[Group.of.nepali.translators] [Bug 1839432] Re: [CVE] malicious .desktop files (and others) would execute code

[Rik Mills]

** Also affects: kconfig (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: kconfig (Ubuntu Disco)
   Importance: Undecided
   Status: New

** Also affects: kconfig (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: kde4libs (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1839432

Title:
  [CVE] malicious .desktop files (and others) would execute code

Status in kconfig package in Ubuntu:
  New
Status in kde4libs package in Ubuntu:
  New
Status in kconfig source package in Xenial:
  New
Status in kde4libs source package in Xenial:
  New
Status in kconfig source package in Bionic:
  New
Status in kde4libs source package in Bionic:
  New
Status in kconfig source package in Disco:
  New
Status in kde4libs source package in Disco:
  New

Bug description:
  KDE Project Security Advisory
  =

  Title:  kconfig: malicious .desktop files (and others) would execute 
code
  Risk Rating:High
  CVE:CVE-2019-14744
  Versions:   KDE Frameworks < 5.61.0
  Date:   7 August 2019

  Overview
  
  The syntax Key[$e]=$(shell command) in *.desktop files, .directory files, and 
configuration files
  (typically found in ~/.config) was an intentional feature of KConfig, to 
allow flexible configuration.
  This could however be abused by malicious people to make the users install 
such files and get code
  executed even without intentional action by the user. A file manager trying 
to find out the icon for
  a file or directory could end up executing code, or any application using 
KConfig could end up
  executing malicious code during its startup phase for instance.

  After careful consideration, the entire feature of supporting shell commands 
in KConfig entries has been removed,
  because we couldn't find an actual use case for it. If you do have an 
existing use for the feature, please
  contact us so that we can evaluate whether it would be possible to provide a 
secure solution.

  Note that [$e] remains useful for environment variable expansion.

  Solution
  
  KDE Frameworks 5 users:
  - update to kconfig >= 5.61.0
  - or apply the following patch to kconfig:
  
https://cgit.kde.org/kconfig.git/commit/?id=5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22

  kdelibs users: apply the following patch to kdelibs 4.14:
  
https://cgit.kde.org/kdelibs.git/commit/?id=2c3762feddf7e66cf6b64d9058f625a715694a00

  Credits
  ===
  Thanks to Dominik Penner for finding and documenting this issue (we wish 
however that he would
  have contacted us before making the issue public) and to David Faure for the 
fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kconfig/+bug/1839432/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp

[Group.of.nepali.translators] [Bug 1597466] Re: dpkg giving warning about '/etc/lsb-release' version number not starting with a digit when there is no apparent problem in the file

[Rik Mills]

** Also affects: ubuntu-gnome-default-settings (Ubuntu Eoan)
   Importance: Undecided
 Assignee: Adam Conrad (adconrad)
   Status: Fix Released

** Also affects: kubuntu-settings (Ubuntu Eoan)
   Importance: High
   Status: Confirmed

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1597466

Title:
  dpkg giving warning about '/etc/lsb-release' version number not
  starting with a digit when there is no apparent problem in the file

Status in Ubuntu GNOME:
  Invalid
Status in kubuntu-settings package in Ubuntu:
  Confirmed
Status in ubuntu-gnome-default-settings package in Ubuntu:
  Fix Released
Status in kubuntu-settings source package in Xenial:
  Confirmed
Status in ubuntu-gnome-default-settings source package in Xenial:
  Confirmed
Status in kubuntu-settings source package in Eoan:
  Confirmed
Status in ubuntu-gnome-default-settings source package in Eoan:
  Fix Released

Bug description:
  I have recently noticed (though I believe that during the upgrade from Ubuntu 
GNOME 15.10 to 16.04 I spotted the message when it got to the point of updating 
the '/etc/lsb-release' file) that sometimes 
  during an 'apt-get dist-upgrade' operation or similar that dpkg outputs this 
warning:

  dpkg: warning: version '/etc/lsb-release' has bad syntax: version
  number does not start with a digit

  The contents of my 'lsb-release' file is:

  DISTRIB_ID=Ubuntu
  DISTRIB_RELEASE=16.04
  DISTRIB_CODENAME=xenial
  DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"

  So I assume that this is a dpkg bug as this was the standard file and
  I don't see any problems in it (I have also compared it to the one on
  14.04 and it is in the same format).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-gnome/+bug/1597466/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp

[Group.of.nepali.translators] [Bug 1768649] Re: [CVE] Access to privileged files

[Rik Mills]

** Changed in: kwallet-pam (Ubuntu Bionic)
   Status: Fix Released => Triaged

** Changed in: kwallet-pam (Ubuntu Artful)
   Status: Fix Released => Triaged

** Changed in: kwallet-pam (Ubuntu Xenial)
   Status: Fix Released => Triaged

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1768649

Title:
  [CVE] Access to privileged files

Status in kwallet-pam package in Ubuntu:
  Fix Released
Status in pam-kwallet package in Ubuntu:
  Invalid
Status in pam-kwallet source package in Trusty:
  New
Status in kwallet-pam source package in Xenial:
  Triaged
Status in kwallet-pam source package in Artful:
  Triaged
Status in kwallet-pam source package in Bionic:
  Triaged
Status in kwallet-pam source package in Cosmic:
  Fix Released

Bug description:
  KDE Project Security Advisory
  =

  Title:  kwallet-pam: Access to privileged files
  Risk Rating:High
  CVE:CVE-2018-10380
  Versions:   Plasma < 5.12.6
  Date:   4 May 2018

  
  Overview
  
  kwallet-pam was doing file writing and permission changing
  as root that with correct timing and use of carefully
  crafted symbolic links could allow a non privileged user
  to become the owner of any file on the system.

  Workaround
  ==
  None (other than not using kwallet-pam)

  Solution
  
  Update to Plasma >= 5.12.6 or Plasma >= 5.13.0

  Or apply the following patches:
  Plasma 5.12
  
https://commits.kde.org/kwallet-pam/2134dec85ce19d6378d03cddfae9e5e464cb24c0
  
https://commits.kde.org/kwallet-pam/01d4143fda5bddb6dca37b23304dc239a5fb38b5

  Plasma 5.8
  
https://commits.kde.org/kwallet-pam/99abc7fde21f40cc6da5feb6ee766cc46fcca1f8
  
https://commits.kde.org/kwallet-pam/802f305d81f8771c4f4a8bd7fd0e368ffc6f9b3b

  
  Credits
  ===
  Thanks to Fabian Vogt for the report and to Albert Astals Cid for the fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kwallet-pam/+bug/1768649/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp

[Group.of.nepali.translators] [Bug 1748247] Re: [CVE] Arbitrary command execution in the removable device notifier

[Rik Mills]

** Changed in: plasma-workspace (Ubuntu Bionic)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1748247

Title:
  [CVE] Arbitrary command execution in the removable device notifier

Status in kde-runtime package in Ubuntu:
  New
Status in plasma-workspace package in Ubuntu:
  Fix Released
Status in kde-runtime source package in Trusty:
  In Progress
Status in plasma-workspace source package in Trusty:
  In Progress
Status in kde-runtime source package in Xenial:
  In Progress
Status in plasma-workspace source package in Xenial:
  In Progress
Status in kde-runtime source package in Artful:
  In Progress
Status in plasma-workspace source package in Artful:
  In Progress
Status in kde-runtime source package in Bionic:
  New
Status in plasma-workspace source package in Bionic:
  Fix Released

Bug description:
  KDE Project Security Advisory
  =

  Title:  Plasma Desktop: Arbitrary command execution in the removable 
device notifier
  Risk Rating:High
  CVE:CVE-2018-6791
  Versions:   Plasma < 5.12.0
  Date:   8 February 2018

  
  Overview
  
  When a vfat thumbdrive which contains `` or $() in its volume label is plugged
  and mounted trough the device notifier, it's interpreted as a shell command,
  leaving a possibility of arbitrary commands execution. an example of offending
  volume label is "$(touch b)" which will create a file called b in the
  home folder.

  Workaround
  ==
  Mount removable devices with Dolphin instead of the device notifier.

  Solution
  
  Update to Plasma >= 5.12.0 or Plasma >= 5.8.9

  Or apply the following patches:
  Plasma 5.8:
  
https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212
  Plasma 5.9/5.10/5.11:
  
https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57

  Credits
  ===
  Thanks to ksieluzyckih for the report and to Marco Martin for the fix.

  Patches for this bug should also contain fixes for CVE-2018-6790:

  KDE Project Security Advisory
  =

  Title:  Plasma: Notifications can expose user IP address
  Risk Rating:Low
  CVE:CVE-2018-6790
  Versions:   Plasma < 5.12.0
  Date:   8 February 2018

  
  Overview
  
  Plasma has support for the Desktop Nofications specification. That 
specification allows
  embedding images in notifications. Plasma was not sanitizing the HTML that 
forms the notification.
  That allowed for notifications to load a remote image leaking the user IP 
address. This is in turn
  made a bit worse by the fact that some chat software doesn't sanitize the 
text they send to the
  notification system either meaning that a third party could send a carefully 
crafted message
  to a chat room and get the IP addresses of the users in that chat room.

  Workaround
  ==
  Disable notifications

  Solution
  
  Update to Plasma >= 5.12.0 or Plasma >= 5.8.9

  Or apply the following patches:
  Plasma 5.8: 
https://cgit.kde.org/plasma-workspace.git/commit/?h=Plasma/5.8=5bc696b5abcdb460c1017592e80b2d7f6ed3107c

  Credits
  ===
  Thanks to David Edmundson for the fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kde-runtime/+bug/1748247/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp

[Group.of.nepali.translators] [Bug 1698180] Re: Send Later with Delay bypasses OpenPGP

[Rik Mills]

** Also affects: kf5-messagelib (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: kf5-messagelib (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1698180

Title:
  Send Later with Delay bypasses OpenPGP

Status in kdepim package in Ubuntu:
  In Progress
Status in kf5-messagelib package in Ubuntu:
  In Progress
Status in kdepim source package in Trusty:
  New
Status in kdepim source package in Xenial:
  New
Status in kdepim source package in Zesty:
  New
Status in kdepim source package in Artful:
  In Progress

Bug description:
  KDE Project Security Advisory
  =

  Title:  KMail: Send Later with Delay bypasses OpenPGP
  Risk Rating:Medium
  CVE:CVE-2017-9604
  Versions:   kmail, messagelib < 5.5.2
  Date:   15 June 2017

  
  Overview
  
  KMail’s Send Later with Delay function bypasses OpenPGP signing and
  encryption, causing the message to be sent unsigned and in plain-text.

  Solution
  
  Update to kmail, messagelib >= 5.5.2 (Released as part of KDE Applications 
17.04.2)

  Or apply the following patches:
   kmail: 
https://commits.kde.org/kmail/78c5552be2f00a4ac25bd77ca39386522fca70a8
  messagelib: 
https://commits.kde.org/messagelib/c54706e990bbd6498e7b1597ec7900bc809e8197

  Credits
  ===
  Thanks to Daniel Aleksandersen for the report and to Laurent Montel for the 
fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kdepim/+bug/1698180/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp

[Group.of.nepali.translators] [Bug 1698180] Re: Send Later with Delay bypasses OpenPGP

[Rik Mills]

** No longer affects: kmail (Ubuntu)

** No longer affects: kmail (Ubuntu Trusty)

** No longer affects: kmail (Ubuntu Xenial)

** No longer affects: kmail (Ubuntu Zesty)

** No longer affects: kmail (Ubuntu Artful)

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1698180

Title:
  Send Later with Delay bypasses OpenPGP

Status in kdepim package in Ubuntu:
  In Progress
Status in kf5-messagelib package in Ubuntu:
  New
Status in kdepim source package in Trusty:
  New
Status in kdepim source package in Xenial:
  New
Status in kdepim source package in Zesty:
  New
Status in kdepim source package in Artful:
  In Progress

Bug description:
  KDE Project Security Advisory
  =

  Title:  KMail: Send Later with Delay bypasses OpenPGP
  Risk Rating:Medium
  CVE:CVE-2017-9604
  Versions:   kmail, messagelib < 5.5.2
  Date:   15 June 2017

  
  Overview
  
  KMail’s Send Later with Delay function bypasses OpenPGP signing and
  encryption, causing the message to be sent unsigned and in plain-text.

  Solution
  
  Update to kmail, messagelib >= 5.5.2 (Released as part of KDE Applications 
17.04.2)

  Or apply the following patches:
   kmail: 
https://commits.kde.org/kmail/78c5552be2f00a4ac25bd77ca39386522fca70a8
  messagelib: 
https://commits.kde.org/messagelib/c54706e990bbd6498e7b1597ec7900bc809e8197

  Credits
  ===
  Thanks to Daniel Aleksandersen for the report and to Laurent Montel for the 
fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kdepim/+bug/1698180/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp

[Group.of.nepali.translators] [Bug 1668871] Re: kio: Information Leak when accessing https when using a malicious PAC file

[Rik Mills]

** Also affects: kde4libs (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: kde4libs (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: kio (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: kde4libs (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: kio (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: kde4libs (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: kio (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: kde4libs (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: kio (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** No longer affects: kio (Ubuntu Trusty)

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1668871

Title:
  kio: Information Leak when accessing https when using a malicious PAC
  file

Status in kde4libs package in Ubuntu:
  New
Status in kio package in Ubuntu:
  New
Status in kde4libs source package in Trusty:
  New
Status in kde4libs source package in Xenial:
  New
Status in kio source package in Xenial:
  New
Status in kde4libs source package in Yakkety:
  New
Status in kio source package in Yakkety:
  New
Status in kde4libs source package in Zesty:
  New
Status in kio source package in Zesty:
  New

Bug description:
  KDE Project Security Advisory
  =

  Title:  kio: Information Leak when accessing https when using a 
malicious PAC file
  Risk Rating:Medium
  CVE:TBC
  Versions:   kio < 5.32, kdelibs < 4.14.30
  Date:   28 February 2017

  
  Overview
  
  Using a malicious PAC file, and then using exfiltration methods in the PAC
  function FindProxyForURL() enables the attacker to expose full https URLs.

  This is a security issue since https URLs may contain sensitive
  information in the URL authentication part (user:password@host), and in the
  path and the query (e.g. access tokens).

  This attack can be carried out remotely (over the LAN) since proxy settings
  allow “Detect Proxy Configuration Automatically”.
  This setting uses WPAD to retrieve the PAC file, and an attacker who has 
access
  to the victim’s LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP)
  and inject his/her own malicious PAC instead of the legitimate one.

  Solution
  
  Update to kio >= 5.32 and kdelibs >= 4.14.30 (when released)

  Or apply the following patches:
  kio: https://commits.kde.org/kio/f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
  kdelibs: 
https://commits.kde.org/kdelibs/1804c2fde7bf4e432c6cf5bb8cce5701c7010559

  Credits
  ===
  Thanks to Safebreach Labs researchers Itzik Kotler, Yonatan Fridburg
  and Amit Klein.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1668871/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp

[Group.of.nepali.translators] [Bug 1655507] Re: CVE-2017-5330 - Ark: unintended execution of scripts and executable files

[Rik Mills]

** Changed in: ark (Ubuntu Zesty)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1655507

Title:
  CVE-2017-5330 - Ark: unintended execution of scripts and executable
  files

Status in ark package in Ubuntu:
  Fix Released
Status in ark source package in Xenial:
  Confirmed
Status in ark source package in Yakkety:
  Confirmed
Status in ark source package in Zesty:
  Fix Released

Bug description:
  KDE Project Security Advisory
  =

  Title:  Ark: unintended execution of scripts and executable files
  Risk Rating:Important
  CVE:CVE-2017-5330
  Versions:   ark >= 15.12
  Author: Elvis Angelaccio 
  Date:   12 January 2017

  Overview
  

  Through a (possibly malicious) tar archive that contains an
  executable shell script or binary, it was possible to execute
  arbitrary code on target machines.
  KRun::runUrl() has a runExecutable argument which defaults to true.
  Ark was using this default value and was also not checking
  whether an extracted file was executable before passing it to the
  runUrl() function.

  Impact
  ==

  An attacker can send legitimate tar archives with executable scripts or
  binaries disguised as normal files (say, with README or LICENSE as filenames).
  The attacker then can trick a user to select those files and click
  the Open button in the Ark toolbar, which triggers the affected code.

  Workaround
  ==

  Don't use the File -> Open functionality of Ark.
  You can still open archives (Archive->Open) and extract them.

  Solution
  

  Update to Ark >= 16.12.1

  For older releases of Ark, apply the following patches:

  Applications/16.08 branch: 
https://commits.kde.org/ark/49ce94df19607e234525afda5ad4190ce35300c3
  Applications/16.04 branch: 
https://commits.kde.org/ark/6b6da3f2e6ac5ca12b46d208d532948c1dbb8776
  Applications/15.12 branch: 
https://commits.kde.org/ark/e2448360eca1b81eb59fffca9584b0fc5fbd8e5b

  Credits
  ===

  Thanks to Fabian Vogt for reporting this issue, Elvis Angelaccio for
  fixing this issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ark/+bug/1655507/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp