledgment of the user, and overwriting already-existing files of the same name. (CVE-2010-1511)"
Not necessary; we haven't shipped the affected versions (2.4.0, 2.4.1, 2.4.2) in products, and 2.4.3, which will be in 11.3, is fixed upstream.
I see no submission in done/SLES11 nor in done/SLES11-SP1. Did you submit them?
What's the status here? Can the patchinfos be canceled ("package not affected") or are we still waiting for fixes?
Will?
Since Dirk told me that our packages are not affected by this issue I've cancelled the workflow + this bug.
The SWAMPID for this issue is 33269. This issue was rated as moderate. Please submit fixed packages as soon as possible. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
needinfo satisfied by Dirk.
Any news here?
I wrote this test application:

#include <QtTest/QtTest>
#include <QDebug>
#include <qregexp.h>

// Same check as in the patch. The leading "$" in the pattern is an end-of-string
// anchor, so this QRegExp can never match; only the two literal tests take effect.
bool check(const QString& name)
{
    if (name.contains(QRegExp("$(\\.\\.?)?/")) || name.contains("/../") || name.endsWith("/.."))
        return true;
    return false;
}

void test()
{
    QString test("/../foo/bla");
    qDebug() << "1" << check("/../foo/bla");
    qDebug() << "2" << check("../foo/bla");
    qDebug() << "3" << check("bla/../foo/bla");
    qDebug() << "4" << check("foo/bla/..");
    qDebug() << "5" << check("foo/bla");
}

int main()
{
    test();
    return 0;
}

The output is:

1 true
2 false
3 true
4 true
5 false

Therefore I believe the patch is broken.
Will, could you please fix the patch and submit new packages?
I rewrote Dirk's test case to check the expected results. Am I right in understanding that all 5 tests should return true from check() as shown below? If so, removing the initial $ from the regexp seems sufficient.

#include <QtTest/QtTest>
#include <qregexp.h>

// With the "$" removed the group is optional, so this pattern matches any "/".
bool check(const QString& name)
{
    if (name.contains(QRegExp("(\\.\\.?)?/")) || name.contains("/../") || name.endsWith("/..")) {
        return true;
    }
    return false;
}

class TestDirTraversalTest : public QObject
{
    Q_OBJECT
private slots:
    void test()
    {
        QFETCH(QString, string);
        QFETCH(bool, result);
        QCOMPARE(check(string), result);
    }

    void test_data()
    {
        QTest::addColumn<QString>("string");
        QTest::addColumn<bool>("result");
        QTest::newRow("traversal up relative to root") << "/../foo/bla" << true;
        QTest::newRow("traversal up at beginning") << "../foo/bla" << true;
        QTest::newRow("traversal up inside") << "bla/../foo/bla" << true;
        QTest::newRow("traversal up at end") << "foo/bla/.." << true;
        QTest::newRow("traversal down, contains path component") << "foo/bla" << true;
    }
};

QTEST_MAIN(TestDirTraversalTest)
#include "test.moc"
foo/bla should be accepted as that just refers to a sub directory. You need to check whether the path contains "/../" or starts with "../" or ends in "/..". IOW split at '/' and check if any component is '..'.
Shouldn't the 5th case be rejected as well? What if foo/bla is etc/resolv.conf and I save in /?
If that works you run kget as root which means it's your own fault :-) The same applies to your home though. To fix that you'd have to always use the basename of all files. That would potentially break certain torrents that contain multiple files though I guess. OTOH it's a case of don't do that. You shouldn't extract arbitrary zip files in your home either after all.
eh, why did I think of torrents? no idea. Can metalink files actually contain multiple files?
Yes, directory information may be contained in the name attribute; see 4.1.2.2 at http://metalinker.org/Metalink_3.0_Spec.pdf.
So reject it if it .startswith("/").
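The rule worked out in the comments above (split the name at '/', reject any ".." component, reject a leading '/', keep plain sub-directories such as "foo/bla") as an added example in plain C++; this is not KGet's code or the patch, the function names are made up, and the inputs are the five from Dirk's test program plus the /etc/resolv.conf case.

```cpp
#include <cassert>
#include <string_view>
#include <vector>

// Split a '/'-separated path into components. Empty components are kept, so a
// leading '/' (absolute path) shows up as an empty first element.
static std::vector<std::string_view> splitPath(std::string_view path)
{
    std::vector<std::string_view> parts;
    std::size_t start = 0;
    for (;;) {
        std::size_t slash = path.find('/', start);
        if (slash == std::string_view::npos) {
            parts.push_back(path.substr(start));
            return parts;
        }
        parts.push_back(path.substr(start, slash - start));
        start = slash + 1;
    }
}

// True when a metalink "name" attribute may be joined onto the user-chosen
// download directory: it must be relative (no leading '/') and no component
// may be "..". Sub-directories such as "foo/bla" stay allowed, as agreed above.
// (Hypothetical helper written for this bug thread, not KGet's API.)
bool isSafeRelativeName(std::string_view name)
{
    if (name.empty() || name.front() == '/')
        return false;
    for (std::string_view part : splitPath(name)) {
        if (part == "..")
            return false;
    }
    return true;
}

int main()
{
    // The five inputs from Dirk's test program, plus the absolute-path case.
    assert(!isSafeRelativeName("/../foo/bla"));
    assert(!isSafeRelativeName("../foo/bla"));
    assert(!isSafeRelativeName("bla/../foo/bla"));
    assert(!isSafeRelativeName("foo/bla/.."));
    assert(isSafeRelativeName("foo/bla"));
    assert(!isSafeRelativeName("/etc/resolv.conf"));
    return 0;
}
```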
Have new patches been submitted so we can re-submit PIs?
About to submit; these include fixes for non-security bugs as follows:
11.3: 653852
11.2: 653852
11.1: 653852, 525528, 516347
SLE11SP1: 635852, 516347
SLE11GA: 653852, 525528, 516347
The SWAMPID for this issue is 37285. This issue was rated as moderate. Please submit fixed packages until 2010-12-03. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Could you write/tell me how to use/run the test application from comments #25 and #27?
Did get info from Dirk.
Update released for: kde4-kdnssd, kde4-kget, kde4-knewsticker, kde4-kopete, kde4-kopete-devel, kde4-kppp, kde4-krdc, kde4-krfb, kdenetwork4, kdenetwork4-debuginfo, kdenetwork4-debugsource, kdenetwork4-filesharing
Products: SLE-DEBUGINFO 11 (i386, ia64, ppc64, s390x, x86_64), SLE-DESKTOP 11 (i386, x86_64), SLE-SDK 11 (i386, ia64, ppc64, s390x, x86_64), SLE-SERVER 11 (i386, ia64, ppc64, s390x, x86_64)
Update released for: kdenetwork4, kdenetwork4-debugsource, kdenetwork4-filesharing, kdenetwork4-filesharing-debuginfo, kdnssd, kdnssd-debuginfo, kget, kget-debuginfo, kopete, kopete-debuginfo, kopete-devel, kppp, kppp-debuginfo, krdc, krdc-debuginfo, krfb, krfb-debuginfo
Products: openSUSE 11.2 (debug, i586, x86_64), openSUSE 11.3 (debug, i586, x86_64)
Update released for: kde4-kdnssd, kde4-kget, kde4-knewsticker, kde4-kopete, kde4-kopete-devel, kde4-kppp, kde4-krdc, kde4-krfb, kdenetwork4, kdenetwork4-debuginfo, kdenetwork4-debugsource, kdenetwork4-filesharing
Products: openSUSE 11.1 (debug, i586, ppc, x86_64)
Update released for: kde4-kdnssd, kde4-kget, kde4-knewsticker, kde4-kopete, kde4-kopete-devel, kde4-kppp, kde4-krdc, kde4-krfb, kdenetwork4, kdenetwork4-debuginfo, kdenetwork4-debugsource, kdenetwork4-filesharing, kdnssd, kget, kopete, kopete-devel, kppp, krdc, krfb
Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64), SLE-DESKTOP 11-SP1 (i386, x86_64), SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64), SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64), SLES4VMWARE 11-SP1 (i386, x86_64)
updates released
*** Bug 687873 has been marked as a duplicate of this bug. ***
This is an autogenerated message for OBS integration: This bug (604709) was mentioned in
https://build.opensuse.org/request/show/39843 11.1 / kdenetwork4
https://build.opensuse.org/request/show/39847 11.2 / kdenetwork4
https://build.opensuse.org/request/show/40210 Factory / kdenetwork4
https://build.opensuse.org/request/show/53355 11.1:Test / kdenetwork4
https://build.opensuse.org/request/show/53356 11.2:Test / kdenetwork4
https://build.opensuse.org/request/show/53357 11.3:Test / kdenetwork4
This is an autogenerated message for OBS integration: This bug (604709) was mentioned in https://build.opensuse.org/request/show/626656 15.0 / kopete