Bugzilla – Bug 868682
VUL-0: CVE-2014-2527 CVE-2014-2528: kdirstat: command injection in kcleanup
Last modified: 2019-07-22 14:36:58 UTC
OSS:12368 From: Murray McAllister <mmcallis@redhat.com>

Good morning,

Adrian Panasiuk discovered that the KDirStat (KDE Directory Statistics) tool did not correctly escape quotes when deleting a directory permanently. Attempting to use KDirStat to permanently delete a directory that has a malicious name could result in arbitrary command execution.

Original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741659

The Debian report is about single quotes. On Fedora (https://bugzilla.redhat.com/show_bug.cgi?id=1077059) double quotes were needed.

Can a CVE please be assigned if one has not been already? (And maybe it should be escaping ';' too if not already?)

Thanks,

References:
http://comments.gmane.org/gmane.comp.security.oss.general/12368
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741659
https://bugzilla.redhat.com/show_bug.cgi?id=1077059
The command start logic in kcleanup really needs polish. Could use the generic KDE versions (there must be some).
bugbot adjusting priority
from mitre

> The Debian report is about single quotes. On Fedora
> (https://bugzilla.redhat.com/show_bug.cgi?id=1077059) double quotes were
> needed.

The recent upstream patch:

https://bitbucket.org/jeromerobert/k4dirstat/commits/1ad2e96d73fa06cd9be0f3749b337c03575016aa#chg-src/kcleanup.cpp

addressed the ' issue using the '\\'' approach.

http://dl.fedoraproject.org/pub/fedora/linux/releases/19/Everything/source/SRPMS/k/k4dirstat-2.7.0-0.9.20101010git6c0a9e6.fc19.src.rpm has:

    expanded.replace( QRegExp( "%p" ), "\"" + QString::fromLocal8Bit( item->url() ) + "\"" );
    expanded.replace( QRegExp( "%n" ), "\"" + QString::fromLocal8Bit( item->name() ) + "\"" );

As mentioned in the http://openwall.com/lists/oss-security/2014/02/09/1 post, attempted use of " for this type of quoting is a conceptually different problem than attempted use of ' for this type of quoting, even if both attempts are ultimately incorrect. (We did not try to check whether the upstream version made a change from incorrect use of " to incorrect use of ' at some point. This could be considered an incomplete fix.)

Use CVE-2014-2527 for the vulnerability involving use of " (as shown in the above calls to expanded.replace). This CVE assignment applies to any upstream code or any Fedora-specific code that has this specific issue.

Use CVE-2014-2528 for the vulnerability involving use of ' (as shown in the above https://bitbucket.org commit).

If anyone happens to identify a version of the code that does not attempt any type of quoting, a third CVE assignment may be possible.

> (And maybe it should be escaping ';' too if not already?)

This would typically not be addressed as a separate fix.
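As an added illustration (not code from this bug or from the KDirStat project), the Python below mirrors the two quoting strategies discussed in the thread and uses shlex to show how a POSIX shell would tokenise the resulting kcleanup command string; the directory name and the "rm -rf %p" template are constructed for the example.

```python
import shlex

# Constructed sample input: a directory name carrying shell metacharacters.
MALICIOUS_NAME = 'photos"; echo INJECTED; "'
# Constructed kcleanup-style template; %p is replaced by the item's path.
TEMPLATE = "rm -rf %p"


def naive_double_quote(name: str) -> str:
    """The vulnerable pattern from the Fedora SRPM (CVE-2014-2527): wrap the
    name in double quotes. A " inside the name closes the quote early and the
    rest of the name is parsed as shell syntax."""
    return '"' + name + '"'


def single_quote(name: str) -> str:
    """The '\\'' approach from the k4dirstat fix: inside single quotes no
    character is special, so a literal ' is written as '\\'' (close the quote,
    backslash-escaped ', reopen)."""
    return "'" + name.replace("'", "'\\''") + "'"


def expand_template(template: str, name: str, quoter) -> str:
    """Expand %p the way kcleanup builds its command string."""
    return template.replace("%p", quoter(name))


def shell_words(command: str) -> list:
    """Tokenise the command as a POSIX shell would (shlex in posix mode), so we
    can check whether the name survived as exactly one argument."""
    return shlex.split(command)


def argv_without_shell(name: str) -> list:
    """Strongest mitigation: do not build a shell string at all; hand the
    argument vector straight to the process (subprocess.run(argv) without
    shell=True, or QProcess with an argument list)."""
    return ["rm", "-rf", name]
```

Note that the single-quote form also leaves ';' inert, so no separate escaping of it is needed.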
Let's do an update for SLE too, if affected.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-07-14. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58119
Affected packages:
SLE-10-SP3-TERADATA: kdirstat
SLE-11-SP3: kdirstat
I have patchinfos for sle9-sp3-tera and sle10-sp3 ... anything coming up for these?
SUSE-SU-2014:0930-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 868682
CVE References: CVE-2014-2527,CVE-2014-2528
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src): kdirstat-2.4.4-255.28.1
SUSE Linux Enterprise Server 11 SP3 (src): kdirstat-2.4.4-255.28.1
SUSE Linux Enterprise Desktop 11 SP3 (src): kdirstat-2.4.4-255.28.1
openSUSE updates are still missing. KDE maintainers?
This is an autogenerated message for OBS integration: This bug (868682) was mentioned in https://build.opensuse.org/request/show/242828 13.1 / kdirstat
openSUSE-SU-2014:0984-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 868682
CVE References: CVE-2014-2528
Sources used:
openSUSE 13.1 (src): kdirstat-2.4.4-273.4.1
Thanks!