Privacy and Legal Notice

DOE-CIRC TECHNICAL BULLETIN

T-263: KDE Multiple Input Validation Vulnerabilities

November 2, 2009 14:00 GMT
PROBLEM: KDE is prone to multiple input-validation vulnerabilities that affect 'Ark', 'IO Slaves', and 'Kmail'
PLATFORM: KDE 4.3.2 and all previous versions
ABSTRACT: A successful attack will allow arbitrary attacker-supplied JavaScript to run in the context of the victim running the affected application.
LINKS:  
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-263.shtml
  OTHER LINKS: Security Focus
http://www.securityfocus.com/bid/36845/info

IMPACT ASSESSMENT: This risk is medium. An attacker can exploit these issues by tricking an unsuspecting victim into opening a malicious file. 
Discussion:
KDE, an open source desktop environment, suffers from several bugs that pose a security risk.

Ark input sanitization errors:
The KDE archiving tool, Ark, performs insufficient validation which leads to specially crafted archive files, using unknown MIME types, to be rendered using a KHTML instance, this can trigger uncontrolled XMLHTTPRequests to remote sites.

IO Slaves input sanitization errors:
KDE protocol handlers perform insufficient input validation, an attacker can craft malicious URI that would trigger JavaScript execution. Additionally the 'help://' protocol handler suffer from directory traversal. It should be noted that the scope of this issue is limited as the malicious URIs cannot be embedded in Internet hosted content.

KMail input sanitization errors:
The KDE mail client, KMail, performs insufficient validation which leads to specially crafted email attachments, using unknown MIME types, to be rendered using a KHTML instance, this can trigger uncontrolled XMLHTTPRequests to remote sites.

The exploitation of these vulnerabilities is unlikely according to Portcullis and KDE but the execution of active content is nonetheless unexpected and might pose a threat.

Solution:
All the reported issues have been patched.  Please see below for more details:

KDE KDE 3.5.10

* KDE xmlhttprequest_3.x.diff
ftp://ftp.kde.org/pub/kde/security_patches

KDE KDE 3.5.5

* KDE xmlhttprequest_3.x.diff
ftp://ftp.kde.org/pub/kde/security_patches

KDE KDE 3.5.6

* KDE xmlhttprequest_3.x.diff
ftp://ftp.kde.org/pub/kde/security_patches

KDE KDE 3.5.7

* KDE xmlhttprequest_3.x.diff
ftp://ftp.kde.org/pub/kde/security_patches

KDE KDE 3.5.8

* KDE xmlhttprequest_3.x.diff
ftp://ftp.kde.org/pub/kde/security_patches

KDE KDE 3.5.9

* KDE xmlhttprequest_3.x.diff
ftp://ftp.kde.org/pub/kde/security_patches
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at: 
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov
UCRL-MI-119788