Debian Bug report logs -
#546212
CVE-2009-2702: KDE KSSL NULL Character Certificate Spoofing Vulnerability
Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>
Date: Fri, 11 Sep 2009 17:42:02 UTC
Severity: serious
Tags: security
Fixed in versions kdelibs/4:3.5.10.dfsg.1-2.1, kdelibs/4:3.5.5a.dfsg.1-8etch4
Done: Giuseppe Iuculano <iuculano@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#546212; Package kdelibs,kde4libs.
(Fri, 11 Sep 2009 17:42:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>.
(Fri, 11 Sep 2009 17:42:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: kdelibs,kde4libs
Severity: serious
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for kdelibs and kde4libs.
CVE-2009-2702[0]:
| KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a
| '\0' character in a domain name in the Subject Alternative Name field
| of an X.509 certificate, which allows man-in-the-middle attackers to
| spoof arbitrary SSL servers via a crafted certificate issued by a
| legitimate Certification Authority, a related issue to CVE-2009-2408.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2702
http://security-tracker.debian.net/tracker/CVE-2009-2702
Cheers,
Giuseppe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkqqhtMACgkQNxpp46476ao+jQCgjGZaW64GZRrVZpcGFAxW4+Ap
FpMAn2EWIhIe+Qgd0RBvO3abWnsLtRF2
=LoWY
-----END PGP SIGNATURE-----
Bug reassigned from package 'kdelibs,kde4libs' to 'kdelibs'.
Request was from Giuseppe Iuculano <giuseppe@iuculano.it>
to control@bugs.debian.org.
(Fri, 11 Sep 2009 18:12:06 GMT) (full text, mbox, link).
Bug 546212 cloned as bug 546218.
Request was from Giuseppe Iuculano <giuseppe@iuculano.it>
to control@bugs.debian.org.
(Fri, 11 Sep 2009 18:12:07 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#546212; Package kdelibs.
(Wed, 14 Oct 2009 09:33:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Giuseppe Iuculano <iuculano@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>.
(Wed, 14 Oct 2009 09:33:05 GMT) (full text, mbox, link).
Message #14 received at 546212@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
Attached is a debdiff of the changes I made for 4:3.5.10.dfsg.1-2.1 0-day NMU.
Cheers,
Giuseppe
[kdelibs_3.5.10.dfsg.1-2.1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]
Reply sent
to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility.
(Wed, 14 Oct 2009 11:21:26 GMT) (full text, mbox, link).
Notification sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer.
(Wed, 14 Oct 2009 11:21:26 GMT) (full text, mbox, link).
Message #19 received at 546212-close@bugs.debian.org (full text, mbox, reply):
Source: kdelibs
Source-Version: 4:3.5.10.dfsg.1-2.1
We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:
kdelibs-data_3.5.10.dfsg.1-2.1_all.deb
to pool/main/k/kdelibs/kdelibs-data_3.5.10.dfsg.1-2.1_all.deb
kdelibs-dbg_3.5.10.dfsg.1-2.1_i386.deb
to pool/main/k/kdelibs/kdelibs-dbg_3.5.10.dfsg.1-2.1_i386.deb
kdelibs4-dev_3.5.10.dfsg.1-2.1_i386.deb
to pool/main/k/kdelibs/kdelibs4-dev_3.5.10.dfsg.1-2.1_i386.deb
kdelibs4-doc_3.5.10.dfsg.1-2.1_all.deb
to pool/main/k/kdelibs/kdelibs4-doc_3.5.10.dfsg.1-2.1_all.deb
kdelibs4c2a_3.5.10.dfsg.1-2.1_i386.deb
to pool/main/k/kdelibs/kdelibs4c2a_3.5.10.dfsg.1-2.1_i386.deb
kdelibs_3.5.10.dfsg.1-2.1.diff.gz
to pool/main/k/kdelibs/kdelibs_3.5.10.dfsg.1-2.1.diff.gz
kdelibs_3.5.10.dfsg.1-2.1.dsc
to pool/main/k/kdelibs/kdelibs_3.5.10.dfsg.1-2.1.dsc
kdelibs_3.5.10.dfsg.1-2.1_all.deb
to pool/main/k/kdelibs/kdelibs_3.5.10.dfsg.1-2.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 546212@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated kdelibs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 14 Oct 2009 09:57:26 +0200
Source: kdelibs
Binary: kdelibs kdelibs-data kdelibs4c2a kdelibs4-dev kdelibs4-doc kdelibs-dbg
Architecture: source all i386
Version: 4:3.5.10.dfsg.1-2.1
Distribution: unstable
Urgency: high
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description:
kdelibs - core libraries from the official KDE release
kdelibs-data - core shared data for all KDE applications
kdelibs-dbg - debugging symbols for kdelibs
kdelibs4-dev - development files for the KDE core libraries
kdelibs4-doc - developer documentation for the KDE core libraries
kdelibs4c2a - core libraries and binaries for all KDE applications
Closes: 534949 534949 546212
Changes:
kdelibs (4:3.5.10.dfsg.1-2.1) unstable; urgency=high
.
* Non-maintainer upload by the testing Security Team.
* Fixed CVE-2009-1687: An integer overflow, leading to heap-based buffer
overflow was found in the KDE implementation of garbage collector for the
JavaScript language (KJS).
* Fixed CVE-2009-1690: KDE HTML parser incorrectly handled content, forming
the HTML page <head> element. A remote attacker could use this flaw to
cause a denial of service (konqueror crash) or, potentially, execute
arbitrary code, with the privileges of the user running "konqueror" web
browser, if the victim was tricked to open a specially-crafted HTML page.
(Closes: #534949)
* Fixed CVE-2009-1698: KDE's Cascading Style Sheets (CSS) parser incorrectly
handled content, forming the value of CSS "style" attribute. A remote
attacker could use this flaw to cause a denial of service (konqueror crash)
or potentially execute arbitrary code with the privileges of the user
running "konqueror" web browser, if the victim visited a specially-crafted
CSS equipped HTML page. (Closes: #534949)
* Fixed CVE-2009-2702: KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not
properly handle a '\0' character in a domain name in the Subject
Alternative Name field of an X.509 certificate, which allows
man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted
certificate issued by a legitimate Certification Authority (Closes: #546212)
Checksums-Sha1:
504fd9e9dd1ffbbda2b654ad681ba3388ee6c14e 2230 kdelibs_3.5.10.dfsg.1-2.1.dsc
d12ff23264c4d4c78835e3389fd8cbdf662dcccc 657806 kdelibs_3.5.10.dfsg.1-2.1.diff.gz
2bf9237e425be86e35661d494abf236808c2d41a 30134 kdelibs_3.5.10.dfsg.1-2.1_all.deb
3bf227f539914b357886aa7345ede1df3d751731 8718404 kdelibs-data_3.5.10.dfsg.1-2.1_all.deb
0981d0e43afee520bf2f9fe73298ba646a5178d0 26876690 kdelibs4-doc_3.5.10.dfsg.1-2.1_all.deb
72da39a38c3f0c7d8389ab067d67c50fff71fa47 10306148 kdelibs4c2a_3.5.10.dfsg.1-2.1_i386.deb
0fb0f0067556a75f01da4c57113fe541a10153cf 1441552 kdelibs4-dev_3.5.10.dfsg.1-2.1_i386.deb
2641630f70d67eba1b2bfff4f231ffbd69d9d523 26850578 kdelibs-dbg_3.5.10.dfsg.1-2.1_i386.deb
Checksums-Sha256:
c9be2e68f7734afd36ad36dfd4e3922d621c9704f76ba6f7e74041a7344db979 2230 kdelibs_3.5.10.dfsg.1-2.1.dsc
f03c839ee8890787961411ec4ec8c31a7948946991c398f1532371c2ded52e15 657806 kdelibs_3.5.10.dfsg.1-2.1.diff.gz
7e54dae986afa8f82328d51912ddc4cbab3a3a70a8f7e9df9642c20994f399ab 30134 kdelibs_3.5.10.dfsg.1-2.1_all.deb
43f5de0902b43e8b5de42618c8a6dc0cf66a72fce0f631e176f33e281347f6f2 8718404 kdelibs-data_3.5.10.dfsg.1-2.1_all.deb
038fabef9b00af6b8807d1fb0ffdcb008a8b79ba9125757f9ba96570e6548f4f 26876690 kdelibs4-doc_3.5.10.dfsg.1-2.1_all.deb
e56fa11511f123272c152c9d52bee746713a845aff9ae221ec350a99f105abef 10306148 kdelibs4c2a_3.5.10.dfsg.1-2.1_i386.deb
0945488b45e9ee8733dcf81a31189515aac0fed0a27b15c882657c2bf8d7531d 1441552 kdelibs4-dev_3.5.10.dfsg.1-2.1_i386.deb
75b95353dd45a0e66b40333a0b19d26f4e3838602b782e4e499f2afb84030a30 26850578 kdelibs-dbg_3.5.10.dfsg.1-2.1_i386.deb
Files:
8f021af421cb2d1badfbf3fa43d1a38e 2230 libs optional kdelibs_3.5.10.dfsg.1-2.1.dsc
aa060ab549a04763ee2dec80282a3bb1 657806 libs optional kdelibs_3.5.10.dfsg.1-2.1.diff.gz
9ad9183442a86eae391cdae28d43e15a 30134 libs optional kdelibs_3.5.10.dfsg.1-2.1_all.deb
3a24f98d46d4f750e37ee00869f0605f 8718404 libs optional kdelibs-data_3.5.10.dfsg.1-2.1_all.deb
3f22d5422b42a0a87e1ed85135fae9d8 26876690 doc optional kdelibs4-doc_3.5.10.dfsg.1-2.1_all.deb
debfeb004c10df7412ca24e055186105 10306148 libs optional kdelibs4c2a_3.5.10.dfsg.1-2.1_i386.deb
4564cd5e347739081afa335d52fa4c5c 1441552 libdevel optional kdelibs4-dev_3.5.10.dfsg.1-2.1_i386.deb
60b143ce4e602840fc1bf96bb9fe274f 26850578 libdevel extra kdelibs-dbg_3.5.10.dfsg.1-2.1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkrVmYgACgkQNxpp46476aqOHwCdEzbBD4cG/QjWu4DWK0UuHzwM
c44An06wYnDYXL4LsQfZe1G1GryYwV/z
=I17X
-----END PGP SIGNATURE-----
Reply sent
to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility.
(Sat, 24 Oct 2009 20:12:04 GMT) (full text, mbox, link).
Notification sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer.
(Sat, 24 Oct 2009 20:12:04 GMT) (full text, mbox, link).
Message #24 received at 546212-close@bugs.debian.org (full text, mbox, reply):
Source: kdelibs
Source-Version: 4:3.5.5a.dfsg.1-8etch4
We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:
kdelibs-data_3.5.5a.dfsg.1-8etch4_all.deb
to pool/main/k/kdelibs/kdelibs-data_3.5.5a.dfsg.1-8etch4_all.deb
kdelibs-dbg_3.5.5a.dfsg.1-8etch4_i386.deb
to pool/main/k/kdelibs/kdelibs-dbg_3.5.5a.dfsg.1-8etch4_i386.deb
kdelibs4-dev_3.5.5a.dfsg.1-8etch4_i386.deb
to pool/main/k/kdelibs/kdelibs4-dev_3.5.5a.dfsg.1-8etch4_i386.deb
kdelibs4-doc_3.5.5a.dfsg.1-8etch4_all.deb
to pool/main/k/kdelibs/kdelibs4-doc_3.5.5a.dfsg.1-8etch4_all.deb
kdelibs4c2a_3.5.5a.dfsg.1-8etch4_i386.deb
to pool/main/k/kdelibs/kdelibs4c2a_3.5.5a.dfsg.1-8etch4_i386.deb
kdelibs_3.5.5a.dfsg.1-8etch4.diff.gz
to pool/main/k/kdelibs/kdelibs_3.5.5a.dfsg.1-8etch4.diff.gz
kdelibs_3.5.5a.dfsg.1-8etch4.dsc
to pool/main/k/kdelibs/kdelibs_3.5.5a.dfsg.1-8etch4.dsc
kdelibs_3.5.5a.dfsg.1-8etch4_all.deb
to pool/main/k/kdelibs/kdelibs_3.5.5a.dfsg.1-8etch4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 546212@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated kdelibs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 16 Oct 2009 08:57:21 +0200
Source: kdelibs
Binary: kdelibs4c2a kdelibs kdelibs4-doc kdelibs-dbg kdelibs-data kdelibs4-dev
Architecture: source i386 all
Version: 4:3.5.5a.dfsg.1-8etch4
Distribution: oldstable-security
Urgency: high
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description:
kdelibs - core libraries from the official KDE release
kdelibs-data - core shared data for all KDE applications
kdelibs-dbg - debugging symbols for kdelibs
kdelibs4-dev - development files for the KDE core libraries
kdelibs4-doc - developer documentation for the KDE core libraries
kdelibs4c2a - core libraries and binaries for all KDE applications
Closes: 546212
Changes:
kdelibs (4:3.5.5a.dfsg.1-8etch4) oldstable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fixed CVE-2009-2702: KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not
properly handle a '\0' character in a domain name in the Subject
Alternative Name field of an X.509 certificate, which allows
man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted
certificate issued by a legitimate Certification Authority (Closes: #546212)
Files:
430e1a184def8c61269ebd4236ecf902 1636 libs optional kdelibs_3.5.5a.dfsg.1-8etch4.dsc
616c29ec7f685e9b10c802eb6879d912 601207 libs optional kdelibs_3.5.5a.dfsg.1-8etch4.diff.gz
f4697ef70a2bc020b1c633c92981e81f 34648 libs optional kdelibs_3.5.5a.dfsg.1-8etch4_all.deb
a1326c3e10f4a1696b9d73115b417061 8607892 libs optional kdelibs-data_3.5.5a.dfsg.1-8etch4_all.deb
83be81e20b84b786c47a3351a3600c77 40162414 doc optional kdelibs4-doc_3.5.5a.dfsg.1-8etch4_all.deb
3bd6b5136465fbc6eb18f1112cbd3b58 9738260 libs optional kdelibs4c2a_3.5.5a.dfsg.1-8etch4_i386.deb
7ecda9b7973b7122035828d49c26864a 1380274 libdevel optional kdelibs4-dev_3.5.5a.dfsg.1-8etch4_i386.deb
63b27cabf41954b3b7d1f3a247d16573 26272380 libdevel extra kdelibs-dbg_3.5.5a.dfsg.1-8etch4_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkrYR44ACgkQNxpp46476aodxwCdEP49HQ+d6vdkWe4g0IutBTh7
sIsAn22CMGXCFaaYA6K4aei6Zh4lMPMU
=irNr
-----END PGP SIGNATURE-----
Bug 546212 cloned as bug 553209.
Request was from Helge Kreutzmann <debian@helgefjell.de>
to control@bugs.debian.org.
(Thu, 29 Oct 2009 18:36:05 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 27 Nov 2009 07:27:19 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:39:08 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon