#2009-015 KDE multiple issues Description: KDE, an open source desktop environment, suffers from several bugs that pose a security risk. The oCERT team was contacted by Portcullis Security requesting help in handling a series of issues reported to the KDE project back in July 2007. Because of an extended period of non-disclosure Portcullis decided to resubmit the issues to KDE and contacted oCERT asking for assistance in disclosure coordination. Ark input sanitization errors: The KDE archiving tool, Ark, performs insufficient validation which leads to specially crafted archive files, using unknown MIME types, to be rendered using a KHTML instance, this can trigger uncontrolled XMLHTTPRequests to remote sites. IO Slaves input sanitization errors: KDE protocol handlers perform insufficient input validation, an attacker can craft malicious URI that would trigger JavaScript execution. Additionally the 'help://' protocol handler suffer from directory traversal. It should be noted that the scope of this issue is limited as the malicious URIs cannot be embedded in Internet hosted content. KMail input sanitization errors: The KDE mail client, KMail, performs insufficient validation which leads to specially crafted email attachments, using unknown MIME types, to be rendered using a KHTML instance, this can trigger uncontrolled XMLHTTPRequests to remote sites. The exploitation of these vulnerabilities is unlikely according to Portcullis and KDE but the execution of active content is nonetheless unexpected and might pose a threat. All the reported issues have been patched. Affected version: KDE < 4.3.2 Fixed version: KDE >= 4.3.3 Credit: Tim Brown, Portcullis Computer Security Ltd. CVE: N/A Timeline: 2009-02-18: vulnerability report received 2009-02-19: contacted KDE security team 2009-03-05: KDE acknowledges the report, provides preliminary analysis for the reported issues 2009-03-18: Portcullis provides additional information 2009-04-29: KDE provides preliminary patches 2009-05-27: KDE reports that they are communicating directly with Portcullis on the reported issues 2009-06-15: Portcullis provides updated advisories for review 2009-06-18: oCERT asks KDE review of Portcullis advisories 2009-09-23: KDE reports that all issues have been fixed 2009-10-02: KDE reports additional feedback about the fixes 2009-10-15: KDE commits all outstanding fixes 2009-10-27: advisory release References: http://www.davidfaure.fr/2009/xmlhttprequest_3.x.diff http://websvn.kde.org/?view=revision&revision=1035539 http://websvn.kde.org/?view=revision&revision=1030579 http://websvn.kde.org/?view=revision&revision=938003 Permalink: http://www.ocert.org/advisories/ocert-2009-015.html -- Andrea Barisani | Founder & Project Coordinator oCERT | Open Source Computer Emergency Response Team http://www.ocert.org 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E "Pluralitas non est ponenda sine necessitate"