[Group.of.nepali.translators] [Bug 1839432] Re: [CVE] malicious .desktop files (and others) would execute code
** Also affects: kconfig (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: kconfig (Ubuntu Disco)
   Importance: Undecided
       Status: New

** Also affects: kconfig (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: kde4libs (Ubuntu)
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1839432

Title:
  [CVE] malicious .desktop files (and others) would execute code

Status in kconfig package in Ubuntu:
  New
Status in kde4libs package in Ubuntu:
  New
Status in kconfig source package in Xenial:
  New
Status in kde4libs source package in Xenial:
  New
Status in kconfig source package in Bionic:
  New
Status in kde4libs source package in Bionic:
  New
Status in kconfig source package in Disco:
  New
Status in kde4libs source package in Disco:
  New

Bug description:
  KDE Project Security Advisory
  =============================

  Title:          kconfig: malicious .desktop files (and others) would execute code
  Risk Rating:    High
  CVE:            CVE-2019-14744
  Versions:       KDE Frameworks < 5.61.0
  Date:           7 August 2019

  Overview
  ========
  The syntax Key[$e]=$(shell command) in *.desktop files, .directory files, and configuration files (typically found in ~/.config) was an intentional feature of KConfig, to allow flexible configuration. This could however be abused by malicious people to make the users install such files and get code executed even without intentional action by the user. A file manager trying to find out the icon for a file or directory could end up executing code, or any application using KConfig could end up executing malicious code during its startup phase for instance.

  After careful consideration, the entire feature of supporting shell commands in KConfig entries has been removed, because we couldn't find an actual use case for it. If you do have an existing use for the feature, please contact us so that we can evaluate whether it would be possible to provide a secure solution.

  Note that [$e] remains useful for environment variable expansion.

  Solution
  ========
  KDE Frameworks 5 users:
  - update to kconfig >= 5.61.0
  - or apply the following patch to kconfig:
    https://cgit.kde.org/kconfig.git/commit/?id=5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22

  kdelibs users: apply the following patch to kdelibs 4.14:
  https://cgit.kde.org/kdelibs.git/commit/?id=2c3762feddf7e66cf6b64d9058f625a715694a00

  Credits
  =======
  Thanks to Dominik Penner for finding and documenting this issue (we wish however that he would have contacted us before making the issue public) and to David Faure for the fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kconfig/+bug/1839432/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to     : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp
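
Added example (not part of the advisory, the bug report, or KDE's code): a defender-side scanner for the Key[$e]=$(shell command) syntax that the CVE-2019-14744 advisory above describes, useful for triaging *.desktop, .directory and ~/.config files on hosts still running kconfig < 5.61.0. The function names, the 1 MiB size limit and the sample file content are assumptions made for this example; the check is deliberately conservative and flags any "$(" in a value whose key carries the "e" option.

```python
import os
import re
import sys

# KConfig entry: key, optional [..] suffixes (locale or $-options), '=', value.
ENTRY_RE = re.compile(r"^\s*([^\[\]=#\s][^\[\]=]*?)\s*((?:\[[^\]]*\])*)\s*=(.*)$")
GROUP_RE = re.compile(r"^\s*\[(.+)\]\s*$")
OPTION_RE = re.compile(r"\[\$([A-Za-z]+)\]")  # option suffix such as [$e] or [$ei]
MAX_BYTES = 1 << 20  # assumption: config and .desktop files are small text files

# Constructed sample input, not taken from any real system.
SAMPLE = """\
[Desktop Entry]
Type=Directory
Name[de]=Beispiel $(not expanded: locale suffix only)
Home[$e]=$HOME/Documents
Icon[$e]=$(echo constructed-sample)
# Icon[$e]=$(echo commented-out)
Path[$ei]=$(echo constructed-sample-2)
"""


def scan_text(text):
    """Return (line_no, group, key, value) for each entry that has the
    'e' (expand) option and a $( command substitution in its value."""
    findings, group = [], ""
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comment line
        m = GROUP_RE.match(line)
        if m:
            group = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        key, suffixes, value = m.groups()
        expands = any("e" in opts for opts in OPTION_RE.findall(suffixes))
        if expands and "$(" in value:
            findings.append((line_no, group, key, value.strip()))
    return findings


def scan_tree(root):
    """Walk root and return {path: findings} for files with flagged entries."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            for line_no, group, key, value in hits:
                print(f"{path}:{line_no}: [{group}] {key} -> {value}")
    else:
        for hit in scan_text(SAMPLE):
            print(hit)
```

Entries that use [$e] only for environment variable expansion (the Home line in the sample) are not reported, matching the advisory's note that this use remains supported.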
[Group.of.nepali.translators] [Bug 1597466] Re: dpkg giving warning about '/etc/lsb-release' version number not starting with a digit when there is no apparent problem in the file
** Also affects: ubuntu-gnome-default-settings (Ubuntu Eoan)
   Importance: Undecided
     Assignee: Adam Conrad (adconrad)
       Status: Fix Released

** Also affects: kubuntu-settings (Ubuntu Eoan)
   Importance: High
       Status: Confirmed

--
https://bugs.launchpad.net/bugs/1597466

Title:
  dpkg giving warning about '/etc/lsb-release' version number not starting with a digit when there is no apparent problem in the file

Status in Ubuntu GNOME:
  Invalid
Status in kubuntu-settings package in Ubuntu:
  Confirmed
Status in ubuntu-gnome-default-settings package in Ubuntu:
  Fix Released
Status in kubuntu-settings source package in Xenial:
  Confirmed
Status in ubuntu-gnome-default-settings source package in Xenial:
  Confirmed
Status in kubuntu-settings source package in Eoan:
  Confirmed
Status in ubuntu-gnome-default-settings source package in Eoan:
  Fix Released

Bug description:
  I have recently noticed (though I believe that during the upgrade from Ubuntu GNOME 15.10 to 16.04 I spotted the message when it got to the point of updating the '/etc/lsb-release' file) that sometimes during an 'apt-get dist-upgrade' operation or similar that dpkg outputs this warning:

    dpkg: warning: version '/etc/lsb-release' has bad syntax: version number does not start with a digit

  The contents of my 'lsb-release' file is:

    DISTRIB_ID=Ubuntu
    DISTRIB_RELEASE=16.04
    DISTRIB_CODENAME=xenial
    DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"

  So I assume that this is a dpkg bug as this was the standard file and I don't see any problems in it (I have also compared it to the one on 14.04 and it is in the same format).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-gnome/+bug/1597466/+subscriptions
[Group.of.nepali.translators] [Bug 1768649] Re: [CVE] Access to privileged files
** Changed in: kwallet-pam (Ubuntu Bionic)
       Status: Fix Released => Triaged

** Changed in: kwallet-pam (Ubuntu Artful)
       Status: Fix Released => Triaged

** Changed in: kwallet-pam (Ubuntu Xenial)
       Status: Fix Released => Triaged

--
https://bugs.launchpad.net/bugs/1768649

Title:
  [CVE] Access to privileged files

Status in kwallet-pam package in Ubuntu:
  Fix Released
Status in pam-kwallet package in Ubuntu:
  Invalid
Status in pam-kwallet source package in Trusty:
  New
Status in kwallet-pam source package in Xenial:
  Triaged
Status in kwallet-pam source package in Artful:
  Triaged
Status in kwallet-pam source package in Bionic:
  Triaged
Status in kwallet-pam source package in Cosmic:
  Fix Released

Bug description:
  KDE Project Security Advisory
  =============================

  Title:          kwallet-pam: Access to privileged files
  Risk Rating:    High
  CVE:            CVE-2018-10380
  Versions:       Plasma < 5.12.6
  Date:           4 May 2018

  Overview
  ========
  kwallet-pam was doing file writing and permission changing as root that with correct timing and use of carefully crafted symbolic links could allow a non-privileged user to become the owner of any file on the system.

  Workaround
  ==========
  None (other than not using kwallet-pam)

  Solution
  ========
  Update to Plasma >= 5.12.6 or Plasma >= 5.13.0

  Or apply the following patches:
  Plasma 5.12
    https://commits.kde.org/kwallet-pam/2134dec85ce19d6378d03cddfae9e5e464cb24c0
    https://commits.kde.org/kwallet-pam/01d4143fda5bddb6dca37b23304dc239a5fb38b5
  Plasma 5.8
    https://commits.kde.org/kwallet-pam/99abc7fde21f40cc6da5feb6ee766cc46fcca1f8
    https://commits.kde.org/kwallet-pam/802f305d81f8771c4f4a8bd7fd0e368ffc6f9b3b

  Credits
  =======
  Thanks to Fabian Vogt for the report and to Albert Astals Cid for the fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kwallet-pam/+bug/1768649/+subscriptions
[Group.of.nepali.translators] [Bug 1748247] Re: [CVE] Arbitrary command execution in the removable device notifier
** Changed in: plasma-workspace (Ubuntu Bionic)
       Status: New => Fix Released

--
https://bugs.launchpad.net/bugs/1748247

Title:
  [CVE] Arbitrary command execution in the removable device notifier

Status in kde-runtime package in Ubuntu:
  New
Status in plasma-workspace package in Ubuntu:
  Fix Released
Status in kde-runtime source package in Trusty:
  In Progress
Status in plasma-workspace source package in Trusty:
  In Progress
Status in kde-runtime source package in Xenial:
  In Progress
Status in plasma-workspace source package in Xenial:
  In Progress
Status in kde-runtime source package in Artful:
  In Progress
Status in plasma-workspace source package in Artful:
  In Progress
Status in kde-runtime source package in Bionic:
  New
Status in plasma-workspace source package in Bionic:
  Fix Released

Bug description:
  KDE Project Security Advisory
  =============================

  Title:          Plasma Desktop: Arbitrary command execution in the removable device notifier
  Risk Rating:    High
  CVE:            CVE-2018-6791
  Versions:       Plasma < 5.12.0
  Date:           8 February 2018

  Overview
  ========
  When a vfat thumbdrive which contains `` or $() in its volume label is plugged and mounted through the device notifier, it's interpreted as a shell command, leaving a possibility of arbitrary command execution. An example of an offending volume label is "$(touch b)", which will create a file called b in the home folder.

  Workaround
  ==========
  Mount removable devices with Dolphin instead of the device notifier.

  Solution
  ========
  Update to Plasma >= 5.12.0 or Plasma >= 5.8.9

  Or apply the following patches:
  Plasma 5.8:
    https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212
  Plasma 5.9/5.10/5.11:
    https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57

  Credits
  =======
  Thanks to ksieluzyckih for the report and to Marco Martin for the fix.

  Patches for this bug should also contain fixes for CVE-2018-6790:

  KDE Project Security Advisory
  =============================

  Title:          Plasma: Notifications can expose user IP address
  Risk Rating:    Low
  CVE:            CVE-2018-6790
  Versions:       Plasma < 5.12.0
  Date:           8 February 2018

  Overview
  ========
  Plasma has support for the Desktop Notifications specification. That specification allows embedding images in notifications. Plasma was not sanitizing the HTML that forms the notification. That allowed for notifications to load a remote image, leaking the user IP address.

  This is in turn made a bit worse by the fact that some chat software doesn't sanitize the text they send to the notification system either, meaning that a third party could send a carefully crafted message to a chat room and get the IP addresses of the users in that chat room.

  Workaround
  ==========
  Disable notifications

  Solution
  ========
  Update to Plasma >= 5.12.0 or Plasma >= 5.8.9

  Or apply the following patches:
  Plasma 5.8:
    https://cgit.kde.org/plasma-workspace.git/commit/?h=Plasma/5.8=5bc696b5abcdb460c1017592e80b2d7f6ed3107c

  Credits
  =======
  Thanks to David Edmundson for the fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kde-runtime/+bug/1748247/+subscriptions
[Group.of.nepali.translators] [Bug 1698180] Re: Send Later with Delay bypasses OpenPGP
** Also affects: kf5-messagelib (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: kf5-messagelib (Ubuntu)
   Importance: Undecided => High

--
https://bugs.launchpad.net/bugs/1698180

Title:
  Send Later with Delay bypasses OpenPGP

Status in kdepim package in Ubuntu:
  In Progress
Status in kf5-messagelib package in Ubuntu:
  In Progress
Status in kdepim source package in Trusty:
  New
Status in kdepim source package in Xenial:
  New
Status in kdepim source package in Zesty:
  New
Status in kdepim source package in Artful:
  In Progress

Bug description:
  KDE Project Security Advisory
  =============================

  Title:          KMail: Send Later with Delay bypasses OpenPGP
  Risk Rating:    Medium
  CVE:            CVE-2017-9604
  Versions:       kmail, messagelib < 5.5.2
  Date:           15 June 2017

  Overview
  ========
  KMail’s Send Later with Delay function bypasses OpenPGP signing and encryption, causing the message to be sent unsigned and in plain-text.

  Solution
  ========
  Update to kmail, messagelib >= 5.5.2 (Released as part of KDE Applications 17.04.2)

  Or apply the following patches:
  kmail:
    https://commits.kde.org/kmail/78c5552be2f00a4ac25bd77ca39386522fca70a8
  messagelib:
    https://commits.kde.org/messagelib/c54706e990bbd6498e7b1597ec7900bc809e8197

  Credits
  =======
  Thanks to Daniel Aleksandersen for the report and to Laurent Montel for the fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kdepim/+bug/1698180/+subscriptions
[Group.of.nepali.translators] [Bug 1698180] Re: Send Later with Delay bypasses OpenPGP
** No longer affects: kmail (Ubuntu)

** No longer affects: kmail (Ubuntu Trusty)

** No longer affects: kmail (Ubuntu Xenial)

** No longer affects: kmail (Ubuntu Zesty)

** No longer affects: kmail (Ubuntu Artful)

--
https://bugs.launchpad.net/bugs/1698180

Title:
  Send Later with Delay bypasses OpenPGP

Status in kdepim package in Ubuntu:
  In Progress
Status in kf5-messagelib package in Ubuntu:
  New
Status in kdepim source package in Trusty:
  New
Status in kdepim source package in Xenial:
  New
Status in kdepim source package in Zesty:
  New
Status in kdepim source package in Artful:
  In Progress

Bug description:
  KDE Project Security Advisory
  =============================

  Title:          KMail: Send Later with Delay bypasses OpenPGP
  Risk Rating:    Medium
  CVE:            CVE-2017-9604
  Versions:       kmail, messagelib < 5.5.2
  Date:           15 June 2017

  Overview
  ========
  KMail’s Send Later with Delay function bypasses OpenPGP signing and encryption, causing the message to be sent unsigned and in plain-text.

  Solution
  ========
  Update to kmail, messagelib >= 5.5.2 (Released as part of KDE Applications 17.04.2)

  Or apply the following patches:
  kmail:
    https://commits.kde.org/kmail/78c5552be2f00a4ac25bd77ca39386522fca70a8
  messagelib:
    https://commits.kde.org/messagelib/c54706e990bbd6498e7b1597ec7900bc809e8197

  Credits
  =======
  Thanks to Daniel Aleksandersen for the report and to Laurent Montel for the fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kdepim/+bug/1698180/+subscriptions
[Group.of.nepali.translators] [Bug 1668871] Re: kio: Information Leak when accessing https when using a malicious PAC file
** Also affects: kde4libs (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: kde4libs (Ubuntu Zesty)
   Importance: Undecided
       Status: New

** Also affects: kio (Ubuntu Zesty)
   Importance: Undecided
       Status: New

** Also affects: kde4libs (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: kio (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: kde4libs (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: kio (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: kde4libs (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: kio (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** No longer affects: kio (Ubuntu Trusty)

--
https://bugs.launchpad.net/bugs/1668871

Title:
  kio: Information Leak when accessing https when using a malicious PAC file

Status in kde4libs package in Ubuntu:
  New
Status in kio package in Ubuntu:
  New
Status in kde4libs source package in Trusty:
  New
Status in kde4libs source package in Xenial:
  New
Status in kio source package in Xenial:
  New
Status in kde4libs source package in Yakkety:
  New
Status in kio source package in Yakkety:
  New
Status in kde4libs source package in Zesty:
  New
Status in kio source package in Zesty:
  New

Bug description:
  KDE Project Security Advisory
  =============================

  Title:          kio: Information Leak when accessing https when using a malicious PAC file
  Risk Rating:    Medium
  CVE:            TBC
  Versions:       kio < 5.32, kdelibs < 4.14.30
  Date:           28 February 2017

  Overview
  ========
  Using a malicious PAC file, and then using exfiltration methods in the PAC function FindProxyForURL() enables the attacker to expose full https URLs.

  This is a security issue since https URLs may contain sensitive information in the URL authentication part (user:password@host), and in the path and the query (e.g. access tokens).

  This attack can be carried out remotely (over the LAN) since proxy settings allow “Detect Proxy Configuration Automatically”. This setting uses WPAD to retrieve the PAC file, and an attacker who has access to the victim’s LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP) and inject his/her own malicious PAC instead of the legitimate one.

  Solution
  ========
  Update to kio >= 5.32 and kdelibs >= 4.14.30 (when released)

  Or apply the following patches:
  kio:
    https://commits.kde.org/kio/f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
  kdelibs:
    https://commits.kde.org/kdelibs/1804c2fde7bf4e432c6cf5bb8cce5701c7010559

  Credits
  =======
  Thanks to Safebreach Labs researchers Itzik Kotler, Yonatan Fridburg and Amit Klein.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1668871/+subscriptions
[Group.of.nepali.translators] [Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files
** Changed in: ark (Ubuntu Zesty)
       Status: Fix Committed => Fix Released

--
https://bugs.launchpad.net/bugs/1655507

Title:
  CVE-2017-5330 - Ark: unintended execution of scripts and executable files

Status in ark package in Ubuntu:
  Fix Released
Status in ark source package in Xenial:
  Confirmed
Status in ark source package in Yakkety:
  Confirmed
Status in ark source package in Zesty:
  Fix Released

Bug description:
  KDE Project Security Advisory
  =============================

  Title:          Ark: unintended execution of scripts and executable files
  Risk Rating:    Important
  CVE:            CVE-2017-5330
  Versions:       ark >= 15.12
  Author:         Elvis Angelaccio
  Date:           12 January 2017

  Overview
  ========
  Through a (possibly malicious) tar archive that contains an executable shell script or binary, it was possible to execute arbitrary code on target machines. KRun::runUrl() has a runExecutable argument which defaults to true. Ark was using this default value and was also not checking whether an extracted file was executable before passing it to the runUrl() function.

  Impact
  ======
  An attacker can send legitimate tar archives with executable scripts or binaries disguised as normal files (say, with README or LICENSE as filenames). The attacker then can trick a user to select those files and click the Open button in the Ark toolbar, which triggers the affected code.

  Workaround
  ==========
  Don't use the File -> Open functionality of Ark. You can still open archives (Archive->Open) and extract them.

  Solution
  ========
  Update to Ark >= 16.12.1

  For older releases of Ark, apply the following patches:
  Applications/16.08 branch:
    https://commits.kde.org/ark/49ce94df19607e234525afda5ad4190ce35300c3
  Applications/16.04 branch:
    https://commits.kde.org/ark/6b6da3f2e6ac5ca12b46d208d532948c1dbb8776
  Applications/15.12 branch:
    https://commits.kde.org/ark/e2448360eca1b81eb59fffca9584b0fc5fbd8e5b

  Credits
  =======
  Thanks to Fabian Vogt for reporting this issue, Elvis Angelaccio for fixing this issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+subscriptions
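
Added example (not part of the advisory and not Ark's code): the check the CVE-2017-5330 advisory above says was missing, done before extraction by listing the regular-file members of a tar archive that carry an execute bit and noting whether their first bytes look like a script or an ELF binary. The function names and the in-memory sample archive are constructed for this example.

```python
import io
import tarfile

EXEC_BITS = 0o111  # execute permission for user, group or other

# Constructed sample members: (name, mode, content). README is the disguised one.
SAMPLE_ENTRIES = [
    ("README", 0o755, b"#!/bin/sh\necho constructed-sample\n"),
    ("LICENSE", 0o644, b"Constructed licence text\n"),
    ("docs/notes.txt", 0o644, b"plain notes\n"),
]


def build_tar(entries):
    """Build an uncompressed tar archive in memory from (name, mode, data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, data in entries:
            info = tarfile.TarInfo(name)
            info.mode, info.size = mode, len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit(tar_bytes):
    """Return (name, mode, kind) for every regular file with an execute bit.

    kind is 'script' (starts with #!), 'elf' (ELF magic) or 'data'.
    Nothing is extracted to disk; only the first four bytes are read.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or not member.mode & EXEC_BITS:
                continue
            head = tar.extractfile(member).read(4)
            if head.startswith(b"#!"):
                kind = "script"
            elif head == b"\x7fELF":
                kind = "elf"
            else:
                kind = "data"
            findings.append((member.name, oct(member.mode & 0o777), kind))
    return findings


if __name__ == "__main__":
    for name, mode, kind in audit(build_tar(SAMPLE_ENTRIES)):
        print(f"{name}: mode {mode}, content looks like {kind}")
```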