security bug in kget

TEST CASE: download attached metalink file with kget. 4.4.2-0ubuntu4 will download to /tmp. 4.4.2-0ubuntu4.1 will complain that it's an invalid file and refuse to download

This code was rewritten in KDE Sc 4.4 and did not exist in previous versions of KDE so no patch needed for older Ubuntu versions as far as I know, will confirm with other distros.

Both debdiffs built and tested locally by me and successfully pass the above test case

 kdenetwork_4.4.2-0ubuntu4.1 uploaded to lucid-security

embargoed until Thursday 13th May 0900 UTC

Hmm, upload says "This upload queue does not permit SECURITY uploads."

Oh sorry-- yeah, we need to process the uploads. The debdiffs are enough. What versions are affected? Is it only lucid?

After discussing with other distros there is a smaller patch needed for kdenetwork 4.3 (karmic) and 4.2 (jaunty). Older versions are not supported by Kubuntu.

Testing now

All versions passed the test case.

Jamie please upload to -security tomorrow (Thursday) at 0900UTC

I'll upload the packages to backports.

This are in the security queue now and building. ACK the CRD. I'll test those builds tonight and push tomorrow at the CRD. Thanks for your work on this! :)

NEW RELEASE TIME

embargo lift time is now 1100UTC (1300 central europe) on Thursday 13th May. Please release at lunch time.

ACK

In testing this locally, I found that the original attached foo.metalink file was malformed beyond the directory traversal issue which after patching would fail, but not because of the directory traversal check. Attached is a properly formed metalink file excepting the directory traversal.

Here is a valid metalink file for testing that no regressions were added.

Argh the jaunty debdiff didn't update the series file so the patch didn't get applied during the build. I'm uploading now.

Verified updated jaunty package fixes the issue.

Upped the priority to High since startup files can be modified to execute arbitrary code, which could easily start a reverse shell.

NEW RELEASE TIME

embargo lift time is now 1200UTC (1400 central europe) on Thursday 13th May. Please release /after/ lunch time.

ACK

Unembargoed just now:
        Publishing kdenetwork 4:4.4.2-0ubuntu4.1 to lucid-security ...
        Publishing kdenetwork 4:4.3.2-0ubuntu4.1 to karmic-security ...
        Publishing kdenetwork 4:4.2.2-0ubuntu2.3 to jaunty-security ...

These will be live in the next publishing run (ie, it will all start at 12:05 UTC).

This bug was fixed in the package kdenetwork - 4:4.4.2-0ubuntu4.1

---------------
kdenetwork (4:4.4.2-0ubuntu4.1) lucid-security; urgency=low

  * SECURITY UPDATE: file name directory traversal attack (LP: #578856).
   - Add debian/patches/kubuntu_01_kget_CVE-2010-1000.diff
   - kget/ui/metalinkcreator/metalinker.cpp check filename is valid
   - kget/transfer-plugins/metalink/metalink.cpp if the dialog was not accepted untick every file, so that the download does not start
   - CVE-2010-1000, SA39528
 -- Jonathan Riddell <email address hidden> Tue, 11 May 2010 16:26:45 +0100

This bug was fixed in the package kdenetwork - 4:4.3.2-0ubuntu4.1

---------------
kdenetwork (4:4.3.2-0ubuntu4.1) karmic-security; urgency=low

  * SECURITY UPDATE: file name directory traversal attack (LP: #578856).
   - Add debian/patches/kubuntu_01_kget_CVE-2010-1000.diff
   - kget/ui/metalinkcreator/metalinker.cpp check filename is valid
   - CVE-2010-1000, SA39528
 -- Jonathan Riddell <email address hidden> Wed, 12 May 2010 10:19:09 +0100

This bug was fixed in the package kdenetwork - 4:4.2.2-0ubuntu2.3

---------------
kdenetwork (4:4.2.2-0ubuntu2.3) jaunty-security; urgency=low

  * SECURITY UPDATE: file name directory traversal attack (LP: #578856).
   - Add debian/patches/kubuntu_01_kget_CVE-2010-1000.diff
   - kget/ui/metalinkcreator/metalinker.cpp check filename is valid
   - CVE-2010-1000, SA39528
 -- Jonathan Riddell <email address hidden> Wed, 12 May 2010 10:25:53 +0100

Fixed in maverick.