Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 4 Oct 2020 05:49:10 +0000 (UTC)
From:      "Tobias C. Berner" <tcberner@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r551354 - head/security/vuxml
Message-ID:  <202010040549.0945nAXP039031@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: tcberner
Date: Sun Oct  4 05:49:09 2020
New Revision: 551354
URL: https://svnweb.freebsd.org/changeset/ports/551354

Log:
  vuxml: document deskutils/kdeconnect-kde vulnerability
  
  KDE Project Security Advisory
  =============================
  
  Title:           KDE Connect: packet manipulation can be exploited in a Denial of Service attack
  Risk Rating:     Important
  CVE:             CVE-2020-26164
  Versions:        kdeconnect <= 20.08.1
  Author:          Albert Vaca Cintora <albertvaka@gmail.com>
  Date:            2 October 2020
  
  Overview
  ========
  
  An attacker on your local network could send maliciously crafted packets to other hosts running
  kdeconnect on the network, causing them to use large amounts of CPU, memory or network
  connections, which could be used in a Denial of Service attack within the network.
  
  Impact
  ======
  
  Computers that run kdeconnect are susceptible to DoS attacks from the local network.
  
  Workaround
  ==========
  
  We advise you to stop KDE Connect when on untrusted networks like those on airports or conferences.
  
  Since kdeconnect is dbus activated it is relatively hard to make sure it stays stopped so the brute
  force approach is to uninstall the kdeconnect package from your system and then run
      kquitapp5 kdeconnectd
  Just install the package again once you're back in a trusted network.
  
  Solution
  ========
  
  KDE Connect 20.08.2 patches several code paths that could result in a DoS.
  You can apply these patches on top of 20.08.1:
  https://invent.kde.org/network/kdeconnect-kde/-/commit/f183b5447bad47655c21af87214579f03bf3a163
  https://invent.kde.org/network/kdeconnect-kde/-/commit/b279c52101d3f7cc30a26086d58de0b5f1c547fa
  https://invent.kde.org/network/kdeconnect-kde/-/commit/d35b88c1b25fe13715f9170f18674d476ca9acdc
  https://invent.kde.org/network/kdeconnect-kde/-/commit/b496e66899e5bc9547b6537a7f44ab44dd0aaf38
  https://invent.kde.org/network/kdeconnect-kde/-/commit/5310eae85dbdf92fba30375238a2481f2e34943e
  https://invent.kde.org/network/kdeconnect-kde/-/commit/721ba9faafb79aac73973410ee1dd3624ded97a5
  https://invent.kde.org/network/kdeconnect-kde/-/commit/ae58b9dec49c809b85b5404cee17946116f8a706
  https://invent.kde.org/network/kdeconnect-kde/-/commit/66c768aa9e7fba30b119c8b801efd49ed1270b0a
  https://invent.kde.org/network/kdeconnect-kde/-/commit/85b691e40f525e22ca5cc4ebe79c361d71d7dc05
  https://invent.kde.org/network/kdeconnect-kde/-/commit/48180b46552d40729a36b7431e97bbe2b5379306
  
  Credits
  =======
  
  Thanks Matthias Gerstner and the openSUSE security team for reporting the issue.
  Thanks to Aleix Pol, Nicolas Fella and Albert Vaca Cintora for the patches.
  
  Security:	CVE-2020-26164

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Sun Oct  4 05:47:55 2020	(r551353)
+++ head/security/vuxml/vuln.xml	Sun Oct  4 05:49:09 2020	(r551354)
@@ -58,6 +58,137 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="c71ed065-0600-11eb-8758-e0d55e2a8bf9">
+    <topic>kdeconnect -- packet manipulation can be exploited in a Denial of Service attack</topic>
+    <affects>
+      <package>
+	<name>kdeconnect-kde</name>
+	<range><lt>20.08.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Albert Astals Cid  reports:</p>
+	<blockquote cite="https://kde.org/info/security/advisory-20201002-1.txt">;
+	  <h3>KDE Project Security Advisory</h3>
+	  <table>
+	    <tr>
+	      <td>Title</td>
+	      <td>KDE Connect: packet manipulation can be exploited in a Denial of Service attack</td>
+	    </tr>
+	    <tr>
+	      <td>Risk Rating</td>
+	      <td>Important</td>
+	    </tr>
+	    <tr>
+	      <td>CVE</td>
+	      <td>CVE-2020-26164</td>
+	    </tr>
+	    <tr>
+	      <td>Versions</td>
+	      <td>kdeconnect &lt;= 20.08.1</td>
+	    </tr>
+	    <tr>
+	      <td>Author</td>
+	      <td>Albert Vaca Cintora &lt;albertvaka@gmail.com&gt;</td>
+	    </tr>
+	    <tr>
+	      <td>Date</td>
+	      <td>2 October 2020</td>
+	    </tr>
+	  </table>
+	  <h3>Overview</h3>
+	    <p>
+	      An attacker on your local network could send maliciously crafted
+	      packets to other hosts running kdeconnect on the network, causing
+	      them to use large amounts of CPU, memory or network connections,
+	      which could be used in a Denial of Service attack within the
+	      network.
+	    </p>
+
+	  <h3>Impact</h3>
+	    <p>
+	      Computers that run kdeconnect are susceptible to DoS attacks from
+	      the local network.
+	    </p>
+
+	  <h3>Workaround</h3>
+	    <p>
+	      We advise you to stop KDE Connect when on untrusted networks like
+	      those on airports or conferences.
+	    </p>
+	    <p>
+	      Since kdeconnect is dbus activated it is relatively hard to make
+	      sure it stays stopped so the brute force approach is to uninstall
+	      the kdeconnect package from your system and then run
+	    </p>
+	  <pre>
+	      kquitapp5 kdeconnectd
+	  </pre>
+	  <p>
+	    Just install the package again once you're back in a trusted
+	    network.
+	  </p>
+	  <h3>Solution</h3>
+	  <p>
+	    KDE Connect 20.08.2 patches several code paths that could result
+	    in a DoS.
+	  </p>
+	  <p>You can apply these patches on top of 20.08.1:</p>
+	  <ul>
+	    <li>
+	      https://invent.kde.org/network/kdeconnect-kde/-/commit/f183b5447bad47655c21af87214579f03bf3a163
+	    </li>
+	    <li>
+	      https://invent.kde.org/network/kdeconnect-kde/-/commit/b279c52101d3f7cc30a26086d58de0b5f1c547fa
+	    </li>
+	    <li>
+	      https://invent.kde.org/network/kdeconnect-kde/-/commit/d35b88c1b25fe13715f9170f18674d476ca9acdc
+	    </li>
+	    <li>
+	      https://invent.kde.org/network/kdeconnect-kde/-/commit/b496e66899e5bc9547b6537a7f44ab44dd0aaf38
+	    </li>
+	    <li>
+	      https://invent.kde.org/network/kdeconnect-kde/-/commit/5310eae85dbdf92fba30375238a2481f2e34943e
+	    </li>
+	    <li>
+	      https://invent.kde.org/network/kdeconnect-kde/-/commit/721ba9faafb79aac73973410ee1dd3624ded97a5
+	    </li>
+	    <li>
+	      https://invent.kde.org/network/kdeconnect-kde/-/commit/ae58b9dec49c809b85b5404cee17946116f8a706
+	    </li>
+	    <li>
+	      https://invent.kde.org/network/kdeconnect-kde/-/commit/66c768aa9e7fba30b119c8b801efd49ed1270b0a
+	    </li>
+	    <li>
+	      https://invent.kde.org/network/kdeconnect-kde/-/commit/85b691e40f525e22ca5cc4ebe79c361d71d7dc05
+	    </li>
+	    <li>
+	      https://invent.kde.org/network/kdeconnect-kde/-/commit/48180b46552d40729a36b7431e97bbe2b5379306
+	    </li>
+	  </ul>
+	  <h3>Credits</h3>
+	  <p>
+	    Thanks Matthias Gerstner and the openSUSE security team for
+	    reporting the issue.
+	  </p>
+	  <p>
+	    Thanks to Aleix Pol, Nicolas Fella and Albert Vaca Cintora for the
+	    patches.
+	  </p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://kde.org/info/security/advisory-20201002-1.txt</url>;
+      <cvename>CVE-2020-26164</cvename>
+    </references>
+    <dates>
+      <discovery>2020-10-02</discovery>
+      <entry>2020-10-04</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="a23871f6-059b-11eb-8758-e0d55e2a8bf9">
     <topic>upnp -- denial of service (crash)</topic>
     <affects>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202010040549.0945nAXP039031>