6169480 2001-03-03 15:27 -0500  /73 lines/ Bill Soudan <wes0472@RIT.EDU>
Sent by: joel@lysator.liu.se
Imported: 2001-03-05  00:05  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: wes0472@RIT.EDU
Recipient: Bugtraq (import) <15731>
Comment on text 6095854 by Marc Roessler <marc@TENTACLE.FRANKEN.DE>
Subject: Re: Security hole in kicq
------------------------------------------------------------
From: Bill Soudan <wes0472@RIT.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.30.0103031522030.1058-100000@quigley.soudan.net>

On Wed, 14 Feb 2001, Marc Roessler wrote:

> there is some security related problem with kicq.
> The authors were contacted and provided with a suggestion for a patch
> which should be available soon.
> I did not find anything on the archive on this, so here we go.
>
> kicq is a free icq client clone available at http://kicq.sourceforge.net/.
> Unfortunately, received (untrusted!) URLs are passed via system() to the
> specified web browser (standard is kfmclient) without any sanity checking.
> The only user action needed for this is to click "Open" in a popup menu.
>
> I tried with version 1.0.0; it is vulnerable for sure.
> Other versions (such as 2.0.0b1) seem to be vulnerable as well,
> though I did not compile them to try.
>
> Details:
>
> The problem is in file kicq/utils/kwebbrowser.cpp. For example:
>
> 	system(QString("kfmclient openURL '" + URL + "' &").latin1());
>
> Other browsers (netscape, lynx, wget) are called similarly; this needs
> to be patched as well.

This has been corrected in the current CVS, which will be the base
for the next release of KICQ.  I've attached the relevant ChangeLog
message.

Special thanks go to Bernhard Rosenkraenzer (bero@redhat.de) for
going out of his way to correct the problem for us!

Thanks,
Bill

---

2000-03-03  Bill Soudan  <soudan@kde.org>

        Sync with version in kdenonbeta - merge commits by non-kicq
        developers from initial checkin until today.

        * Makefile.am: merge from kdenonbeta: coolo -
        let's give kicq a real messages file

        * kicq/contactlist/contactlist.cpp: merge from kdenonbeta:
        faure - 0 is NOT a valid QString

        * kicq/main/mainwindow.cpp: merge from kdenonbeta: faure -
        don't crash on startup

        * kicq/utils/kwebbrowser.cpp, kicq/utils/kwebbrowser.h:
        merge from kdenonbeta: bero - Fix potential security problem
        (people could execute commands by sending malformed URLs)

        * kicq/utils/kwebbrowser.cpp: merge from kdenonbeta: bero -
        Fix my recent fix

        * kicq/utils/kwebbrowser.cpp: merge from kdenonbeta: bero -
        Fix wget invocation. Don't ever invoke a browser through a shell,
        not even with 'URL'; think of the URL ';rm -rf ~/*

        * kicq/messageurl/msgwindow.cpp: quote all messages now,
        not just latin1 messages (partial merge from dys -
        non-latin1 fixes by Stephan Kalichkin...)

        * kicq/icqlib/kicqlibmanager.cpp: icq_SetTimeout(0) now
        stops timer
(6169480) --------------------------------(Rewrapped)
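The quoting problem described in the advisory and the shell-free launch the ChangeLog calls for, as an added example that is not kicq's code (plain C++ instead of Qt; the function names are hypothetical, only "kfmclient" and "openURL" come from the post):

```cpp
#include <cstring>
#include <string>
#include <vector>
#include <unistd.h>

// Added example, not kicq code; function names are hypothetical.

// Vulnerable pattern from the advisory: the received URL is spliced into a shell
// command line and only wrapped in single quotes.
std::string buildShellCommand(const std::string& url) {
    return "kfmclient openURL '" + url + "' &";
}

// Why the quoting fails: a single quote inside the URL closes the quoted region,
// so whatever follows is parsed by the shell as further commands.
bool breaksOutOfQuotes(const std::string& url) {
    return url.find('\'') != std::string::npos;
}
// Defensive check before launching anything: allow only browser schemes and
// reject control characters and whitespace.
bool isAcceptableUrl(const std::string& url) {
    static const char* const schemes[] = {"http://", "https://", "ftp://"};
    bool schemeOk = false;
    for (const char* s : schemes)
        if (url.compare(0, std::strlen(s), s) == 0) schemeOk = true;
    if (!schemeOk) return false;
    for (unsigned char c : url)
        if (c <= 0x20 || c >= 0x7f) return false;
    return true;
}

// Fixed pattern (what the ChangeLog calls for): exec the browser directly with the
// URL as one argv element, so no shell ever interprets it.
std::vector<std::string> buildArgv(const std::string& browser, const std::string& url) {
    return {browser, "openURL", url};
}
bool openUrlNoShell(const std::string& browser, const std::string& url) {
    if (!isAcceptableUrl(url)) return false;
    std::vector<std::string> args = buildArgv(browser, url);
    std::vector<char*> argv;
    for (std::string& a : args) argv.push_back(&a[0]);
    argv.push_back(nullptr);
    pid_t pid = fork();
    if (pid < 0) return false;
    if (pid == 0) {            // child: become the browser; never fall back to a shell
        execvp(argv[0], argv.data());
        _exit(127);
    }
    return true;               // parent: reap the child via SIGCHLD/waitpid elsewhere
}
```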