Debian Bug report logs - #707776
kde4libs: CVE-2013-2074: prints passwords contained in HTTP URLs in error messages


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 11 May 2013 08:33:01 UTC

Severity: important

Tags: fixed-upstream, patch, security

Found in versions kde4libs/4:4.4.5-2+squeeze3, 4:4.8.4-4

Fixed in version 4:4.10.5-1

Done: "Lisandro Damián Nicanor Pérez Meyer" <perezmeyer@gmail.com>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.kde.org/show_bug.cgi?id=319428




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#707776; Package kde4libs. (Sat, 11 May 2013 08:33:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Sat, 11 May 2013 08:33:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: kde4libs: CVE-2013-2074: prints passwords contained in HTTP URLs in error messages
Date: Sat, 11 May 2013 10:30:54 +0200
Package: kde4libs
Version: 4:4.8.4-4
Severity: important
Tags: security patch
Control: forwarded -1 https://bugs.kde.org/show_bug.cgi?id=319428

Hi,

the following vulnerability was published for kde4libs.

CVE-2013-2074[0]:
prints passwords contained in HTTP URLs in error messages

The upstream bug report is [1], containing a patch [2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2074
    http://security-tracker.debian.org/tracker/CVE-2013-2074
[1] https://bugs.kde.org/show_bug.cgi?id=319428
[2] https://projects.kde.org/projects/kde/kdelibs/repository/revisions/65d736dab592bced4410ccfa4699de89f78c96ca/diff/kioslave/http/http.cpp

Please adjust the affected versions in the BTS as needed; the versions
in wheezy, testing and unstable look affected (oldstable and
experimental are not checked).

Regards,
Salvatore

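The failure mode behind CVE-2013-2074 is an error message built from the raw request URL, which carries any `user:password@` userinfo along with it. The following is an added C++ example, not kdelibs code and not the upstream patch at [2]: it places the unsafe message builder beside a hardened one that redacts the password component of the URL's authority before the URL is embedded in text that may be shown to the user or logged. The function names and sample URLs are constructed for illustration.

```cpp
#include <cassert>
#include <iostream>
#include <string>

// Added example (not kdelibs code): blank out the password in a URL's
// userinfo, i.e. the part between the first ':' and the '@' that ends the
// authority in  scheme://user:pass@host:port/path?query#fragment .
// Only the authority is inspected, so a literal '@' or ':' in the path,
// query or fragment is never mistaken for userinfo.
std::string redactUrlPassword(const std::string& url)
{
    const std::string sep = "://";
    std::string::size_type schemeEnd = url.find(sep);
    if (schemeEnd == std::string::npos)
        return url;                        // not a hierarchical URL; nothing to redact

    std::string::size_type authStart = schemeEnd + sep.size();
    std::string::size_type authEnd = url.find_first_of("/?#", authStart);
    if (authEnd == std::string::npos)
        authEnd = url.size();              // authority runs to the end of the string

    // userinfo, if present, ends at the last '@' inside the authority
    std::string::size_type at = url.rfind('@', authEnd);
    if (at == std::string::npos || at < authStart)
        return url;                        // no userinfo at all

    // the password starts after the first ':' of the userinfo; a ':' that
    // only appears after the '@' is the port separator, not a password
    std::string::size_type colon = url.find(':', authStart);
    if (colon == std::string::npos || colon > at)
        return url;                        // username only, nothing secret to hide

    return url.substr(0, colon + 1) + "xxxxx" + url.substr(at);
}

// Vulnerable pattern: the request URL goes into the message verbatim,
// credentials included (the shape of the bug reported above).
std::string errorMessageUnsafe(const std::string& url)
{
    return "Could not connect to " + url;
}

// Hardened pattern: redact before the URL reaches any user-visible text.
std::string errorMessageSafe(const std::string& url)
{
    return "Could not connect to " + redactUrlPassword(url);
}

int main()
{
    // constructed sample URL; the credentials are not real
    const std::string url = "https://alice:s3cr3t@example.com/private?token=abc";
    std::cout << errorMessageUnsafe(url) << '\n';   // leaks "s3cr3t"
    std::cout << errorMessageSafe(url)   << '\n';   // https://alice:xxxxx@example.com/...
    return 0;
}
```

Note the limits of this check: it redacts only the URL's own userinfo. Secrets carried in query parameters (for example a `redirect=http://u:p@host` argument, or an API token) are untouched and need their own treatment, and the redacted string is for display only, never for re-issuing the request.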


Set Bug forwarded-to-address to 'https://bugs.kde.org/show_bug.cgi?id=319428'. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 11 May 2013 08:33:06 GMT)


Marked as found in versions kde4libs/4:4.4.5-2+squeeze3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 11 May 2013 15:51:06 GMT)


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 16 May 2013 16:45:14 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#707776; Package kde4libs. (Sun, 25 Aug 2013 21:51:04 GMT)


Acknowledgement sent to Andrew Goodbody <ajg02@elfringham.co.uk>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Sun, 25 Aug 2013 21:51:04 GMT)


Message #16 received at 707776@bugs.debian.org:

From: Andrew Goodbody <ajg02@elfringham.co.uk>
To: 707776@bugs.debian.org
Subject: Why is 4.10.5 marked as vulnerable, fix was in 4.10.4?
Date: Sun, 25 Aug 2013 22:48:43 +0100
The upstream fixes mentioned in [1] appear to have gone into 4.10.4.
Looking at the Debian source [2] for the package in Sid, i.e. 4.10.5, shows
the fixes included.

So why does CVE-2013-2074 [3] show sid as vulnerable?


[1] https://bugs.kde.org/show_bug.cgi?id=319428
[2] http://sources.debian.net/src/kde4libs/4:4.10.5-1/kioslave/http/http.cpp
[3] https://security-tracker.debian.org/tracker/CVE-2013-2074



Reply sent to "Lisandro Damián Nicanor Pérez Meyer" <perezmeyer@gmail.com>:
You have taken responsibility. (Wed, 28 Aug 2013 02:12:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 28 Aug 2013 02:12:09 GMT)


Message #21 received at 707776-done@bugs.debian.org:

From: "Lisandro Damián Nicanor Pérez Meyer" <perezmeyer@gmail.com>
To: Andrew Goodbody <ajg02@elfringham.co.uk>, 707776-done@bugs.debian.org
Subject: Re: Bug#707776: Why is 4.10.5 marked as vulnerable, fix was in 4.10.4?
Date: Tue, 27 Aug 2013 23:08:47 -0300
Version: 4:4.10.5-1

On Sunday 25 August 2013 22:48:43 Andrew Goodbody wrote:
> The upstream fixes mentioned in [1] appear to have gone into 4.10.4.
> Looking at the Debian source [2] for the package in Sid, ie 4.10.5 shows
> the fixes included.
> 
> So why does CVE-2013-2074 [3] show sid as vulnerable?

Simply because no one properly closed this bug, which I'm doing now. We have 
lots of bugs and very few people for triaging them.

Thanks a lot for pointing this out. If you find more stuff like this, please
do not hesitate to communicate with us as in this case.

Regards, Lisandro.

-- 
"If I have been able to see farther, it was only because I stood on the
shoulders of giants"
 Sir Isaac Newton

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 25 Sep 2013 07:31:16 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:20:26 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.