Bugzilla – Bug 883374
VUL-0: CVE-2014-3494: kdelibs4: KMail/KIO POP3 SSL MITM Flaw (CVE-2014-3494)
Last modified: 2015-11-10 12:50:13 UTC
KDE Project Security Advisory
=============================

Title: KMail/KIO POP3 SSL MITM Flaw
Risk Rating: Medium
CVE: CVE-2014-3494
Platforms: All
Versions: kdelibs 4.10.95 to 4.13.2
Author: Richard J. Moore <rich@kde.org>
Date: 17 June 2014

Overview
========

The POP3 kioslave used by kmail will accept invalid certificates without presenting a dialog to the user, due to a bug that leads to an inability to display the dialog combined with an error in the way the result is checked.

Impact
======

This flaw allows an active attacker to perform MITM attacks against the kioslave, which could result in the leakage of sensitive data such as the authentication details and the contents of emails.

Workaround
==========

None

Solution
========

Upgrade to version 4.13.3 or apply the patch at http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=bbae87dc1be3ae063796a582774bd5642cacdd5d&hp=1ccdb43ed3b32a7798eec6d39bb3c83a6e40228f

Credits
=======

Thanks to Jim Scadden for reporting this issue and writing the initial fix, and to David Faure for reviewing and improving the fix.

Reproducible: Always
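The failure mode the advisory describes (an undisplayable certificate dialog whose missing answer is then checked in a way that lets the connection proceed) is easy to reproduce in miniature. The following is an added illustration, not kdelibs code: the error list, the `ask_user` callbacks and both decision functions are constructed for this example, and `decide_fail_open` models the general fail-open pattern rather than the exact KDE defect.

```python
from enum import Enum
from typing import Callable, Optional, Sequence

class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"

# A prompt callback returns True (user accepted), False (user declined) or
# None when no dialog could be shown at all (constructed stand-in for a
# kioslave running without a UI to present the certificate warning).
Prompt = Callable[[Sequence[str]], Optional[bool]]

def decide_fail_open(errors: Sequence[str], ask_user: Prompt) -> Verdict:
    """Vulnerable pattern: tests the prompt result for an explicit 'no'
    instead of an explicit 'yes', so a missing answer is treated as consent."""
    if not errors:                       # chain validated cleanly
        return Verdict.ACCEPT
    answer = ask_user(errors)
    if answer is False:                  # only an explicit decline rejects
        return Verdict.REJECT
    return Verdict.ACCEPT                # None (no dialog shown) slips through

def decide_fail_closed(errors: Sequence[str], ask_user: Prompt) -> Verdict:
    """Hardened pattern: an invalid chain is accepted only on an explicit
    'yes'; no answer, an exception from the UI layer, or a decline all reject."""
    if not errors:
        return Verdict.ACCEPT
    try:
        answer = ask_user(errors)
    except RuntimeError:                 # UI layer could not show the dialog
        return Verdict.REJECT
    return Verdict.ACCEPT if answer is True else Verdict.REJECT

# Constructed prompt behaviours used to exercise both decision functions.
def no_ui_available(errors: Sequence[str]) -> Optional[bool]:
    return None                          # dialog never displayed, no answer

def ui_raises(errors: Sequence[str]) -> Optional[bool]:
    raise RuntimeError("no display available for certificate dialog")

def user_declines(errors: Sequence[str]) -> Optional[bool]:
    return False

def user_accepts(errors: Sequence[str]) -> Optional[bool]:
    return True

# Constructed sample verification result for a MITM-style certificate.
SAMPLE_ERRORS = ["self-signed certificate", "hostname mismatch"]
```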
The issue is with KDE 4.11 and up, so openSUSE 12.3 is not affected by this. Correcting the Product.
A maintenance update was created for openSUSE 13.1
This is an autogenerated message for OBS integration: This bug (883374) was mentioned in https://build.opensuse.org/request/show/238056 13.1 / kdelibs4-apidocs+kdelibs4
Thank you for the report Raymond. kde-maintainers@suse.de: Please ensure fix in SLE 12.
openSUSE-SU-2015:0573-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 875470,883374,902670,905742,921999
CVE References: CVE-2014-0190,CVE-2014-3494,CVE-2014-8483,CVE-2014-8600,CVE-2015-0295
Sources used:
openSUSE 13.1 (src): kdebase4-runtime-4.11.5-482.6, kdelibs4-4.11.5-488.2, kdelibs4-apidocs-4.11.5-488.3, konversation-1.5.1-3.4.3, kwebkitpart-1.3.3-2.4.1, libqt4-4.8.5-5.17.1, libqt4-devel-doc-4.8.5-5.17.2, libqt4-sql-plugins-4.8.5-5.17.1
Update released