Debian Bug report logs - #546212
CVE-2009-2702: KDE KSSL NULL Character Certificate Spoofing Vulnerability

version graph

Package: kdelibs; Maintainer for kdelibs is Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>;

Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Fri, 11 Sep 2009 17:42:02 UTC

Severity: serious

Tags: security

Fixed in versions kdelibs/4:3.5.10.dfsg.1-2.1, kdelibs/4:3.5.5a.dfsg.1-8etch3

Done: Giuseppe Iuculano <iuculano@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#546212; Package kdelibs,kde4libs. (Fri, 11 Sep 2009 17:42:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Fri, 11 Sep 2009 17:42:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-2702: KDE KSSL NULL Character Certificate Spoofing Vulnerability
Date: Fri, 11 Sep 2009 19:20:22 +0200
Package: kdelibs,kde4libs
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for kdelibs and kde4libs.

CVE-2009-2702[0]:
| KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a
| '\0' character in a domain name in the Subject Alternative Name field
| of an X.509 certificate, which allows man-in-the-middle attackers to
| spoof arbitrary SSL servers via a crafted certificate issued by a
| legitimate Certification Authority, a related issue to CVE-2009-2408.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2702
    http://security-tracker.debian.net/tracker/CVE-2009-2702

Cheers,
Giuseppe

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqqhtMACgkQNxpp46476ao+jQCgjGZaW64GZRrVZpcGFAxW4+Ap
FpMAn2EWIhIe+Qgd0RBvO3abWnsLtRF2
=LoWY
-----END PGP SIGNATURE-----




Bug reassigned from package 'kdelibs,kde4libs' to 'kdelibs'. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Fri, 11 Sep 2009 18:12:06 GMT) Full text and rfc822 format available.

Bug 546212 cloned as bug 546218. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Fri, 11 Sep 2009 18:12:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#546212; Package kdelibs. (Wed, 14 Oct 2009 09:33:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Wed, 14 Oct 2009 09:33:05 GMT) Full text and rfc822 format available.

Message #14 received at 546212@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <iuculano@debian.org>
To: 534952@bugs.debian.org, 546212@bugs.debian.org
Subject: NMU
Date: Wed, 14 Oct 2009 11:31:56 +0200
[Message part 1 (text/plain, inline)]
Hi,

Attached is a debdiff of the changes I made for 4:3.5.10.dfsg.1-2.1 0-day NMU.

Cheers,
Giuseppe
[kdelibs_3.5.10.dfsg.1-2.1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Wed, 14 Oct 2009 11:21:26 GMT) Full text and rfc822 format available.

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Wed, 14 Oct 2009 11:21:26 GMT) Full text and rfc822 format available.

Message #19 received at 546212-close@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <iuculano@debian.org>
To: 546212-close@bugs.debian.org
Subject: Bug#546212: fixed in kdelibs 4:3.5.10.dfsg.1-2.1
Date: Wed, 14 Oct 2009 10:20:35 +0000
Source: kdelibs
Source-Version: 4:3.5.10.dfsg.1-2.1

We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:

kdelibs-data_3.5.10.dfsg.1-2.1_all.deb
  to pool/main/k/kdelibs/kdelibs-data_3.5.10.dfsg.1-2.1_all.deb
kdelibs-dbg_3.5.10.dfsg.1-2.1_i386.deb
  to pool/main/k/kdelibs/kdelibs-dbg_3.5.10.dfsg.1-2.1_i386.deb
kdelibs4-dev_3.5.10.dfsg.1-2.1_i386.deb
  to pool/main/k/kdelibs/kdelibs4-dev_3.5.10.dfsg.1-2.1_i386.deb
kdelibs4-doc_3.5.10.dfsg.1-2.1_all.deb
  to pool/main/k/kdelibs/kdelibs4-doc_3.5.10.dfsg.1-2.1_all.deb
kdelibs4c2a_3.5.10.dfsg.1-2.1_i386.deb
  to pool/main/k/kdelibs/kdelibs4c2a_3.5.10.dfsg.1-2.1_i386.deb
kdelibs_3.5.10.dfsg.1-2.1.diff.gz
  to pool/main/k/kdelibs/kdelibs_3.5.10.dfsg.1-2.1.diff.gz
kdelibs_3.5.10.dfsg.1-2.1.dsc
  to pool/main/k/kdelibs/kdelibs_3.5.10.dfsg.1-2.1.dsc
kdelibs_3.5.10.dfsg.1-2.1_all.deb
  to pool/main/k/kdelibs/kdelibs_3.5.10.dfsg.1-2.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 546212@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated kdelibs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 14 Oct 2009 09:57:26 +0200
Source: kdelibs
Binary: kdelibs kdelibs-data kdelibs4c2a kdelibs4-dev kdelibs4-doc kdelibs-dbg
Architecture: source all i386
Version: 4:3.5.10.dfsg.1-2.1
Distribution: unstable
Urgency: high
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 kdelibs    - core libraries from the official KDE release
 kdelibs-data - core shared data for all KDE applications
 kdelibs-dbg - debugging symbols for kdelibs
 kdelibs4-dev - development files for the KDE core libraries
 kdelibs4-doc - developer documentation for the KDE core libraries
 kdelibs4c2a - core libraries and binaries for all KDE applications
Closes: 534949 534949 546212
Changes: 
 kdelibs (4:3.5.10.dfsg.1-2.1) unstable; urgency=high
 .
   * Non-maintainer upload by the testing Security Team.
   * Fixed CVE-2009-1687: An integer overflow, leading to heap-based buffer
     overflow was found in the KDE implementation of garbage collector for the
     JavaScript language (KJS).
   * Fixed CVE-2009-1690: KDE HTML parser incorrectly handled content, forming
     the HTML page <head> element. A remote attacker could use this flaw to
     cause a denial of service (konqueror crash) or, potentially, execute
     arbitrary code, with the privileges of the user running "konqueror" web
     browser, if the victim was tricked to open a specially-crafted HTML page.
     (Closes: #534949)
   * Fixed CVE-2009-1698: KDE's Cascading Style Sheets (CSS) parser incorrectly
     handled content, forming the value of CSS "style" attribute. A remote
     attacker could use this flaw to cause a denial of service (konqueror crash)
     or potentially execute arbitrary code with the privileges of the user
     running "konqueror" web browser, if the victim visited a specially-crafted
     CSS equipped HTML page. (Closes: #534949)
   * Fixed CVE-2009-2702: KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not
     properly handle a '\0' character in a domain name in the Subject
     Alternative Name field of an X.509 certificate, which allows
     man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted
     certificate issued by a legitimate Certification Authority (Closes: #546212)
Checksums-Sha1: 
 504fd9e9dd1ffbbda2b654ad681ba3388ee6c14e 2230 kdelibs_3.5.10.dfsg.1-2.1.dsc
 d12ff23264c4d4c78835e3389fd8cbdf662dcccc 657806 kdelibs_3.5.10.dfsg.1-2.1.diff.gz
 2bf9237e425be86e35661d494abf236808c2d41a 30134 kdelibs_3.5.10.dfsg.1-2.1_all.deb
 3bf227f539914b357886aa7345ede1df3d751731 8718404 kdelibs-data_3.5.10.dfsg.1-2.1_all.deb
 0981d0e43afee520bf2f9fe73298ba646a5178d0 26876690 kdelibs4-doc_3.5.10.dfsg.1-2.1_all.deb
 72da39a38c3f0c7d8389ab067d67c50fff71fa47 10306148 kdelibs4c2a_3.5.10.dfsg.1-2.1_i386.deb
 0fb0f0067556a75f01da4c57113fe541a10153cf 1441552 kdelibs4-dev_3.5.10.dfsg.1-2.1_i386.deb
 2641630f70d67eba1b2bfff4f231ffbd69d9d523 26850578 kdelibs-dbg_3.5.10.dfsg.1-2.1_i386.deb
Checksums-Sha256: 
 c9be2e68f7734afd36ad36dfd4e3922d621c9704f76ba6f7e74041a7344db979 2230 kdelibs_3.5.10.dfsg.1-2.1.dsc
 f03c839ee8890787961411ec4ec8c31a7948946991c398f1532371c2ded52e15 657806 kdelibs_3.5.10.dfsg.1-2.1.diff.gz
 7e54dae986afa8f82328d51912ddc4cbab3a3a70a8f7e9df9642c20994f399ab 30134 kdelibs_3.5.10.dfsg.1-2.1_all.deb
 43f5de0902b43e8b5de42618c8a6dc0cf66a72fce0f631e176f33e281347f6f2 8718404 kdelibs-data_3.5.10.dfsg.1-2.1_all.deb
 038fabef9b00af6b8807d1fb0ffdcb008a8b79ba9125757f9ba96570e6548f4f 26876690 kdelibs4-doc_3.5.10.dfsg.1-2.1_all.deb
 e56fa11511f123272c152c9d52bee746713a845aff9ae221ec350a99f105abef 10306148 kdelibs4c2a_3.5.10.dfsg.1-2.1_i386.deb
 0945488b45e9ee8733dcf81a31189515aac0fed0a27b15c882657c2bf8d7531d 1441552 kdelibs4-dev_3.5.10.dfsg.1-2.1_i386.deb
 75b95353dd45a0e66b40333a0b19d26f4e3838602b782e4e499f2afb84030a30 26850578 kdelibs-dbg_3.5.10.dfsg.1-2.1_i386.deb
Files: 
 8f021af421cb2d1badfbf3fa43d1a38e 2230 libs optional kdelibs_3.5.10.dfsg.1-2.1.dsc
 aa060ab549a04763ee2dec80282a3bb1 657806 libs optional kdelibs_3.5.10.dfsg.1-2.1.diff.gz
 9ad9183442a86eae391cdae28d43e15a 30134 libs optional kdelibs_3.5.10.dfsg.1-2.1_all.deb
 3a24f98d46d4f750e37ee00869f0605f 8718404 libs optional kdelibs-data_3.5.10.dfsg.1-2.1_all.deb
 3f22d5422b42a0a87e1ed85135fae9d8 26876690 doc optional kdelibs4-doc_3.5.10.dfsg.1-2.1_all.deb
 debfeb004c10df7412ca24e055186105 10306148 libs optional kdelibs4c2a_3.5.10.dfsg.1-2.1_i386.deb
 4564cd5e347739081afa335d52fa4c5c 1441552 libdevel optional kdelibs4-dev_3.5.10.dfsg.1-2.1_i386.deb
 60b143ce4e602840fc1bf96bb9fe274f 26850578 libdevel extra kdelibs-dbg_3.5.10.dfsg.1-2.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkrVmYgACgkQNxpp46476aqOHwCdEzbBD4cG/QjWu4DWK0UuHzwM
c44An06wYnDYXL4LsQfZe1G1GryYwV/z
=I17X
-----END PGP SIGNATURE-----





Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Sat, 24 Oct 2009 20:12:04 GMT) Full text and rfc822 format available.

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sat, 24 Oct 2009 20:12:04 GMT) Full text and rfc822 format available.

Message #24 received at 546212-close@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <iuculano@debian.org>
To: 546212-close@bugs.debian.org
Subject: Bug#546212: fixed in kdelibs 4:3.5.5a.dfsg.1-8etch3
Date: Sat, 24 Oct 2009 19:58:35 +0000
Source: kdelibs
Source-Version: 4:3.5.5a.dfsg.1-8etch3

We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:

kdelibs-data_3.5.5a.dfsg.1-8etch3_all.deb
  to pool/main/k/kdelibs/kdelibs-data_3.5.5a.dfsg.1-8etch3_all.deb
kdelibs-dbg_3.5.5a.dfsg.1-8etch3_i386.deb
  to pool/main/k/kdelibs/kdelibs-dbg_3.5.5a.dfsg.1-8etch3_i386.deb
kdelibs4-dev_3.5.5a.dfsg.1-8etch3_i386.deb
  to pool/main/k/kdelibs/kdelibs4-dev_3.5.5a.dfsg.1-8etch3_i386.deb
kdelibs4-doc_3.5.5a.dfsg.1-8etch3_all.deb
  to pool/main/k/kdelibs/kdelibs4-doc_3.5.5a.dfsg.1-8etch3_all.deb
kdelibs4c2a_3.5.5a.dfsg.1-8etch3_i386.deb
  to pool/main/k/kdelibs/kdelibs4c2a_3.5.5a.dfsg.1-8etch3_i386.deb
kdelibs_3.5.5a.dfsg.1-8etch3.diff.gz
  to pool/main/k/kdelibs/kdelibs_3.5.5a.dfsg.1-8etch3.diff.gz
kdelibs_3.5.5a.dfsg.1-8etch3.dsc
  to pool/main/k/kdelibs/kdelibs_3.5.5a.dfsg.1-8etch3.dsc
kdelibs_3.5.5a.dfsg.1-8etch3_all.deb
  to pool/main/k/kdelibs/kdelibs_3.5.5a.dfsg.1-8etch3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 546212@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated kdelibs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 16 Oct 2009 08:57:21 +0200
Source: kdelibs
Binary: kdelibs4c2a kdelibs kdelibs4-doc kdelibs-dbg kdelibs-data kdelibs4-dev
Architecture: source i386 all
Version: 4:3.5.5a.dfsg.1-8etch3
Distribution: oldstable-security
Urgency: high
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 kdelibs    - core libraries from the official KDE release
 kdelibs-data - core shared data for all KDE applications
 kdelibs-dbg - debugging symbols for kdelibs
 kdelibs4-dev - development files for the KDE core libraries
 kdelibs4-doc - developer documentation for the KDE core libraries
 kdelibs4c2a - core libraries and binaries for all KDE applications
Closes: 546212
Changes: 
 kdelibs (4:3.5.5a.dfsg.1-8etch3) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-2702: KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not
     properly handle a '\0' character in a domain name in the Subject
     Alternative Name field of an X.509 certificate, which allows
     man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted
     certificate issued by a legitimate Certification Authority (Closes: #546212)
Files: 
 430e1a184def8c61269ebd4236ecf902 1636 libs optional kdelibs_3.5.5a.dfsg.1-8etch3.dsc
 616c29ec7f685e9b10c802eb6879d912 601207 libs optional kdelibs_3.5.5a.dfsg.1-8etch3.diff.gz
 f4697ef70a2bc020b1c633c92981e81f 34648 libs optional kdelibs_3.5.5a.dfsg.1-8etch3_all.deb
 a1326c3e10f4a1696b9d73115b417061 8607892 libs optional kdelibs-data_3.5.5a.dfsg.1-8etch3_all.deb
 83be81e20b84b786c47a3351a3600c77 40162414 doc optional kdelibs4-doc_3.5.5a.dfsg.1-8etch3_all.deb
 3bd6b5136465fbc6eb18f1112cbd3b58 9738260 libs optional kdelibs4c2a_3.5.5a.dfsg.1-8etch3_i386.deb
 7ecda9b7973b7122035828d49c26864a 1380274 libdevel optional kdelibs4-dev_3.5.5a.dfsg.1-8etch3_i386.deb
 63b27cabf41954b3b7d1f3a247d16573 26272380 libdevel extra kdelibs-dbg_3.5.5a.dfsg.1-8etch3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkrYR44ACgkQNxpp46476aodxwCdEP49HQ+d6vdkWe4g0IutBTh7
sIsAn22CMGXCFaaYA6K4aei6Zh2lMPMU
=irNr
-----END PGP SIGNATURE-----





Bug 546212 cloned as bug 553209. Request was from Helge Kreutzmann <debian@helgefjell.de> to control@bugs.debian.org. (Thu, 29 Oct 2009 18:36:05 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Nov 2009 07:27:19 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 13:18:03 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.