Bugzilla – Bug 3881
Konqueror authentication credentials leak (KDE <= 3.1.2)
Last modified: 2003-08-18 22:49:57 UTC
The KDE team have identified a security leak in the Konqueror browser. Here's an excerpt from their security advisory: "Konqueror may inadvertently send authentication credentials to websites other than the intended website in clear text via the HTTP-referer header when authentication credentials are passed as part of a URL in the form of http://user:password@host/" The fix is to upgrade to KDE 3.1.3, which was released recently. Hopefully it should just be a case of bumping some version numbers :)
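The leak quoted from the advisory, turned into a defensive check: an added example, not KDE's patch and not code from this bug thread. It goes beyond the single case in the text by also scanning access-log lines for Referer values that still carry userinfo. The function names and the log lines (combined log format) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

def safe_referer(source_url):
    """Referer value for a request made from source_url, minus userinfo and fragment."""
    try:
        parts = urlsplit(source_url)
        port = parts.port
    except ValueError:              # malformed port or IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname           # hostname excludes "user:password@"
    if ":" in host:                 # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if port is not None:
        host = f"{host}:{port}"
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))

def has_userinfo(url):
    """True if the URL carries a user name or password before the host."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.username is not None or parts.password is not None

# Referer is the first quoted field after the status code and response size.
REFERER_FIELD = re.compile(r'" \d{3} \S+ "([^"]*)"')

def leaking_lines(log_lines):
    """Return (line number, redacted Referer) for each line whose Referer has userinfo."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REFERER_FIELD.search(line)
        if match and has_userinfo(match.group(1)):
            hits.append((number, safe_referer(match.group(1))))
    return hits

# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Aug/2003:10:00:00 +0000] "GET /logo.png HTTP/1.1" 200 512 '
    '"http://user:password@host/private/" "ExampleBrowser/1.0"',
    '192.0.2.11 - - [18/Aug/2003:10:00:05 +0000] "GET /logo.png HTTP/1.1" 200 512 '
    '"http://host/public/" "ExampleBrowser/1.0"',
    '192.0.2.12 - - [18/Aug/2003:10:00:09 +0000] "GET / HTTP/1.1" 200 1024 "-" "ExampleBrowser/1.0"',
]

if __name__ == "__main__":
    for number, referer in leaking_lines(SAMPLE_LOG):
        print(f"line {number}: Referer carried credentials (redacted: {referer})")
```

The scanner reports the redacted Referer rather than the original, so the credentials are not copied into alerts or tickets.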
Gareth, I'm building a modified kdelibs spell with the patches for testing. Since qt also needs to build, give it some time... then you can send a note to news.sourcemage.org to the security alerts section. You can do so now as well and state that an update to test and stable will be forthcoming, if you want.
Okay I've posted the news. It's the first time I've done it - I hope what I said was okay!
3.1.3 is released. Let's just go to that. If I can get 2 positive builds from you two, I'll bump devel and have it pulled through since it is a security issue.
Okay Eric, I'll leave 3.1.3 compiling overnight and let you know if it worked in the morning (9:00ish GMT ;))
heh, well, I patched it anyways... need to check my email more often... it's in devel/test/stable now. It's good to not disturb the stable people too much anyways... But it's good that 3.1.3 is going in soon, my change just gives us a little bit more breathing room. I don't have time to compile all of kde right now though, maybe later. I'd say one good positive report is good enough to put it into devel and test, then after some more, put it in stable. I'm going to look at news.sourcemage.org now.
Right, I've compiled and installed all of these packages with no problems at all:
  arts 1.1.3
  kdeutils 3.1.3
  quanta 3.1.3
  kdegraphics 3.1.3
  kde-i18n 3.1.3
  kdelibs 3.1.3
  kdemultimedia 3.1.3
  kdenetwork 3.1.3
  kdeaddons 3.1.3
  kdepim 3.1.3
  kdeadmin 3.1.3
  kdeartwork 3.1.3
  kdesdk 3.1.3
  kdebase 3.1.3
The only changes I made to the spells were bumping the version numbers and other references to 3.1.2. For some reason kdeartwork was still at 3.1.1 which threw my little sed script at first! There are some remaining packages that I haven't tested. That's because I don't normally have them installed and so I didn't have any sources to patch up to 3.1.3. Downloading them over my 56k connection would have been a bit slow I'm afraid. These untested packages are:
  kdebindings
  kdeedu
  kdegames
  kdetoys
If someone else with a faster connection could test those, that would be great :)
I am on it...
Damn it, I wanted to close these!