Bug 7999 - kdelibs4 new security issues CVE-2012-4514 and CVE-2012-4515
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal   Severity: critical
URL: http://lwn.net/Vulnerabilities/525443/
Whiteboard: has_procedure mga2-64-OK mga2-32-ok
Keywords: validated_update
Reported: 2012-11-06 19:14 CET by David Walser
Modified: 2013-02-16 20:29 CET (History)
Source RPM: kdelibs4
Description David Walser 2012-11-06 19:14:54 CET
Red Hat has issued an advisory on October 30:
https://rhn.redhat.com/errata/RHSA-2012-1416.html

It is unclear which versions are affected.

Nicolas has also checked in a patch to Mageia 2 SVN for CVE-2012-4515.
Comment 1 David Walser 2012-11-16 19:20:47 CET
Fedora has issued an advisory on November 1:
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092451.html

This adds CVE-2012-4514 and CVE-2012-4515.
Comment 2 David Walser 2012-11-16 19:21:01 CET
(In reply to comment #1)
> Fedora has issued an advisory on November 1:
> http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092451.html
> 
> This adds CVE-2012-4514 and CVE-2012-4515.

from http://lwn.net/Vulnerabilities/525443/
Comment 3 David Walser 2012-11-30 17:44:15 CET
openSUSE has issued an advisory for these on November 28:
http://lists.opensuse.org/opensuse-updates/2012-11/msg00088.html
Comment 4 David Walser 2013-01-03 15:17:29 CET
I'm assuming these issues no longer affect the version in Cauldron.

Mageia 1 is EOL.
Comment 5 David Walser 2013-02-06 23:31:03 CET
Nicolas has fixed CVE-2012-4514 in Mageia 2 SVN.
Comment 6 David Walser 2013-02-07 00:03:01 CET
Nicolas said CVE-2012-4512 was fixed in the 4.8.5 update.

He's investigating the status of CVE-2012-4513 now.
Comment 7 David Walser 2013-02-13 00:29:14 CET
The code in 4.8 is completely different, but the PoC in the attachment:
http://seclists.org/oss-sec/2012/q4/171

does not crash Konqueror, so we're not vulnerable to CVE-2012-4513.

Changing the bug URL since we're not vulnerable to the ones from the original report (although Mageia 1 is):
http://lwn.net/Vulnerabilities/522155/

Seeing as we have a patched package built that fixes CVE-2012-451[45], this is ready for QA.

Advisory:
========================

Updated kdelibs4 packages fix security vulnerabilities:

rendering/render_replaced.cpp in Konqueror in KDE before 4.9.3 allows remote
attackers to cause a denial of service (NULL pointer dereference) via a
crafted web page, related to "trying to reuse a frame with a null part"
(CVE-2012-4514).

Use-after-free vulnerability in khtml/rendering/render_replaced.cpp in
Konqueror in KDE 4.7.3, when the context menu is shown, allows remote
attackers to cause a denial of service (crash) and possibly execute
arbitrary code by accessing an iframe when it is being updated
(CVE-2012-4515).

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4514
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4515
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092451.html
========================

Updated packages in core/updates_testing:
========================
kdelibs4-core-4.8.5-1.6.mga2
kdelibs4-devel-4.8.5-1.6.mga2
kdelibs4-handbooks-4.8.5-1.6.mga2
libkcmutils4-4.8.5-1.6.mga2
libkde3support4-4.8.5-1.6.mga2
libkdeclarative5-4.8.5-1.6.mga2
libkdecore5-4.8.5-1.6.mga2
libkdefakes5-4.8.5-1.6.mga2
libkdesu5-4.8.5-1.6.mga2
libkdeui5-4.8.5-1.6.mga2
libkdewebkit5-4.8.5-1.6.mga2
libkdnssd4-4.8.5-1.6.mga2
libkemoticons4-4.8.5-1.6.mga2
libkfile4-4.8.5-1.6.mga2
libkhtml5-4.8.5-1.6.mga2
libkidletime4-4.8.5-1.6.mga2
libkimproxy4-4.8.5-1.6.mga2
libkio5-4.8.5-1.6.mga2
libkjs4-4.8.5-1.6.mga2
libkjsapi4-4.8.5-1.6.mga2
libkjsembed4-4.8.5-1.6.mga2
libkmediaplayer4-4.8.5-1.6.mga2
libknewstuff2_4-4.8.5-1.6.mga2
libknewstuff3_4-4.8.5-1.6.mga2
libknotifyconfig4-4.8.5-1.6.mga2
libkntlm4-4.8.5-1.6.mga2
libkparts4-4.8.5-1.6.mga2
libkprintutils4-4.8.5-1.6.mga2
libkpty4-4.8.5-1.6.mga2
libkrosscore4-4.8.5-1.6.mga2
libkrossui4-4.8.5-1.6.mga2
libktexteditor4-4.8.5-1.6.mga2
libkunitconversion4-4.8.5-1.6.mga2
libkunittest4-4.8.5-1.6.mga2
libkutils4-4.8.5-1.6.mga2
libnepomuk4-4.8.5-1.6.mga2
libnepomukquery4-4.8.5-1.6.mga2
libnepomukutils4-4.8.5-1.6.mga2
libplasma3-4.8.5-1.6.mga2
libsolid4-4.8.5-1.6.mga2
libthreadweaver4-4.8.5-1.6.mga2

from kdelibs4-4.8.5-1.6.mga2.src.rpm
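Added here as a worked example, not part of the bug report or of Mageia's own QA tooling: a small Python audit that tells you whether a system carries the fixed kdelibs4 build. The package names and the fixed version 4.8.5-1.6.mga2 are taken from the advisory in comment 7; the installed inventory is a constructed sample standing in for `rpm -qa` output (its versions are made up for the example), and `rpmvercmp` is a reimplementation of librpm's comparison rules, not a call into rpm. The point worth seeing is that a plain string comparison gets release strings wrong (1.10 versus 1.9, or a 1.6~rc1 pre-release), so the check compares epoch, version and release segment by segment.

```python
import re

# Packages and version published in the advisory (comment 7); everything
# built from kdelibs4-4.8.5-1.6.mga2.src.rpm carries the same EVR.
FIXED_EVR = ("0", "4.8.5", "1.6.mga2")
FIXED_PACKAGES = set("""
kdelibs4-core kdelibs4-devel kdelibs4-handbooks libkcmutils4 libkde3support4
libkdeclarative5 libkdecore5 libkdefakes5 libkdesu5 libkdeui5 libkdewebkit5
libkdnssd4 libkemoticons4 libkfile4 libkhtml5 libkidletime4 libkimproxy4 libkio5
libkjs4 libkjsapi4 libkjsembed4 libkmediaplayer4 libknewstuff2_4 libknewstuff3_4
libknotifyconfig4 libkntlm4 libkparts4 libkprintutils4 libkpty4 libkrosscore4
libkrossui4 libktexteditor4 libkunitconversion4 libkunittest4 libkutils4
libnepomuk4 libnepomukquery4 libnepomukutils4 libplasma3 libsolid4 libthreadweaver4
""".split())

# Constructed sample standing in for `rpm -qa` output on a Mageia 2 box.
# The versions are made up for the example (assumption, not real data).
INSTALLED = """
kdelibs4-core-4.8.5-1.5.mga2
libkhtml5-4.8.5-1.6.mga2
libkdecore5-4.8.5-1.6.mga2
libkio5-4.8.5-1.7.mga2
libkjs4-4.8.5-1.6~rc1.mga2
konqueror-4.8.5-1.mga2
""".split()

_NUM = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")


def _is_token(ch):
    # rpm treats ASCII letters, digits and '~' as significant; anything else
    # (dots, underscores, dashes, ...) is a separator.
    return ch.isascii() and (ch.isalnum() or ch == "~")


def rpmvercmp(a, b):
    """Reimplementation of librpm's rpmvercmp(); returns 1, 0 or -1.
    Strings are walked as alternating runs of digits and letters: digit runs
    compare as integers, letter runs as strings, a digit run outranks a letter
    run, '~' sorts before anything (pre-release), and when one side runs out
    the side with characters left wins. The '^' marker of newer rpm releases
    is not handled here."""
    if a == b:
        return 0
    i = j = 0
    while True:
        while i < len(a) and not _is_token(a[i]):
            i += 1
        while j < len(b) and not _is_token(b[j]):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1          # b is a pre-release of something a is past
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        pat = _NUM if a[i].isdigit() else _ALPHA
        ma, mb = pat.match(a, i), pat.match(b, j)
        if mb is None:                # segments differ in type: numeric wins
            return 1 if pat is _NUM else -1
        sa, sb = ma.group(), mb.group()
        i, j = ma.end(), mb.end()
        if pat is _NUM:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):    # more digits means a larger integer
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def compare_evr(x, y):
    """Compare (epoch, version, release) tuples, most significant first."""
    for sx, sy in zip(x, y):
        c = rpmvercmp(sx, sy)
        if c:
            return c
    return 0


def parse_nevr(nevr):
    """Split 'name-[epoch:]version-release' as printed by rpm -qa into
    (name, epoch, version, release); epoch defaults to '0' when absent."""
    name, version, release = nevr.rsplit("-", 2)
    epoch = "0"
    if ":" in version:
        epoch, version = version.split(":", 1)
    return name, epoch, version, release


def audit(inventory):
    """Map each installed package from the advisory's list to 'fixed' when its
    EVR is at least FIXED_EVR, else 'VULNERABLE'. Packages that are not
    installed are omitted (nothing to patch); unrelated packages are ignored."""
    result = {}
    for nevr in inventory:
        name, epoch, version, release = parse_nevr(nevr)
        if name not in FIXED_PACKAGES:
            continue
        ok = compare_evr((epoch, version, release), FIXED_EVR) >= 0
        result[name] = "fixed" if ok else "VULNERABLE"
    return result


if __name__ == "__main__":
    for name, status in sorted(audit(INSTALLED).items()):
        print(f"{name:24s} {status}")
```

On a real host, feed `rpm -qa` output into `audit()` in place of the constructed `INSTALLED` list; only the names in the advisory are checked, so a box without, say, libplasma3 installed simply does not report it.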
Comment 8 David Walser 2013-02-13 00:45:37 CET
For Mageia 1, strangely enough, the patch to fix CVE-2012-4512 upstream is exactly the same as the patch to fix CVE-2010-0046 already in the package.

Patches for CVE-2012-451[3-5] checked into Mageia 1 SVN.
Comment 9 claire robinson 2013-02-13 11:07:14 CET
Adding dglent in CC as he reported CVE-2012-4514 upstream.

Dimitrios do you still get the crash? If so could you please test with these new rpms in core/updates_testing and see if it cures it.

Thanks!
Comment 10 claire robinson 2013-02-13 11:31:47 CET
Possible PoCs for CVE-2012-4514 are listed here:
https://bugs.kde.org/show_bug.cgi?id=271528

Tried with samba-swat and the nas login page. I've been unable to reproduce on x86_64.

DGlent, your bug was this one: https://bugs.kde.org/show_bug.cgi?id=280912, which is the first duplicate.
Comment 11 claire robinson 2013-02-13 11:50:41 CET
No PoCs for CVE-2012-4515.

Testing mga2 64

Just checking kde apps like konqueror work ok with the update.
Comment 12 claire robinson 2013-02-13 12:08:49 CET
konqueror, quassel, konversation, digikam, kruler, dragon player, gwenview all OK.

Testing complete mga2 64
Comment 13 Carolyn Rowse 2013-02-13 22:22:32 CET
Checked some KDE apps work in 32-bit with the update:

Konversation, Konsole, KCalc, KTimer, Gwenview, Okular, KWrite seem fine.

Carolyn
Comment 14 claire robinson 2013-02-14 10:29:01 CET
Thanks Carolyn

Validating

SRPM & advisory in comment 7

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 15 Dimitrios Glentadakis 2013-02-16 11:39:07 CET
(In reply to comment #9)
> Adding dglent in CC as he reported cve-2012-4514 upstream
> 
> Dimitrios do you still get the crash? If so could you please test with these
> new rpms in core/updates_testing and see if it cures it.
> 
> Thanks!

No, I don't have the crash any more.

Thanks
Comment 16 Thomas Backlund 2013-02-16 20:29:22 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0054
