Debian Bug report logs - #839865
kde-cli-tools: CVE-2016-7787


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 5 Oct 2016 19:51:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version kde-cli-tools/4:5.7.4-1

Fixed in version kde-cli-tools/4:5.8.0-1

Done: Maximiliano Curia <maxy@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#839865; Package src:kde-cli-tools. (Wed, 05 Oct 2016 19:51:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Wed, 05 Oct 2016 19:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: kde-cli-tools: CVE-2016-7787
Date: Wed, 05 Oct 2016 21:48:58 +0200
Source: kde-cli-tools
Version: 4:5.7.4-1
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for kde-cli-tools.

CVE-2016-7787[0]:
kdesu: Displayed command truncated by unicode string terminator

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-7787
[1] https://www.kde.org/info/security/advisory-20160930-1.txt

Please adjust the affected versions in the BTS as needed. I'm not sure
if kde-runtime is as well affected (it looks source wise, since the
same file can be patched).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#839865; Package src:kde-cli-tools. (Thu, 06 Oct 2016 00:33:03 GMT)


Acknowledgement sent to Balint Reczey <balint@balintreczey.hu>:
Extra info received and forwarded to list. Copy sent to Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Thu, 06 Oct 2016 00:33:03 GMT)


Message #10 received at 839865@bugs.debian.org:

From: Balint Reczey <balint@balintreczey.hu>
To: 839865@bugs.debian.org
Subject: Re: kde-cli-tools: CVE-2016-7787
Date: Thu, 6 Oct 2016 02:31:33 +0200
On Wed, 05 Oct 2016 21:48:58 +0200 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Hi,
> 
> the following vulnerability was published for kde-cli-tools.
> 
> CVE-2016-7787[0]:
> kdesu: Displayed command truncated by unicode string terminator
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-7787
> [1] https://www.kde.org/info/security/advisory-20160930-1.txt
> 
> Please adjust the affected versions in the BTS as needed. I'm not sure
> if kde-runtime is as well affected (it looks source wise, since the
> same file can be patched).

It seems both Jessie and Wheezy are affected in some way.
Both show the command in the dialog, but on my vagrant VM installations
the string terminator was not interpreted on Wheezy, just on Jessie.

Test command: kdesudo ls $(printf 'aa\u9chidden')

On Jessie it shows the following dialog:
+-----------------------------------------------------------------------
|  ls aa[]hidden needs administrative privileges. Please enter your
|  password.
|
| Command ls aa
| Password:|
| OK Cancel
+-----------------------------------------------------------------------
Thus the string terminator takes effect only once.

On Wheezy the dialog looks like this:
+-----------------------------------------------------------------------
|  ls aa[?]hidden needs administrative privileges. Please enter your
|  password.
|
| Command ls aa[?]hidden
| Password:|
| OK Cancel
+-----------------------------------------------------------------------


[],[?] - block showing unknown unicode character

Cheers,
Balint
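
An added example, in Python, that is not code from kde-cli-tools, from KDE's fix, or from anyone in this thread. It takes the argv that Balint's test command produces (`ls` plus the argument `aa` + U+009C + `hidden`; U+009C is the C1 STRING TERMINATOR control), simulates a prompt that stops rendering at that character, and shows the hardening a privilege prompt needs: every control, format or separator code point is escaped into a visible form before display, so the text the user approves is the text that runs. The `naive_display` function is an assumed simulation of the truncation in the report, not Qt's rendering code, and `escape_for_display` is the editor's suggested check, not KDE's patch; it deliberately covers more than U+009C (bidi overrides such as U+202E and zero-width characters), because those disguise a displayed command in the same way.

```python
import unicodedata

# Constructed sample: the argv produced by the test command in the report,
#   kdesudo ls $(printf 'aa\u9chidden')
SAMPLE_ARGV = ["ls", "aa\u009chidden"]

# C1 STRING TERMINATOR; a renderer that honours it stops drawing text here.
STRING_TERMINATOR = "\u009c"


def naive_display(argv):
    """Assumed simulation of the vulnerable prompt (not Qt code): join argv
    with spaces and show everything up to the first string terminator."""
    text = " ".join(argv)
    cut = text.find(STRING_TERMINATOR)
    return text if cut < 0 else text[:cut]


def hidden_suffix(argv):
    """The part of the real command that the naive prompt never shows,
    i.e. what the user would approve without seeing it."""
    full = " ".join(argv)
    shown = naive_display(argv)
    return full[len(shown):]


def is_unsafe_for_display(ch):
    """Code points that can truncate, reorder or hide displayed text:
    controls (Cc, which includes U+0000-U+001F and U+007F-U+009F), format
    characters (Cf: bidi overrides, zero-width joiners, ...), line and
    paragraph separators (Zl, Zp), surrogates and unassigned code points."""
    return unicodedata.category(ch) in ("Cc", "Cf", "Zl", "Zp", "Cs", "Cn")


def escape_for_display(s):
    """Replace each unsafe code point with a visible \\u{XXXX} escape."""
    out = []
    for ch in s:
        if is_unsafe_for_display(ch):
            out.append("\\u{%04X}" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def quote_arg(a):
    """Shell-style single quoting so argument boundaries stay visible."""
    if a and all(c.isalnum() or c in "-_./=:" for c in a):
        return a
    return "'" + a.replace("'", "'\\''") + "'"


def safe_display(argv):
    """Render the command the way a privilege prompt should: each argument
    escaped and quoted separately, so nothing in argv can hide or merge."""
    return " ".join(quote_arg(escape_for_display(a)) for a in argv)


if __name__ == "__main__":
    print("naive :", naive_display(SAMPLE_ARGV))   # ls aa
    print("hidden:", repr(hidden_suffix(SAMPLE_ARGV)))
    print("safe  :", safe_display(SAMPLE_ARGV))    # ls 'aa\u{009C}hidden'
```

Escaping into a visible form rather than deleting the offending characters is the point: silently stripping U+009C would show `ls aahidden`, which is still not the command that runs, whereas the escape makes the tampering itself visible to the person typing the password.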



Reply sent to Maximiliano Curia <maxy@debian.org>:
You have taken responsibility. (Fri, 07 Oct 2016 13:09:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 07 Oct 2016 13:09:05 GMT)


Message #15 received at 839865-close@bugs.debian.org:

From: Maximiliano Curia <maxy@debian.org>
To: 839865-close@bugs.debian.org
Subject: Bug#839865: fixed in kde-cli-tools 4:5.8.0-1
Date: Fri, 07 Oct 2016 13:05:08 +0000
Source: kde-cli-tools
Source-Version: 4:5.8.0-1

We believe that the bug you reported is fixed in the latest version of
kde-cli-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 839865@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Maximiliano Curia <maxy@debian.org> (supplier of updated kde-cli-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 07 Oct 2016 14:02:03 +0200
Source: kde-cli-tools
Binary: kde-cli-tools kde-cli-tools-data
Architecture: source
Version: 4:5.8.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Maximiliano Curia <maxy@debian.org>
Description:
 kde-cli-tools - tools to use KDE services from the command line
 kde-cli-tools-data - tools to use kioslaves from the command line
Closes: 839865
Changes:
 kde-cli-tools (4:5.8.0-1) unstable; urgency=medium
 .
   [ Automatic packaging ]
   * Update build-deps and deps with the info from cmake
 .
   [ Harald Sitter ]
   * bdep on pkg-config as per upstream cmake checks
 .
   [ Maximiliano Curia ]
   * New upstream release. (Closes: #839865)
     - Fixes CVE-2016-7787
       https://security-tracker.debian.org/tracker/CVE-2016-7787
   * Replace dbus-launch with dbus-run-session in tests
   * Bump group breaks (5.8)
Checksums-Sha1:
 a0c5c6da6214b8403d9daa86abb1b8ce95e1124c 2668 kde-cli-tools_5.8.0-1.dsc
 3534e52c97f2f7eaa433d262e9d9ded503863aa1 485448 kde-cli-tools_5.8.0.orig.tar.xz
 ae06e13b7d001badf1e1cda0f81198459d1d6c19 6840 kde-cli-tools_5.8.0-1.debian.tar.xz
Checksums-Sha256:
 15e067e458c8d3bde4cb8bd871602683ce47437757b369903b306799d5bdc56b 2668 kde-cli-tools_5.8.0-1.dsc
 8561295ef8892d947a91b25cb4cddbb6c5cc40b39657a6cfc6fe4cfd98e728a6 485448 kde-cli-tools_5.8.0.orig.tar.xz
 1b0f47d555713fb7bcc18f6793252bd51bd6286009e2f8104b211dc528c17cee 6840 kde-cli-tools_5.8.0-1.debian.tar.xz
Files:
 7a45715acedcdb2227302e52d48d4d57 2668 utils optional kde-cli-tools_5.8.0-1.dsc
 bbd1e8fbb1965b2675d787b6dcfedafe 485448 utils optional kde-cli-tools_5.8.0.orig.tar.xz
 e4b0364c9d8659e4d567c6048557c104 6840 utils optional kde-cli-tools_5.8.0-1.debian.tar.xz





Bug 839865 cloned as bug 842498. Request was from Bálint Réczey <balint@balintreczey.hu> to control@bugs.debian.org. (Sat, 29 Oct 2016 17:36:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 10:21:19 GMT)


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:58:54 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Jan 2017 10:33:13 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:25:28 2019; Machine Name: beach
