From bastian@kde.org Sat Jan 22 16:45:02 2005 From: Waldo Bastian To: bugtraq@securityfocus.com Date: Fri, 21 Jan 2005 16:31:20 +0100 Subject: KDE Security Advisory: Multiple vulnerabilities in Konversation KDE Security Advisory: Multiple vulnerabilities in Konversation Original Release Date: 20050121 URL: http://www.kde.org/info/security/advisory-20050121-1.txt 0. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0129 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0130 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0131 http://lists.netsys.com/pipermail/full-disclosure/2005-January/031033.html 1. Systems affected: All Konversation versions up to and including 0.15 2. Overview: Multiple vulnerabilities have been discovered in Konversation, an IRC client for KDE. A flaw in the expansion of %-escaped variables makes that %-escaped variables in certain input strings will be inadvertently expanded too. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0129 to this issue. Several perl scripts included with Konversation fail to properly handle command line arguments causing a command line injection vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0130 to this issue. Nick and password are confused in the quick connection dialog, so connecting with that dialog and filling in a password, would use that password as nick, and may inadvertently expose the password to others. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0131 to this issue. 3. Impact: A user might be tricked to join a channel with a specially crafted channel name containing shell commands. If user runs a script in that channel it will result in an arbitrary command execution. If quick connect is used with a password, the password is used as nickname instead. As a result the password may be exposed to others. 4. Solution: Upgrade to Konversation 0.15.1 available from http://download.berlios.de/konversation/konversation-0.15.1.tar.bz2 5. Patch: A patch for Konversation 0.15 is available from ftp://ftp.kde.org/pub/kde/security_patches 36f8b6beac18a9d173339388d13e2335 post-0.15-konversation.diff 6. Time line and credits: 18/01/2005 Konversation developers informed by Wouter Coekaerts 19/01/2005 Patches applied to KDE CVS. 19/01/2005 Konversation 0.15.1 released. 21/01/2005 KDE Security Advisory released. [ Part 2, Application/PGP-SIGNATURE 196bytes. ] [ Unable to print this part. ]