Bug 23868 - kio-extras new security issue CVE-2018-19120
Summary: kio-extras new security issue CVE-2018-19120
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-11-20 23:51 CET by David Walser
Modified: 2018-12-06 13:11 CET

See Also:
Source RPM: kio-extras-17.12.2-4.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2018-11-20 23:51:48 CET
Fedora has issued an advisory on November 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CWRCGXLPJHM4OFD66BINH2FIMYHRCRKF/

This issue with loading remote content in thumbnailers was fixed upstream in 18.08.3 (I think they just disabled loading remote content).

Upstream advisory from November 12:
https://www.kde.org/info/security/advisory-20181012-1.txt
Comment 1 David GEIGER 2018-11-25 16:07:30 CET
Fixed both Cauldron and mga6!

CC: (none) => geiger.david68210

Comment 2 David Walser 2018-11-25 19:01:50 CET
Advisory:
========================

Updated kio-extras packages fix security vulnerability:

The HTML thumbnailer was incorrectly accessing some content of remote URLs
listed in HTML files. This meant that the owners of the servers referred to in HTML
files on your system could have seen in their access logs your IP address every
time the thumbnailer tried to create the thumbnail (CVE-2018-19120).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19120
https://www.kde.org/info/security/advisory-20181012-1.txt
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CWRCGXLPJHM4OFD66BINH2FIMYHRCRKF/
========================

Updated packages in core/updates_testing:
========================
kio-extras-17.12.2-4.1.mga6
libmolletnetwork17-17.12.2-4.1.mga6
libkioarchive5-17.12.2-4.1.mga6
libkioarchive-devel-17.12.2-4.1.mga6
kio-extras-handbook-17.12.2-4.1.mga6

from kio-extras-17.12.2-4.1.mga6.src.rpm

Assignee: kde => qa-bugs
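
The leak described in the advisory above is a renderer fetching subresources on its own while building a preview; the upstream fix was to stop loading remote content. The following is an added example, not code from kio-extras or Mageia: it parses an HTML file, reports which remote hosts would see a request (and thus the viewer's IP) if the file were rendered with remote loading enabled, and emits a copy with those references removed. The sample markup, the hostnames in it and the `audit_html` helper are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes a renderer may fetch on its own; this is the path by which the thumbnailer leaked.
FETCH_ATTRS = {"img": ("src",), "script": ("src",), "link": ("href",), "iframe": ("src",), "source": ("src",),
               "video": ("src", "poster"), "audio": ("src",), "object": ("data",), "embed": ("src",)}

def is_remote(url):
    """True for absolute http(s) URLs and scheme-relative //host/... URLs."""
    return url.strip().startswith("//") or urlsplit(url.strip()).scheme in ("http", "https")

class RemoteRefAuditor(HTMLParser):
    """Record the remote hosts a render would contact; emit markup with those refs dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.hosts, self.out = [], []

    def _tag(self, tag, attrs, selfclosing):
        kept = []
        for name, value in attrs:
            if value and name in FETCH_ATTRS.get(tag, ()) and is_remote(value):
                self.hosts.append(urlsplit(value.strip() if "://" in value else "http:" + value.strip()).hostname)
                continue  # dropping the attribute is what "no remote content" amounts to
            kept.append((name, value))
        if len(kept) == len(attrs):
            self.out.append(self.get_starttag_text())  # untouched tag: keep the original text
            return
        body = "".join(f' {n}="{v}"' if v is not None else f" {n}" for n, v in kept)
        self.out.append(f"<{tag}{body}{' /' if selfclosing else ''}>")

    def handle_starttag(self, tag, attrs): self._tag(tag, attrs, False)
    def handle_startendtag(self, tag, attrs): self._tag(tag, attrs, True)
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def audit_html(markup):
    """Return (sorted unique remote hosts that would see a fetch, markup with those fetches removed)."""
    p = RemoteRefAuditor()
    p.feed(markup)
    p.close()
    return sorted(set(p.hosts)), "".join(p.out)

# Constructed sample: one local image (harmless) plus two remote subresources.
SAMPLE = ('<html><body><img src="logo.png"><img src="https://tracker.example/pixel.gif?id=1">'
          '<script src="//cdn.example/a.js"></script><p>Hi &amp; bye</p></body></html>')
```

Running `audit_html` over a directory of HTML files shows which third-party hosts a preview-generating process would have contacted; the stripped output is what a thumbnailer that refuses remote content effectively renders.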

Comment 3 Herman Viaene 2018-11-27 11:16:53 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
This seems to be all KDE (Plasma) stuff, but this laptop has no Plasma installed. But at least the update installed cleanly and no harm seems to be done.

CC: (none) => herman.viaene

Comment 4 Lewis Smith 2018-12-02 19:15:04 CET
Wanting to try M6/64...

PRE-update:
 kio-extras-handbook-17.12.2-4.mga6
 kio-extras-17.12.2-4.mga6
I have spent too long trying to raise the handbook, to discover how to invoke the HTML thumbnailer. The files installed by the handbook are very many:
 /usr/share/doc/HTML/[lang]/kioslave5/*        [nothing in kioslave/]
but not directly viewable. Taking 'en' as an example:
 $ pwd
 /usr/share/doc/HTML/en/kioslave5/
 $ tree
...
├── help
│   ├── documentationnotfound
│   │   ├── index.cache.bz2
│   │   └── index.docbook
│   ├── index.cache.bz2
│   └── index.docbook
...
├── thumbnail
│   ├── index.cache.bz2
│   └── index.docbook
...
I think 'thumbnail' is what we want. BTAIM I found no way from the KDE Help system of locating, let alone reading, it. If anybody can point the way, please do. Otherwise I shall go just for a clean update.

CC: (none) => lewyssmith

Comment 5 Lewis Smith 2018-12-04 20:43:13 CET
M6 x64
This thing is crazy. I already have 
 kio-extras-17.12.2-4.mga6 & kio-extras-handbook-17.12.2-4.mga6
Thinking to add at least libmolletnetwork17 & libkioarchive5, these first wanted an obscure dependency, one of:
 1- libmesaegl1-17.3.9-1.mga6.i586: Files for Mesa (EGL libs) (gosod)
 2- x11-driver-video-vboxvideo-5.2.6-1.mga6.i586: The X.org driver for video in VirtualBox guests (gosod)
Not willingly. 32-bit? And no VBox here.
I accepted 1 which led to it wanting to install *82* pkgs. No thanks.

I have already 'tested' a very similar bug using Kmail with HTML messages containing external elements, and that would be the best I could do beyond a clean update of just the two pkgs cited initially.

@ either David: Your view please.

Keywords: (none) => advisory

Comment 6 David Walser 2018-12-04 20:47:20 CET
I would imagine this is used for creating thumbnails in Dolphin if you have it enabled. The urpmi question looks like a bug in the virtualbox package.
Comment 7 Thomas Andrews 2018-12-05 01:52:13 CET
Lewis, libmolletnetwork17-17.12.2-4.1.mga6 and libkioarchive5-17.12.2-4.1.mga6 are the 32-bit libraries, and if you select them it will no doubt seek to bring in many unwanted 32-bit dependencies.

The 64-bit libraries are lib64molletnetwork17-17.12.2-4.1.mga6 and lib64kioarchive5-17.12.2-4.1.mga6, not on the list in Comment 2. Those are the packages you needed to install.

If you installed your Plasma system from the 6.1 Live Plasma iso, the vboxvideo driver is installed, even on real hardware. I don't know why. It doesn't seem to hurt anything, so I've just been leaving it there. I don't *think* it would hurt to remove it, but I don't know.

CC: (none) => andrewsfarm

Comment 8 Thomas Andrews 2018-12-05 02:27:38 CET
Checking before installing anything, and while I have several preview types enabled in Dolphin, html was not among them. But, even after activating html previews, html file previews still did not show.

I updated the following packages:

kio-extras-17.12.2-4.1.mga6
lib64molletnetwork17-17.12.2-4.1.mga6
lib64kioarchive5-17.12.2-4.1.mga6

and then installed kio-extras-handbook-17.12.2-4.1.mga6.

I then went back to Dolphin, and still had all the previews I did before. I did not have any new ones, including html previews.

Looking further, I see the vulnerability discussed at https://bugzilla.redhat.com/show_bug.cgi?id=1649420 where they state "The HTML thumbnailer has been removed in upcoming KDE Applications 18.12.0 because it was actually not creating thumbnails for files at all."

So I guess that I shouldn't be surprised that I'm not seeing any html thumbnails.

This is OK for 64-bit. Validating.

Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 Lewis Smith 2018-12-05 10:44:43 CET
Thanks TJ for doing this, and for reminding me of the obvious question of lib... vs. lib64..., which trap I had completely forgotten. I am too rusty - barking up wrong trees, not even having explored what uses kio-extras:-
 dolphin
 gwenview
 plasma-desktop
My entire c5 is nonsense (probably also c4)!
Comment 10 Thomas Andrews 2018-12-05 16:42:00 CET
After having the QA Repo tool fail on me a few times when I tried a simple copy-and-paste to enter the needed file list, I have learned to look for the lib64 thing almost automatically. You will, too.
Comment 11 Mageia Robot 2018-12-06 13:11:11 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0477.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED