Fwd: KDE Project Security Advisory: Konversation: Crash in IRC message parsing

Simon Quigley tsimonq2 at kubuntu.org
Sun Nov 12 21:40:50 UTC 2017


Fixes for all supported (affected) releases (Trusty-Artful) of Kubuntu
are in ppa:tsimonq2/security-builds and fixes for the packages in
Backports are in ppa:kubuntu-ppa/backports-landing. If you use
Konversation, please test these packages to make sure they work, and
report back by either pinging me on IRC (tsimonq2 in #kubuntu-devel on
freenode) or replying to this email.

If nobody reports back for any specific release, on Tuesday afternoon
(USA time), I'll test the updates myself (and push them and see if the
security team can push the ones from my PPA into the archive), but I
would prefer if people who already have experience with Konversation
would test these packages.

Thanks!

-------- Forwarded Message --------
Subject: KDE Project Security Advisory: Konversation: Crash in IRC message parsing
Date: Sun, 12 Nov 2017 12:18:05 +0100
From: Albert Astals Cid <aacid at kde.org>
To: kde-announce at kde.org

KDE Project Security Advisory
=============================

Title:          Konversation: Crash in IRC message parsing
Risk Rating:    High
CVE:            CVE-2017-15923
Versions:       konversation <= 1.7.2
Date:           12 November 2017


Overview
========
Konversation has support for colors in IRC messages. Any malicious user
connected to the same IRC network can send a carefully crafted message
that will crash the Konversation user client.


Workaround
==========
Go to Interface → Colors in the Configure Konversation dialog and
uncheck Allow Colored Text in IRC Messages (near the bottom).

Solution
========
Update to Konversation > 1.7.2

Or apply the following patches:
1.7:
https://cgit.kde.org/konversation.git/commit/?h=1.7&id=34cc9556c1a089fac6b674d3bd6f2248e9512902
1.6:
https://cgit.kde.org/konversation.git/commit/?h=1.6&id=cebf8d7658b0e3afb0292c273704ec4d2ea4019f
1.5:
https://cgit.kde.org/konversation.git/commit/?h=1.5&id=6a7f59ee1b9dbc6e5cf9e5f3b306504d02b73ef0
1.4: the patch for 1.5 will apply, but you should upgrade

Credits
=======
Thanks to Joseph Bisch for the report and to Eli MacKenzie for the fix.


