[Bug 1178286] Re: Security advisory from KDE upstream
This bug was fixed in the package kde4libs - 4:4.8.5-0ubuntu0.2

---
kde4libs (4:4.8.5-0ubuntu0.2) precise-security; urgency=low

  * SECURITY UPDATE: information disclosure via error notifications
    - debian/patches/kubuntu_use_pretty_url.diff: update
      kioslave/http/http.cpp to use prettyUrl()
    - CVE-2013-2074
    - LP: #1178286

 -- Rohan Garg  Thu, 09 May 2013 16:36:38 +0100

** Changed in: kde4libs (Ubuntu Precise)
       Status: Fix Committed => Fix Released

** Changed in: kde4libs (Ubuntu Quantal)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1178286

Title:
  Security advisory from KDE upstream

To manage notifications about this bug go to:
https://bugs.launchpad.net/kdelibs/+bug/1178286/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1178286] Re: Security advisory from KDE upstream
This bug was fixed in the package kde4libs - 4:4.9.5-0ubuntu0.2

---
kde4libs (4:4.9.5-0ubuntu0.2) quantal-security; urgency=low

  * SECURITY UPDATE: information disclosure via error notifications
    - debian/patches/kubuntu_use_pretty_url.diff: update
      kioslave/http/http.cpp to use prettyUrl()
    - CVE-2013-2074
    - LP: #1178286

 -- Rohan Garg  Thu, 09 May 2013 17:04:18 +0100

** Changed in: kde4libs (Ubuntu Raring)
       Status: Fix Committed => Fix Released
[Bug 1178286] Re: Security advisory from KDE upstream
This bug was fixed in the package kde4libs - 4:4.10.2-0ubuntu2.2

---
kde4libs (4:4.10.2-0ubuntu2.2) raring-security; urgency=low

  * SECURITY UPDATE: information disclosure via error notifications
    - debian/patches/kubuntu_use_pretty_url.diff: update
      kioslave/http/http.cpp to use prettyUrl()
    - CVE-2013-2074
    - LP: #1178286

 -- Jamie Strandboge  Tue, 28 May 2013 16:12:34 -0500
[Bug 1178286] Re: Security advisory from KDE upstream
Thanks a lot Jamie :)

--
You received this bug notification because you are a member of Kubuntu
Bugs, which is subscribed to kde4libs in Ubuntu.
https://bugs.launchpad.net/bugs/1178286

Title:
  Security advisory from KDE upstream

To manage notifications about this bug go to:
https://bugs.launchpad.net/kdelibs/+bug/1178286/+subscriptions

--
kubuntu-bugs mailing list
kubuntu-b...@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1178286] Re: Security advisory from KDE upstream
** Changed in: kde4libs (Ubuntu Precise)
       Status: Confirmed => Fix Committed

** Changed in: kde4libs (Ubuntu Quantal)
       Status: Confirmed => Fix Committed

** Changed in: kde4libs (Ubuntu Raring)
       Status: Confirmed => Fix Committed
[Bug 1178286] Re: Security advisory from KDE upstream
Thanks for the debdiffs! They are mostly fine, but I have a couple of comments:

* they only mention one of the commits in the patch headers. The code itself has both 898135a59d91184692ed1bcee8bb4c6d80d6f7b9 and 65d736dab592bced4410ccfa4699de89f78c96ca, but the patch headers only list 65d736dab592bced4410ccfa4699de89f78c96ca.
* the precise debdiff needed to have the patch refreshed
* the raring debdiff does not properly apply because there is no trailing newline
* while not required, typically the patch will include the CVE number. I.e., instead of kubuntu_use_pretty_url.diff you might use CVE-2013-2074.diff
* the changelog does not use the format as described in https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging

E.g., a properly formatted changelog entry for -security might be:

kde4libs (4:4.9.5-0ubuntu0.2) quantal-security; urgency=low

  * SECURITY UPDATE: information disclosure via error notifications
    - debian/patches/kubuntu_use_pretty_url.diff: update
      kioslave/http/http.cpp to use prettyUrl()
    - CVE-2013-2074
    - LP: #1178286

I've gone ahead and fixed these issues and uploaded. Thanks again!
[Bug 1178286] Re: Security advisory from KDE upstream
** Changed in: kde4libs (Ubuntu Precise)
       Status: New => Confirmed

** Changed in: kde4libs (Ubuntu Quantal)
       Status: New => Confirmed

** Changed in: kde4libs (Ubuntu Raring)
       Status: New => Confirmed
[Bug 1178286] Re: Security advisory from KDE upstream
Updated patch for Precise

** Patch added: "precise.diff"
   https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/+attachment/3685998/+files/precise.diff
[Bug 1178286] Re: Security advisory from KDE upstream
Updated patch for Quantal

** Patch added: "quantal.diff"
   https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/+attachment/3685997/+files/quantal.diff
[Bug 1178286] Re: Security advisory from KDE upstream
Updated patch for raring

** Patch removed: "oneiric.diff"
   https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/+attachment/3671274/+files/oneiric.diff

** Patch removed: "precise.diff"
   https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/+attachment/3671275/+files/precise.diff

** Patch removed: "quantal.diff"
   https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/+attachment/3671276/+files/quantal.diff

** Patch removed: "raring.diff"
   https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/+attachment/3671277/+files/raring.diff

** Patch added: "raring.diff"
   https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/+attachment/3685996/+files/raring.diff
[Bug 1178286] Re: Security advisory from KDE upstream
** Information type changed from Private Security to Public Security
[Bug 1178286] Re: Security advisory from KDE upstream
Maybe the changelog needs to be edited a bit before uploading, but the gist of the issue is that the user's password is shown in the notification.
[Bug 1178286] Re: Security advisory from KDE upstream
Patch for raring

** Patch added: "raring.diff"
   https://bugs.launchpad.net/kdelibs/+bug/1178286/+attachment/3671277/+files/raring.diff
[Bug 1178286] Re: Security advisory from KDE upstream
Patch for Quantal

** Patch added: "quantal.diff"
   https://bugs.launchpad.net/kdelibs/+bug/1178286/+attachment/3671276/+files/quantal.diff
[Bug 1178286] Re: Security advisory from KDE upstream
Patch for precise

** Patch added: "precise.diff"
   https://bugs.launchpad.net/kdelibs/+bug/1178286/+attachment/3671275/+files/precise.diff
[Bug 1178286] Re: Security advisory from KDE upstream
Patch for oneiric

** Patch added: "oneiric.diff"
   https://bugs.launchpad.net/kdelibs/+bug/1178286/+attachment/3671274/+files/oneiric.diff
[Bug 1178286] Re: Security advisory from KDE upstream
** Patch removed: "precise.diff"
   https://bugs.launchpad.net/kdelibs/+bug/1178286/+attachment/3671166/+files/precise.diff
[Bug 1178286] Re: Security advisory from KDE upstream
Patch for Oneiric
[Bug 1178286] Re: Security advisory from KDE upstream
Diff for precise

** Patch added: "precise.diff"
   https://bugs.launchpad.net/kdelibs/+bug/1178286/+attachment/3671166/+files/precise.diff

** Patch removed: "oneiric.diff"
   https://bugs.launchpad.net/kdelibs/+bug/1178286/+attachment/3671152/+files/oneiric.diff
[Bug 1178286] Re: Security advisory from KDE upstream
Patch for oneiric

** Patch added: "oneiric.diff"
   https://bugs.launchpad.net/kdelibs/+bug/1178286/+attachment/3671152/+files/oneiric.diff
[Bug 1178286] Re: Security advisory from KDE upstream
Launchpad has imported 9 comments from the remote bug at https://bugs.kde.org/show_bug.cgi?id=319428.

If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2013-05-06T20:06:29+00:00 M-wege wrote:

I just received a notification from the resource which read "internal server error" and the url https://username:passw...@serveradress.com/remote.php.carddav... I believe it is not a good idea to have a password in a notification.

Reproducible: Always

Reply at: https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/comments/0

------------------------------------------------------------------------
On 2013-05-07T14:02:45+00:00 Winter-s wrote:

Somewhere a message is using url() rather than prettyUrl(), but so far I haven't had any luck finding where in the code. Maybe another set of eyes will have more luck. Should be an easy fix once we find the offending text.

Reply at: https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/comments/1

------------------------------------------------------------------------
On 2013-05-07T17:10:42+00:00 Montel-3 wrote:

We need a screenshot or exact error message to find it.

Reply at: https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/comments/2

------------------------------------------------------------------------
On 2013-05-07T21:19:16+00:00 M-wege wrote:

Is there a way to provoke a connection error? It doesn't work when just disconnecting the internet. The cause must have been on the server side, so I will only see the message again when I can fake a server error or it happens again.

Reply at: https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/comments/3

------------------------------------------------------------------------
On 2013-05-08T20:01:57+00:00 Greg-xrvasas wrote:

I think this was introduced by 649a97d08771020a4e5151bbc041e82405f5841c, at least that's the only commit I can think of that touched the error messages. If true, there are some chances that the issue comes from KIO.

Reply at: https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/comments/4

------------------------------------------------------------------------
On 2013-05-08T20:14:48+00:00 Greg-xrvasas wrote:

Looks like the source is in kdelibs/kioslave/http/http.cpp:3059, where url() is used instead of prettyUrl() as the error message. Do you think this can go into kdelibs for 4.10.4?

Reply at: https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/comments/5

------------------------------------------------------------------------
On 2013-05-08T20:57:40+00:00 Winter-s wrote:

Yes please. Looks like changing that line to use m_request.url.host() might be the correct solution. In fact, once this is fixed I'll send a note to the packagers that they might want to hotpatch their 4.10.3 releases.

Reply at: https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/comments/6

------------------------------------------------------------------------
On 2013-05-08T21:13:39+00:00 Greg-xrvasas wrote:

(In reply to comment #6)
> looks like changing that line to use m_request.url.host() might be the
> correct solution.

Having the full URL that triggered this error would help finding the issue, so I'm not certain that just keeping the hostname would be satisfying to most users. As for the usage of this string, there's a new line between 'Internal error in server' and the error text, which makes me doubt that %1 stands for the hostname in the full message. Otherwise, looking around this line, m_request.url.url() is also used in the same way (lines 3075 and 3077). I'll also replace those with prettyUrl().

Reply at: https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/comments/7

------------------------------------------------------------------------
On 2013-05-08T21:38:57+00:00 Greg-xrvasas wrote:

Git commit 65d736dab592bced4410ccfa4699de89f78c96ca by Grégory Oestreicher.
Committed on 08/05/2013 at 23:16.
Pushed by goestreicher into branch 'KDE/4.10'.

Don't show passwords contained in HTTP URLs in error messages

M  +3    -3    kioslave/http/http.cpp

http://commits.kde.org/kdelibs/65d736dab592bced4410ccfa4699de89f78c96ca

Reply at: https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/comments/8

** Changed in: kdelibs
       Status: Unknown => Fix Released

** Changed in: kdelibs
   Importance: Unknown => Medium
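The fix discussed in the imported comments (error text built from url() replaced by prettyUrl(), so the password in the URL's userinfo part no longer reaches the notification) can be shown without Qt. The block below is an added example, not kdelibs or Ubuntu package code: redactPassword() and internalServerErrorMessage() are names of my own, the message text is constructed, and keeping the username while dropping only the password is an assumption about what KUrl::prettyUrl() does.

```cpp
// Added example (not kdelibs code): approximates the effect of switching
// from KUrl::url() to KUrl::prettyUrl() in kioslave/http/http.cpp, i.e.
// the password part of the URL is removed before the URL is embedded in
// a user-visible error message. Plain std::string, no Qt/KDE dependency.
#include <cstddef>
#include <iostream>
#include <string>

// Return the URL with any ":password" removed from the userinfo part.
// The username is kept (assumption about KUrl::prettyUrl() behaviour).
std::string redactPassword(const std::string& url) {
    const std::size_t schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos) {
        return url;  // not a hierarchical URL, nothing to redact
    }
    const std::size_t authorityStart = schemeEnd + 3;
    // The authority ends at the first path, query or fragment delimiter;
    // an '@' after that point is path data, not userinfo.
    std::size_t authorityEnd = url.find_first_of("/?#", authorityStart);
    if (authorityEnd == std::string::npos) {
        authorityEnd = url.size();
    }
    // Userinfo, if present, ends at the last '@' inside the authority.
    const std::size_t at = url.rfind('@', authorityEnd);
    if (at == std::string::npos || at < authorityStart) {
        return url;  // no userinfo at all
    }
    // The password starts at the first ':' inside the userinfo. A ':'
    // after the '@' belongs to the port and must be left alone.
    const std::size_t colon = url.find(':', authorityStart);
    if (colon == std::string::npos || colon > at) {
        return url;  // username only, no password to drop
    }
    // Drop everything from the ':' up to (but excluding) the '@'.
    return url.substr(0, colon) + url.substr(at);
}

// Build the notification text the way the fixed code does: the URL is
// redacted first, so a password embedded in it is never displayed.
std::string internalServerErrorMessage(const std::string& requestUrl) {
    return "Internal error in server\n" + redactPassword(requestUrl);
}

int main() {
    // Constructed sample URL in the shape reported in the bug.
    const std::string url =
        "https://username:secret@example.com/remote.php/carddav";
    std::cout << internalServerErrorMessage(url) << '\n';
    return 0;
}
```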
[Bug 1178286] Re: Security advisory from KDE upstream
** Tags added: kubuntu