Debian Bug report logs - #503401
try to start command via irc:// handler


Package: kvirc; Maintainer for kvirc is Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>; Source for kvirc is src:kvirc.

Reported by: Jan Wagner <waja@cyconet.org>

Date: Sat, 25 Oct 2008 17:03:01 UTC

Severity: serious

Tags: security

Found in version kvirc/2:3.4.0-1

Fixed in version kvirc/2:3.4.0-3

Done: Raúl Sánchez Siles <rasasi78@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#503401; Package kvirc. (Sat, 25 Oct 2008 17:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Jan Wagner <waja@cyconet.org>:
New Bug report received and forwarded. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Sat, 25 Oct 2008 17:03:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jan Wagner <waja@cyconet.org>
To: submit@bugs.debian.org
Cc: security@debian.org
Subject: try to start command via irc:// handler
Date: Sat, 25 Oct 2008 19:00:28 +0200
Package: kvirc
Version: 3.4.0
Severity: serious
Tags: security

--- Please enter the report below this line. ---

There is an exploit outside which tries to start commands via irc handler. 
Dunno if there are older versions which are also vuln. Maybe you will also adjust 
the severity.

http://www.milw0rm.com/exploits/6832

With kind regards, Jan.
-- 
Never write mail to <waja@spamfalle.info>, you have been warned!

Information forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#503401; Package kvirc. (Sat, 25 Oct 2008 22:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Mark Purcell <msp@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Sat, 25 Oct 2008 22:30:03 GMT) (full text, mbox, link).


Message #10 received at 503401@bugs.debian.org (full text, mbox, reply):

From: Mark Purcell <msp@debian.org>
To: Jan Wagner <waja@cyconet.org>, 503401-submitter@bugs.debian.org
Cc: 503401@bugs.debian.org
Subject: Re: [Pkg-kde-extras] Bug#503401: try to start command via irc:// handler
Date: Sun, 26 Oct 2008 09:27:25 +1100
On Sunday 26 October 2008 04:00:28 Jan Wagner wrote:
> There is an exploit outside which tries to start commands via irc handler.
> Dunno if there are older versions which are also vuln. Maybe you will also
> adjust the severity.

Jan,

Are you referring to this old report, or is this a new exploit?

https://bugs.launchpad.net/ubuntu/+source/kvirc/+bug/123037

Mark




Message sent on to Jan Wagner <waja@cyconet.org>:
Bug#503401. (Sat, 25 Oct 2008 22:30:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#503401; Package kvirc. (Sat, 25 Oct 2008 23:12:03 GMT) (full text, mbox, link).


Acknowledgement sent to Raúl Sánchez Siles <rasasi78@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Sat, 25 Oct 2008 23:12:03 GMT) (full text, mbox, link).


Message #18 received at 503401@bugs.debian.org (full text, mbox, reply):

From: Raúl Sánchez Siles <rasasi78@gmail.com>
To: 503401@bugs.debian.org
Subject: More info about the exploit. Current status.
Date: Sun, 26 Oct 2008 01:08:48 +0200
  Hello All:

  Jan, thanks a lot for this bug report. Indeed the problem is present in 
3.4.0 but not in 3.4.2. Unfortunately, 3.4.2 was not released in time to 
include it in Lenny.

  A fix was applied meanwhile: https://svn.kvirc.de/kvirc/changeset/1997 
fixing a bug, https://svn.kvirc.de/kvirc/ticket/97 which apparently was a 
different problem and wasn't tagged as too serious.

  Anyway, this bug just applies in the case that kvirc would be the default 
irc handler. So far, I think this is not the case in Debian, possibly due to 
another bug. I'm still researching how this bug affects Debian and its 
severity. Up to now I haven't seen anything strange, but I guess I'm not 
triggering the bug yet.

  Having said this, I'm working on a patch for the bug, which I hope could be 
uploaded soon.

  Thanks.
-- 
     Raúl Sánchez Siles
----->Proud Debian user<-----
Linux registered user #416098

Information stored :
Bug#503401; Package kvirc. (Sun, 26 Oct 2008 17:30:04 GMT) (full text, mbox, link).


Acknowledgement sent to Jan Wagner <waja@cyconet.org>:
Extra info received and filed, but not forwarded. (Sun, 26 Oct 2008 17:30:04 GMT) (full text, mbox, link).


Message #23 received at 503401-quiet@bugs.debian.org (full text, mbox, reply):

From: Jan Wagner <waja@cyconet.org>
To: Mark Purcell <msp@debian.org>, 503401-quiet@bugs.debian.org
Subject: Re: Bug#503401: [Pkg-kde-extras] Bug#503401: try to start command via irc:// handler
Date: Sun, 26 Oct 2008 19:28:29 +0200
Hi Mark,

On Sunday 26 October 2008 00:27, Mark Purcell wrote:
> Are you referring to this old report, or is this a new exploit?
>
> https://bugs.launchpad.net/ubuntu/+source/kvirc/+bug/123037

Maybe ... I didn't have a deeper look into the issue, I just saw the issue 
popping up on the kvirc mailing list[1], which I'm subscribed to because I run 
some infrastructure of the kvirc project. I'm not using kvirc for myself 
(since many years).
While following the thread, I think it may be an old issue, even if the exploit 
states it's valid for 3.4.0.

With kind regards, Jan.
[1] http://lists.omnikron.net/pipermail/kvirc/2008-October/000615.html
-- 
Never write mail to <waja@spamfalle.info>, you have been warned!

Information forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#503401; Package kvirc. (Sun, 26 Oct 2008 20:57:07 GMT) (full text, mbox, link).


Acknowledgement sent to Mark Purcell <msp@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Sun, 26 Oct 2008 20:57:07 GMT) (full text, mbox, link).


Message #28 received at 503401@bugs.debian.org (full text, mbox, reply):

From: Mark Purcell <msp@debian.org>
To: Jan Wagner <waja@cyconet.org>
Cc: 503401@bugs.debian.org, 503401-submitter@bugs.debian.org
Subject: Re: Bug#503401: [Pkg-kde-extras] Bug#503401: try to start command via irc:// handler
Date: Mon, 27 Oct 2008 07:53:44 +1100
On Monday 27 October 2008 04:28:29 Jan Wagner wrote:
> While following the thread, I think it may be an old issue, even if the
> exploit states it's valid for 3.4.0.

Jan,

Raúl Sánchez Siles <rasasi78@gmail.com> sent an update to your report stating 
that whilst it didn't affect upstream 3.4.2, that was released after lenny 
froze and we are releasing lenny with 3.4.0, which is affected.

Raúl is working up a patch for upload.

Thanks for the report,
Mark




Message sent on to Jan Wagner <waja@cyconet.org>:
Bug#503401. (Sun, 26 Oct 2008 20:57:10 GMT) (full text, mbox, link).


Bug marked as found in version 2:3.4.0-1. Request was from Mark Purcell <msp@debian.org> to control@bugs.debian.org. (Sun, 26 Oct 2008 21:03:11 GMT) (full text, mbox, link).


Bug no longer marked as found in version 3.4.0. Request was from Mark Purcell <msp@debian.org> to control@bugs.debian.org. (Sun, 26 Oct 2008 21:03:14 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#503401; Package kvirc. (Sun, 26 Oct 2008 21:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to Mark Purcell <msp@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Sun, 26 Oct 2008 21:48:03 GMT) (full text, mbox, link).


Message #40 received at 503401@bugs.debian.org (full text, mbox, reply):

From: Mark Purcell <msp@debian.org>
To: Raúl Sánchez Siles <rasasi78@gmail.com>
Cc: 503401@bugs.debian.org
Subject: Re: Version 3.4.0 doesn't exist.
Date: Mon, 27 Oct 2008 08:34:53 +1100
On Monday 27 October 2008 08:18:38 Raúl Sánchez Siles wrote:
> Current sid version is 3.4.0-2 and 3.4.0-3 with the fix is coming shortly,
> just in case.
>
>   Would you mind elaborating on your experience a bit

I was just cleaning up the BTS versions as kvirc has an epoch.

The original report was for version 3.4.0, however it should have read 2:3.4.0-1, 
which are different versions.

My bts changes were just clearing that up.

Mark
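
The epoch point in the message above, as an added example (not part of the thread and not Debian's own tooling): a small Debian version comparator, following the Debian Policy ordering of epoch, upstream version and revision, that checks a kvirc version against the "Fixed in version" value from this log. The function names are hypothetical and the inputs are the version strings that appear in the thread; note that the `.deb` file names in the upload notice omit the epoch.

```python
import re

FIXED = "2:3.4.0-3"  # "Fixed in version" taken from this bug log

def parse(version):
    """Split a Debian version into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:                      # no epoch written means epoch 0
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:                      # no Debian revision present
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def _order(ch):
    # '~' sorts before end-of-string (0); letters sort before other characters
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    """Compare two upstream or revision strings by alternating text/digit runs."""
    while a or b:
        ta = re.match(r"[^0-9]*", a).group()
        tb = re.match(r"[^0-9]*", b).group()
        a, b = a[len(ta):], b[len(tb):]
        for i in range(max(len(ta), len(tb))):
            ca = _order(ta[i]) if i < len(ta) else 0
            cb = _order(tb[i]) if i < len(tb) else 0
            if ca != cb:
                return -1 if ca < cb else 1
        da = re.match(r"[0-9]*", a).group()
        db = re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def compare(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = parse(v1)
    e2, u2, r2 = parse(v2)
    if e1 != e2:                     # the epoch outranks everything else
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def carries_fix(installed):
    """True if the given kvirc version is at or after the fixed upload."""
    return compare(installed, FIXED) >= 0

if __name__ == "__main__":
    # Constructed input list: version strings quoted in this thread.
    for v in ("3.4.0", "3.4.0-3", "2:3.4.0-1", "2:3.4.0-2", "2:3.4.0-3"):
        print(f"{v:12} carries fix: {carries_fix(v)}")
```

On a Debian system the same comparison is `dpkg --compare-versions <installed> ge 2:3.4.0-3`; a version string copied from a package file name (`3.4.0-3`) sorts as older than the fixed version because it lacks the epoch.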




Information forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#503401; Package kvirc. (Sun, 26 Oct 2008 21:54:06 GMT) (full text, mbox, link).


Acknowledgement sent to Raúl Sánchez Siles <rasasi78@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Sun, 26 Oct 2008 21:54:06 GMT) (full text, mbox, link).


Message #45 received at 503401@bugs.debian.org (full text, mbox, reply):

From: Raúl Sánchez Siles <rasasi78@gmail.com>
To: 503401@bugs.debian.org, Mark Purcell <msp@debian.org>
Subject: Version 3.4.0 doesn't exist.
Date: Sun, 26 Oct 2008 22:18:38 +0100
  Hello Mark:

  Thanks for your help with this bug. I see you've marked this bug found in 
version 3.4.0-1 (current testing version) but not found in 3.4.0 which is a 
version that I can't see in Debian.

  Current sid version is 3.4.0-2 and 3.4.0-3 with the fix is coming shortly, 
just in case.

  Would you mind elaborating on your experience a bit?

  Thanks a lot. Regards,

-- 
     Raúl Sánchez Siles
----->Proud Debian user<-----
Linux registered user #416098

Reply sent to Raúl Sánchez Siles <rasasi78@gmail.com>:
You have taken responsibility. (Sun, 26 Oct 2008 23:21:29 GMT) (full text, mbox, link).


Notification sent to Jan Wagner <waja@cyconet.org>:
Bug acknowledged by developer. (Sun, 26 Oct 2008 23:21:29 GMT) (full text, mbox, link).


Message #50 received at 503401-close@bugs.debian.org (full text, mbox, reply):

From: Raúl Sánchez Siles <rasasi78@gmail.com>
To: 503401-close@bugs.debian.org
Subject: Bug#503401: fixed in kvirc 2:3.4.0-3
Date: Sun, 26 Oct 2008 23:17:18 +0000
Source: kvirc
Source-Version: 2:3.4.0-3

We believe that the bug you reported is fixed in the latest version of
kvirc, which is due to be installed in the Debian FTP archive:

kvirc-data_3.4.0-3_all.deb
  to pool/main/k/kvirc/kvirc-data_3.4.0-3_all.deb
kvirc-dev_3.4.0-3_amd64.deb
  to pool/main/k/kvirc/kvirc-dev_3.4.0-3_amd64.deb
kvirc_3.4.0-3.diff.gz
  to pool/main/k/kvirc/kvirc_3.4.0-3.diff.gz
kvirc_3.4.0-3.dsc
  to pool/main/k/kvirc/kvirc_3.4.0-3.dsc
kvirc_3.4.0-3_amd64.deb
  to pool/main/k/kvirc/kvirc_3.4.0-3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 503401@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raúl Sánchez Siles <rasasi78@gmail.com> (supplier of updated kvirc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 26 Oct 2008 21:14:02 +0100
Source: kvirc
Binary: kvirc kvirc-data kvirc-dev
Architecture: source all amd64
Version: 2:3.4.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>
Changed-By: Raúl Sánchez Siles <rasasi78@gmail.com>
Description: 
 kvirc      - KDE based next generation IRC client with module support
 kvirc-data - Data files for KVIrc
 kvirc-dev  - Development files for KVIrc
Closes: 503401
Changes: 
 kvirc (2:3.4.0-3) unstable; urgency=medium
 .
   * try to start command via irc:// handler (Closes: #503401).
     Added 31_r1997-irchandler-exploit-bug503401.patch
   * Urgency medium due to potential security bug fix.





Information forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#503401; Package kvirc. (Wed, 29 Oct 2008 21:21:02 GMT) (full text, mbox, link).


Acknowledgement sent to Mark Purcell <msp@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Wed, 29 Oct 2008 21:21:03 GMT) (full text, mbox, link).


Message #55 received at 503401@bugs.debian.org (full text, mbox, reply):

From: Mark Purcell <msp@debian.org>
To: debian-release@lists.debian.org
Cc: Raúl Sánchez Siles <rasasi78@gmail.com>, 503401@bugs.debian.org
Subject: give back request kvirc (was: Bug#503401: fixed in kvirc 2:3.4.0-3)
Date: Thu, 30 Oct 2008 08:18:04 +1100
On Monday 27 October 2008 10:17:18 Raúl Sánchez Siles wrote:
>  kvirc (2:3.4.0-3) unstable; urgency=medium
>  .
>    * try to start command via irc:// handler (Closes: #503401).
>      Added 31_r1997-irchandler-exploit-bug503401.patch
>    * Urgency medium due to potential security bug fix.

debian-release,

Unfortunately the kvirc upload was caught by the upload of kdelibs 3.5.10 to sid:
[ kdelibs4-dev: Depends: kdelibs4c2a (= 4:3.5.9.dfsg.1-6+b1) but it is not going to be installed ]

kdelibs 3.5.10 & 3.5.9 have the same shlibs [kdelibs4c2a (>= 4:3.5.9)] so a subsequent sid build should migrate to lenny.

Request a give back of kvirc against failed archs:

kvirc_2:3.4.0-3_i386
kvirc_2:3.4.0-3_alpha
kvirc_2:3.4.0-3_arm
kvirc_2:3.4.0-3_hppa
kvirc_2:3.4.0-3_ia64
kvirc_2:3.4.0-3_mips
kvirc_2:3.4.0-3_mipsel
kvirc_2:3.4.0-3_powerpc
kvirc_2:3.4.0-3_s390
kvirc_2:3.4.0-3_sparc

Thanks,
Mark




Information forwarded to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#503401; Package kvirc. (Fri, 31 Oct 2008 07:06:02 GMT) (full text, mbox, link).


Acknowledgement sent to Adeodato Simó <dato@net.com.org.es>:
Extra info received and forwarded to list. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>. (Fri, 31 Oct 2008 07:06:02 GMT) (full text, mbox, link).


Message #60 received at 503401@bugs.debian.org (full text, mbox, reply):

From: Adeodato Simó <dato@net.com.org.es>
To: Mark Purcell <msp@debian.org>
Cc: debian-release@lists.debian.org, Raúl Sánchez Siles <rasasi78@gmail.com>, 503401@bugs.debian.org
Subject: Re: give back request kvirc (was: Bug#503401: fixed in kvirc 2:3.4.0-3)
Date: Fri, 31 Oct 2008 08:02:47 +0100
* Mark Purcell [Thu, 30 Oct 2008 08:18:04 +1100]:

> On Monday 27 October 2008 10:17:18 Raúl Sánchez Siles wrote:
> >  kvirc (2:3.4.0-3) unstable; urgency=medium
> >  .
> >    * try to start command via irc:// handler (Closes: #503401).
> >      Added 31_r1997-irchandler-exploit-bug503401.patch
> >    * Urgency medium due to potential security bug fix.

> debian-release,

> Unfortunately the kvirc upload was caught by the upload of kdelibs 3.5.10 to sid:
> [ kdelibs4-dev: Depends: kdelibs4c2a (= 4:3.5.9.dfsg.1-6+b1) but it is not going to be installed ]

> kdelibs 3.5.10 & 3.5.9 have the same shlibs [kdelibs4c2a (>= 4:3.5.9)] so a subsequent sid build should migrate to lenny.

> Request a give back of kvirc against failed archs:

> kvirc_2:3.4.0-3_i386
> kvirc_2:3.4.0-3_alpha
> kvirc_2:3.4.0-3_arm
> kvirc_2:3.4.0-3_hppa
> kvirc_2:3.4.0-3_ia64
> kvirc_2:3.4.0-3_mips
> kvirc_2:3.4.0-3_mipsel
> kvirc_2:3.4.0-3_powerpc
> kvirc_2:3.4.0-3_s390
> kvirc_2:3.4.0-3_sparc

Done.

-- 
Adeodato Simó                                     dato at net.com.org.es
Debian Developer                                  adeodato at debian.org
 
«Ara que ets la meva dona, te la fotré fins a la melsa, bacona!»
                -- Terenci Moix, “Chulas y famosas”





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 18 Apr 2009 07:25:57 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 12 00:46:07 2018; Machine Name: beach
