Fwd: KDE Project Security Advisory: Konversation: Crash in IRC message parsing

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Fwd: KDE Project Security Advisory: Konversation: Crash in IRC message parsing

Simon Quigley-3
Fixes for all supported (affected) releases (Trusty-Artful) of Kubuntu
are in ppa:tsimonq2/security-builds and fixes for the packages in
Backports are in ppa:kubuntu-ppa/backports-landing. If you use
Konversation, please test these packages to make sure they work, and
report back by either pinging me on IRC (tsimonq2 in #kubuntu-devel on
freenode) or replying to this email.

If nobody reports back for any specific release, on Tuesday afternoon
(USA time), I'll test the updates myself (and push them and see if the
security team can push the ones from my PPA into the archive), but I
would prefer if people who already have experience with Konversation
would test these packages.

Thanks!

-------- Forwarded Message --------
Subject: KDE Project Security Advisory: Konversation: Crash in IRC
message parsing
Date: Sun, 12 Nov 2017 12:18:05 +0100
From: Albert Astals Cid <[hidden email]>
To: [hidden email]

KDE Project Security Advisory
=============================

Title:          Konversation: Crash in IRC message parsing
Risk Rating:    High
CVE:            CVE-2017-15923
Versions:       konversation <= 1.7.2
Date:           12 November 2017


Overview
========
Konversation has support for colors in IRC messages. Any malicious user
connected to the
same IRC network can send a carefully crafted message that will crash
the Konversation user client.


Workaround
==========
Go to Interface → Colors in the Configure Konversation dialog and
uncheck Allow Colored Text in IRC Messages (near the bottom)

Solution
========
Update to Konversation > 1.7.2

Or apply the following patches:
1.7:
https://cgit.kde.org/konversation.git/commit/?h=1.7&id=34cc9556c1a089fac6b674d3bd6f2248e9512902
1.6:
https://cgit.kde.org/konversation.git/commit/?h=1.6&id=cebf8d7658b0e3afb0292c273704ec4d2ea4019f
1.5:
https://cgit.kde.org/konversation.git/commit/?h=1.5&id=6a7f59ee1b9dbc6e5cf9e5f3b306504d02b73ef0
1.4: the patch for 1.5 will apply, but you should upgrade

Credits
=======
Thanks to Joseph Bisch for the report and to Eli MacKenzie for the fix.

--
kubuntu-devel mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/kubuntu-devel