Security hole in Popular URL-s

4 views
Skip to first unread message

Karai Csaba

unread,
Oct 27, 2005, 10:27:38 AM10/27/05
to krusade...@googlegroups.com
Hi!

Dirk, can you please place this security hole into the homepage?

The problem was that the Popular URL class saved the passwords in
cleartext into krusaderrc file.

The passwords are saved when:

- entering URL-s like 'protocol://user:password@hostname' into the
panel's URL field.

The passwords are not saved when:
- using the FTP new connection dialog
- using 'protocol://user@hostname' and entering the password later

I've committed a patch which solves that problem, so CVS works fine.

Affected versions: 1.60, 1.70-beta1

The bug is not serious as accessing to the krusaderrc file requires
owner permission.

Bye,

Csaba

Shie Erlich

unread,
Oct 27, 2005, 10:37:58 AM10/27/05
to krusade...@googlegroups.com

agreed, but it's a hole none the less.
thanks csaba!




--
Shie Erlich
Krusader Krew
http://www.krusader.org/

Dirk Eschler

unread,
Oct 27, 2005, 2:36:58 PM10/27/05
to krusade...@googlegroups.com
Hi Csaba,

would posting some news about it be sufficient? If so, feel free to do it
yourself. Just go to the "News" forum and post it like a normal thread. It
will appear on the website automatically.

http://www.krusader.org/phpBB/posting.php?mode=newtopic&f=7

--
Dirk

Frank Schoolmeesters

unread,
Oct 27, 2005, 3:22:32 PM10/27/05
to krusade...@googlegroups.com
Added in the news forum.
http://www.krusader.org/phpBB/viewtopic.php?t=1367

Csaba, can you provide a patch for 1.60.0 ?

Dirk, maybe some edits are needed for the "homepage view" of this news tread :)
http://www.krusader.org/index.php
Feel free to edit the news if you think it's needed :-)

Thanks

Frank

Dirk Eschler

unread,
Oct 27, 2005, 3:33:06 PM10/27/05
to krusade...@googlegroups.com
Frank,

i would have appreciated to wait for Csaba with this and find a proper of
announcing the security hole. There was no reason to rush it.

--
Dirk

Frank Schoolmeesters

unread,
Oct 27, 2005, 3:33:41 PM10/27/05
to krusade...@googlegroups.com
On 10/27/05, Frank Schoolmeesters <frank.scho...@gmail.com> wrote:
> Added in the news forum.
> http://www.krusader.org/phpBB/viewtopic.php?t=1367
>
> Csaba, can you provide a patch for 1.60.0 ?

The next question: will we release 1.60.1 that contains this patch?
Maybe 1.60.1 could contain some additional patches for known issues-problems.

http://www.krusader.org/handbook/getting-krusader.html#version_scheme
The third digit if for bugfixes.

Any opinions?

Frank

Frank Schoolmeesters

unread,
Oct 27, 2005, 3:37:01 PM10/27/05
to krusade...@googlegroups.com
Sorry, i wrong interpreted your previous mail.

Frank

Karai Csaba

unread,
Oct 27, 2005, 3:54:10 PM10/27/05
to krusade...@googlegroups.com
Hi Frank!

Thank's for posting the news. I cannot write better of that.

I attach the patch for 1.60.

Bye,

Csaba
popularurls.cpp.diff

Frank Schoolmeesters

unread,
Oct 27, 2005, 3:59:08 PM10/27/05
to krusade...@googlegroups.com
It's actually your text with some minor edits, so you did the hard work,
including fixing the bug.

Frank

On 10/27/05, Karai Csaba <Csaba...@nokia.com> wrote:
> --- popularurls.cpp 2005-04-08 00:09:04.000000000 +0200
> +++ popularurls.cpp 2005-10-27 21:38:24.000000000 +0200
> @@ -46,7 +46,7 @@
> QValueList<int> rankList;
> UrlNodeP p = head;
> while (p) {
> - urlList << p->url.url();
> + urlList << p->url.prettyURL();
> rankList << p->rank;
> p = p->next;
> }
> @@ -69,7 +69,7 @@
> QValueList<int>::Iterator rit;
> for (uit=urlList.begin(), rit=rankList.begin(); uit!=urlList.end() && rit!=rankList.end(); ++uit, ++rit) {
> UrlNodeP node = new UrlNode;
> - node->url = *uit;
> + node->url = KURL::fromPathOrURL( *uit );
> node->rank = *rit;
> appendNode(node);
> ranks.insert(*uit, node);
>
>
>

Shie Erlich

unread,
Oct 27, 2005, 5:47:55 PM10/27/05
to krusade...@googlegroups.com
since we're so close to releasing 1.70.0, i won't release 1.60.1.
the security risk is not major anyway.

Richard/g

unread,
Oct 27, 2005, 9:07:06 PM10/27/05
to krusade...@googlegroups.com
i think it would be correct to replace 1.60.0 with 1.60.1 and remove
1.60.0. There are still lots of people using and downloading
1.60.0, I think. At least there are lots of distros using it.

Kanotix will probably soon be releasing a new version with 1.60.0-2,
from Debian.

Richard.

Frank Schoolmeesters

unread,
Oct 28, 2005, 6:18:02 AM10/28/05
to krusade...@googlegroups.com
On 10/27/05, Shie Erlich <shie....@gmail.com> wrote:
> since we're so close to releasing 1.70.0, i won't release 1.60.1.
> the security risk is not major anyway.
>

I agree that releasing 1.60.1 is maybe overkill but we need to provide
at least a security patch for 1.60.0 as a download,
since 1.60.0 will be used for several years.
Also by removing 1.60.0 as a download and replace it by 1.60.1 is much
more secure, so long 1.60.0 is available for downlad it will be downloaded,
and some people would not be aware of the security patch.

Usually it will take about 1 year before 1.70.0 will be used by
serveral distro's,
and if you take a lifetime of 5 years, it means that 1.70.0 will be used
somewhere in the world for about 6 years.
Btw. on an old computer i have krusader-1.30 :-)

Also we need to think howto deal with security holes,
maybe some day we will find a major security hole,
when we have a *security hole warning plan*
we can respond much more faster.

On 10/28/05, Richard/g <richar...@gmail.com> wrote:
> i think it would be correct to replace 1.60.0 with 1.60.1 and remove
> 1.60.0. There are still lots of people using and downloading
> 1.60.0, I think. At least there are lots of distros using it.
>
> Kanotix will probably soon be releasing a new version with 1.60.0-2,
> from Debian.
>
> Richard.
>
Debian sid (unstable) is already using 1.60.0-3, Kanotix is a bit behind
btw. 1.60.0-3 does not contain a patch for this issue, it was released
at 2005-09-12.

I have sended a bug report to the Debian Bugtracker system:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=336169
http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=krusader
So 1.60.0-4 or 1.70.0-1 will solve this issue.

Actually we need todo this for several disto's
http://distrowatch.com/search.php?pkg=krusader&pkgver=1.60.0#pkgsearch

Also i think we need to send a message + patch to the krusader-news mailinglist,
it's also intended to inform about security holes,
http://www.krusader.org/handbook/faq_general.html#faqg_mail_list
All package maintainers of krusader should be at least be subscribed to
the krusader-news list,
but it can't hurt to send bugreports to several disto's that offer 1.60.0
since not all packagers are subscribed to the krusader-news list.
Maybe some distro's have a secu...@distro.foo e-mail adress where we
can send this info?
We need think about this, so we have a *security hole warning plan*
for the future.

Any opinions ?

bye,

Frank

Shie Erlich

unread,
Oct 28, 2005, 6:01:27 PM10/28/05
to krusade...@googlegroups.com
On 10/28/05, Frank Schoolmeesters <frank.scho...@gmail.com> wrote:

On 10/27/05, Shie Erlich <shie....@gmail.com> wrote:
> since we're so close to releasing 1.70.0, i won't release 1.60.1.
>  the security risk is not major anyway.
>

I agree that releasing 1.60.1 is maybe overkill but we need to provide
at least a security patch for 1.60.0 as a download,
since 1.60.0 will be used for several years.


ok. then it's settled. we'll release 1.60.1, but it will contains this fix only.
the reason is simple: i don't want to maintain two branches.

i'm currently away from my machine (at my parents' house), so if anyone can open
the tarball, apply csaba's patch, repackage and send to dirk, i'm sure he'll
post it *instead* of 1.60.0. if no one does so, i'll do it myself tomorrow.

Frank Schoolmeesters

unread,
Oct 29, 2005, 7:14:06 AM10/29/05
to krusade...@googlegroups.com
I agree, we don't need or want to maintain 2 branches.

Maybe creating a patch subdir in the 1.60.1 tarball is a nice solution.
so it will contain Csaba's security patch.
If we find a new security problem in the future ( i hope not, but it's
always possible), it's easy to update 1.60.0 to 1.60.x
Just apply all patches of the patch subdir.

Thanks

Frank

Shie Erlich

unread,
Oct 29, 2005, 8:05:38 AM10/29/05
to krusade...@googlegroups.com
On 10/29/05, Frank Schoolmeesters <frank.scho...@gmail.com> wrote:

I agree, we don't need or want to maintain 2 branches.

Maybe creating a patch subdir in the 1.60.1 tarball is a nice solution.
so it will contain Csaba's security patch.
If we find a new security problem in the future ( i hope not, but it's
always possible), it's easy to update 1.60.0 to 1.60.x
Just apply all patches of the patch subdir.


actually, no. if we release a fixed version, it should  have all patches
applied, so that joe user will just compile. he doesn't have to know about patches.

Dirk Eschler

unread,
Oct 29, 2005, 9:28:22 AM10/29/05
to krusade...@googlegroups.com
Where is the version number set? When i set it in configure.in, a new
subdirectory called krusader-1.60.1 is generated on make dist. That can't be
right.

--
Dirk

Frank Schoolmeesters

unread,
Oct 29, 2005, 3:00:06 PM10/29/05
to krusade...@googlegroups.com
On 10/29/05, Shie Erlich <shie....@gmail.com> wrote:
>
>
Actually i wrong expressed myself here,
the patch is applied in the source, so it's a fixed version,
and the patchdir (or rootdir) contains the patch
as documentation about the security problem.
So it's easy to compare the source between
1.60.0 and 1.60.x without cvs.

rpm and deb provides tools to apply patches to the source,
maybe it's possible that ./configure and make can apply patches
before the compilation starts (not shure about this) but for
krusader it is to much work for a small patch.

Frank

Shie Erlich

unread,
Oct 29, 2005, 3:16:38 PM10/29/05
to krusade...@googlegroups.com
in configure.in.in

shie

Dirk Eschler

unread,
Oct 29, 2005, 4:14:36 PM10/29/05
to krusade...@googlegroups.com
Am Samstag, 29. Oktober 2005 21:16 schrieb Shie Erlich:
> in configure.in.in <http://configure.in.in>
>
> shie

Ok, i created the package. Checked it twice to be sure it's fine. Gonna
release it now..

--
Dirk

Dirk Eschler

unread,
Oct 29, 2005, 5:08:20 PM10/29/05
to krusade...@googlegroups.com
Done.

--
Dirk

Shie Erlich

unread,
Oct 29, 2005, 5:41:49 PM10/29/05
to krusade...@googlegroups.com
thanks!
please add a news entry that tells about it.

shie


On 10/29/05, Dirk Eschler <dirk.e...@gmx.net> wrote:

Dirk Eschler

unread,
Oct 29, 2005, 6:08:19 PM10/29/05
to krusade...@googlegroups.com
Am Samstag, 29. Oktober 2005 23:41 schrieb Shie Erlich:
> thanks!
> please add a news entry that tells about it.
>
> shie

It's already there. ;)

--
Dirk

Rafi Yanai

unread,
Oct 30, 2005, 7:42:00 AM10/30/05
to krusade...@googlegroups.com
Great work.

I don't think that this specific security hole is a real threat, but it was a good practice run in case a bigger more serious one is found in the future.
and when ever we'll search "security hole" in gmail - we'll find this thread.

Rafi.

Frank Schoolmeesters

unread,
Oct 30, 2005, 2:58:53 PM10/30/05
to krusade...@googlegroups.com
Great work.

I agree with Rafi here, it was a good practice, many projects
(sometimes IMHO very important applications or libs)
say often "upgrade to latest version" but many end users can't do that,
so they keep using software with a security holes inside, or package
maintainers need to follow the latest events and backport security patches.

Dirk, the deb is available at:
http://users.telenet.be/franks.website/downloads/krusader_1.60.1-sarge1/krusader_1.60.1-sarge1_i386.deb
Please also update klik://krusader-latest

Thanks

Frank

Dirk Eschler

unread,
Oct 30, 2005, 4:26:03 PM10/30/05
to krusade...@googlegroups.com
Am Sonntag, 30. Oktober 2005 20:58 schrieb Frank Schoolmeesters:
> Dirk, the deb is available at:
> http://users.telenet.be/franks.website/downloads/krusader_1.60.1-sarge1/kru
>sader_1.60.1-sarge1_i386.deb Please also update klik://krusader-latest

Done.

--
Dirk

Frank Schoolmeesters

unread,
Oct 30, 2005, 4:43:30 PM10/30/05
to krusade...@googlegroups.com
On 10/30/05, Dirk Eschler <dirk.e...@gmx.net> wrote:
>
Great job!

Thanks

Frank

Frank Schoolmeesters

unread,
Nov 2, 2005, 2:20:12 PM11/2/05
to krusade...@googlegroups.com
1.60.1 is already available in 3 distro's :-)

http://distrowatch.com/search.php?pkg=krusader&pkgver=1.60.1#pkgsearch

• Ark Linux: dockyard
• Lunar Linux: moonbase
• SUSE LINUX: edge

bye,

Frank

On 10/30/05, Rafi Yanai <rafi....@gmail.com> wrote:

Frank Schoolmeesters

unread,
Nov 30, 2005, 4:32:23 AM11/30/05
to krusade...@googlegroups.com
Hi guys,

I have created CVE-2005-3856 for this security issue
at http://www.cve.mitre.org/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3856

It allows that everyone e.g. linux distro's can respond asap
on security vulnerabilities.
I think we should use it every time we find a security
vulnerabilitie in the krusader code.

For more info please take a look at:
http://www.cve.mitre.org/about/

bye,

Frank


On 10/27/05, Karai Csaba <Csaba...@nokia.com> wrote:
>
> Hi!
>
> Dirk, can you please place this security hole into the homepage?
>
> The problem was that the Popular URL class saved the passwords in
> cleartext into krusaderrc file.
>
> The passwords are saved when:
>
> - entering URL-s like 'protocol://user:password@hostname' into the
> panel's URL field.
>
> The passwords are not saved when:
> - using the FTP new connection dialog
> - using 'protocol://user@hostname' and entering the password later
>
> I've committed a patch which solves that problem, so CVS works fine.
>
> Affected versions: 1.60, 1.70-beta1
>
> The bug is not serious as accessing to the krusaderrc file requires
> owner permission.
>
> Bye,
>
> Csaba
>
Reply all
Reply to author
Forward
0 new messages