Debian Bug report logs - #856321
ktnef security issue: Directory Traversal
Reported by: Martin Steigerwald <Martin@Lichtvoll.de>
Date: Mon, 27 Feb 2017 18:51:02 UTC
Severity: important
Tags: patch
Found in version kdepim/4:16.04.3-3
Fixed in version ktnef/4:17.08.3-1
Done: Sandro Knauß <hefee@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>: Bug#856321; Package ktnef. (Mon, 27 Feb 2017 18:51:04 GMT)
Acknowledgement sent to Martin Steigerwald <Martin@Lichtvoll.de>: New Bug report received and forwarded. Copy sent to Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Mon, 27 Feb 2017 18:51:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: ktnef
Version: 4:16.04.3-3
Severity: important
Tags: patch
Dear Maintainer,
from the KDE project security advisory:
> A directory traversal issue was found in ktnef which can
> be exploited by tricking a user into opening a malicious winmail.dat file.
> The issue allows to write files with the permission of the user opening
> the winmail.dat file during extraction.
I will forward the KDE project security advisory to the bug as soon as I get
the bug number back.
Patch is at:
https://commits.kde.org/ktnef/4ff38aa15487d69021aacad4b078500f77fb4ae8
Thank you,
Martin
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.8.16-tp520+ (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages ktnef depends on:
ii kio 5.28.0-1
ii libc6 2.24-9
ii libkf5configcore5 5.28.0-1
ii libkf5configwidgets5 5.28.0-1
ii libkf5coreaddons5 5.28.0-1
ii libkf5dbusaddons5 5.28.0-1
ii libkf5i18n5 5.28.0-1
ii libkf5kiowidgets5 5.28.0-1
ii libkf5service-bin 5.28.0-1
ii libkf5service5 5.28.0-1
ii libkf5tnef5 16.04.2-1
ii libkf5widgetsaddons5 5.28.0-1
ii libkf5xmlgui5 5.28.0-1
ii libqt5core5a 5.7.1+dfsg-3+b1
ii libqt5gui5 5.7.1+dfsg-3+b1
ii libqt5widgets5 5.7.1+dfsg-3+b1
ii libstdc++6 7-20170221-1
ktnef recommends no packages.
ktnef suggests no packages.
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>: Bug#856321; Package ktnef. (Mon, 27 Feb 2017 18:54:05 GMT)
Acknowledgement sent to Martin Steigerwald <martin@lichtvoll.de>: Extra info received and forwarded to list. Copy sent to Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Mon, 27 Feb 2017 18:54:05 GMT)
Message #10 received at 856321@bugs.debian.org:
Attached is the original security advisory. I chose an attachment in order to
preserve the mail headers.
Thanks,
--
Martin
[Forwarded message (message/rfc822, inline)]
KDE Project Security Advisory
=============================
Title: ktnef: Directory Traversal
Risk Rating: Medium
CVE: TBC
Versions: ktnef <= 5.4.2 (KDE Applications 16.12.2)
Date: 27 February 2017
Overview
========
A directory traversal issue was found in ktnef which can
be exploited by tricking a user into opening a malicious winmail.dat file.
The issue allows to write files with the permission of the user opening
the winmail.dat file during extraction.
Solution
========
Update to ktnef >= 5.4.3 (KDE Applications 16.12.3) (when released)
Or apply the following patch:
https://commits.kde.org/ktnef/4ff38aa15487d69021aacad4b078500f77fb4ae8
Credits
=======
Thanks to X41 D-Sec GmbH for finding the issue and providing us with
files to reproduce it
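
The advisory describes the flaw but does not reproduce the patch. As an added illustration (not ktnef's code and not the referenced commit), this C++17 example contrasts joining an untrusted attachment name to the output directory as-is with a hardened variant that keeps only the final path component and verifies containment. The function names, the `/tmp/out` directory and the attachment names are hypothetical.

```cpp
// Added example (not ktnef code): choosing the on-disk path for an attachment
// whose name comes from an untrusted winmail.dat.
#include <algorithm>
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>

namespace fs = std::filesystem;

// True only if `target` lies strictly below `base` (purely lexical check;
// symlinks inside the output directory are out of scope here).
bool is_inside(const fs::path& base, const fs::path& target) {
    fs::path rel = target.lexically_normal().lexically_relative(base.lexically_normal());
    return !rel.empty() && rel != "." && *rel.begin() != "..";
}

// Weak pattern: the embedded name is joined to the output directory as-is.
// ".." components climb out of it, and an absolute name replaces it entirely.
fs::path naive_target(const fs::path& out_dir, const std::string& name) {
    return (out_dir / name).lexically_normal();
}

// Hardened pattern: keep only the final path component, refuse names that
// have none, then confirm containment before any file is opened.
std::optional<fs::path> safe_target(const fs::path& out_dir, std::string name) {
    // TNEF is produced by Windows mail clients, so treat '\' as a separator too.
    std::replace(name.begin(), name.end(), '\\', '/');
    fs::path leaf = fs::path(name).filename();
    if (leaf.empty() || leaf == "." || leaf == "..") return std::nullopt;
    fs::path target = (out_dir / leaf).lexically_normal();
    if (!is_inside(out_dir, target)) return std::nullopt;  // defence in depth
    return target;
}

int main() {
    const fs::path out = "/tmp/out";  // hypothetical extraction directory
    // Constructed attachment names, not taken from any real file.
    for (std::string n : {"report.pdf", "../../outside.txt", "..\\..\\outside.txt", ".."}) {
        auto s = safe_target(out, n);
        std::cout << n << " | naive: " << naive_target(out, n).string()
                  << " | safe: " << (s ? s->string() : "(rejected)") << "\n";
    }
}
```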
Reply sent to Sandro Knauß <hefee@debian.org>: You have taken responsibility. (Thu, 21 Dec 2017 17:45:03 GMT)
Notification sent to Martin Steigerwald <Martin@Lichtvoll.de>: Bug acknowledged by developer. (Thu, 21 Dec 2017 17:45:03 GMT)
Message #15 received at 856321-close@bugs.debian.org:
Source: ktnef
Source-Version: 4:17.08.3-1
We believe that the bug you reported is fixed in the latest version of
ktnef, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 856321@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sandro Knauß <hefee@debian.org> (supplier of updated ktnef package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 21 Dec 2017 17:58:13 +0100
Source: ktnef
Binary: libkf5tnef-dev libkf5tnef5
Architecture: source
Version: 4:17.08.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Sandro Knauß <hefee@debian.org>
Description:
libkf5tnef-dev - library for handling TNEF data - development files
libkf5tnef5 - library for handling TNEF data
Closes: 856321 884292
Changes:
ktnef (4:17.08.3-1) unstable; urgency=medium
.
* Team upload.
.
[ Sandro Knauß ]
* New upstream release (17.08.3) (Closes: #856321).
* Get rid of unnecessary break/replaces of kde-l10n-(ast|eo).
* Bump Standards-Version to 4.1.2 (No changes needed).
* Mark libkf5tnef-dev not as Multi-Arch: foreign.
* Update build-deps and deps with the info from cmake.
* Remove not needed Build-Deps. (Closes: #884292)
* Bump debhelper build-dep and compat to 10.
* Update symbols from buildds for 4:17.08.0
* Set l10npkgs_firstversion_ok to 4:16.04.3-9~
Last modified: Wed Jan 10 18:15:32 2018