aboutcode-org
diff --git a/‎vulnerabilities/importers/__init__.py‎
Lines changed: 2 additions & 0 deletions b/‎vulnerabilities/importers/__init__.py‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎vulnerabilities/pipelines/v2_importers/kde_importer.py‎
Lines changed: 217 additions & 0 deletions b/‎vulnerabilities/pipelines/v2_importers/kde_importer.py‎
Lines changed: 217 additions & 0 deletions
diff --git a/‎vulnerabilities/tests/test_data/kde/advisory-20030916-1.txt‎
Lines changed: 69 additions & 0 deletions b/‎vulnerabilities/tests/test_data/kde/advisory-20030916-1.txt‎
Lines changed: 69 additions & 0 deletions
diff --git a/‎vulnerabilities/tests/test_data/kde/advisory-20170510-1.txt‎
Lines changed: 31 additions & 0 deletions b/‎vulnerabilities/tests/test_data/kde/advisory-20170510-1.txt‎
Lines changed: 31 additions & 0 deletions
@@ -58,6 +58,7 @@
 from vulnerabilities.pipelines.v2_importers import github_osv_importer as github_osv_importer_v2
 from vulnerabilities.pipelines.v2_importers import gitlab_importer as gitlab_importer_v2
 from vulnerabilities.pipelines.v2_importers import istio_importer as istio_importer_v2
+from vulnerabilities.pipelines.v2_importers import kde_importer as kde_importer_v2
 from vulnerabilities.pipelines.v2_importers import mattermost_importer as mattermost_importer_v2
 from vulnerabilities.pipelines.v2_importers import mozilla_importer as mozilla_importer_v2
 from vulnerabilities.pipelines.v2_importers import nginx_importer as nginx_importer_v2
@@ -99,6 +100,7 @@
         curl_importer_v2.CurlImporterPipeline,
         oss_fuzz_v2.OSSFuzzImporterPipeline,
         istio_importer_v2.IstioImporterPipeline,
+        kde_importer_v2.KDEImporterPipeline,
         postgresql_importer_v2.PostgreSQLImporterPipeline,
         mozilla_importer_v2.MozillaImporterPipeline,
         github_osv_importer_v2.GithubOSVImporterPipeline,
 
@@ -0,0 +1,217 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/aboutcode-org/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+import logging
+import re
+from datetime import datetime
+from datetime import timezone
+from typing import Iterable
+from typing import List
+from typing import Optional
+
+from bs4 import BeautifulSoup
+
+from vulnerabilities.importer import AdvisoryDataV2
+from vulnerabilities.importer import ReferenceV2
+from vulnerabilities.importer import VulnerabilitySeverity
+from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
+from vulnerabilities.severity_systems import SCORING_SYSTEMS
+from vulnerabilities.utils import fetch_response
+
+logger = logging.getLogger(__name__)
+
+KDE_SECURITY_URL = "https://kde.org/info/security/"
+
+
+class KDEImporterPipeline(VulnerableCodeBaseImporterPipelineV2):
+    """Importer for KDE security advisories."""
+
+    pipeline_id = "kde_importer"
+    spdx_license_expression = "CC-BY-SA-4.0"
+    license_url = "https://kde.org/info/security/"
+    repo_url = "https://kde.org/info/security/"
+
+    precedence = 200
+
+    _cached_advisory_urls = None
+
+    @classmethod
+    def steps(cls):
+        return (cls.collect_and_store_advisories,)
+
+    def get_advisory_urls(self) -> List[str]:
+        if self._cached_advisory_urls is not None:
+            return self._cached_advisory_urls
+
+        try:
+            response = fetch_response(KDE_SECURITY_URL)
+            html = response.text
+        except Exception as e:
+            logger.error(f"Failed to fetch KDE security page: {e}")
+            return []
+
+        soup = BeautifulSoup(html, "lxml")
+        advisory_urls = []
+
+        for link in soup.find_all("a", href=True):
+            href = link["href"]
+            if "advisory-" in href and href.endswith(".txt"):
+                if href.startswith("http"):
+                    advisory_urls.append(href)
+                else:
+                    advisory_urls.append(f"https://kde.org{href}")
+
+        self._cached_advisory_urls = advisory_urls
+        return advisory_urls
+
+    def advisories_count(self) -> int:
+        return len(self.get_advisory_urls())
+
+    def collect_advisories(self) -> Iterable[AdvisoryDataV2]:
+        for url in self.get_advisory_urls():
+            try:
+                response = fetch_response(url)
+                advisory = parse_kde_advisory(response.text, url)
+                if advisory:
+                    yield advisory
+            except Exception as e:
+                logger.error(f"Failed to parse advisory {url}: {e}")
+                continue
+
+
+def parse_kde_advisory(advisory_text: str, url: str) -> Optional[AdvisoryDataV2]:
+    """Parse a KDE security advisory and return an AdvisoryDataV2."""
+    if not advisory_text:
+        return None
+
+    title = extract_field(advisory_text, "Title")
+    risk_rating = extract_field(advisory_text, "Risk Rating")
+    cve = extract_field(advisory_text, "CVE")
+    date_str = extract_field(advisory_text, "Date")
+
+    summary = extract_section(advisory_text, "Overview")
+
+    advisory_id = generate_advisory_id(url, cve)
+    if not advisory_id:
+        logger.warning(f"Could not generate advisory ID for {url}")
+        return None
+
+    aliases = parse_cve_ids(cve)
+    if advisory_id in aliases:
+        aliases.remove(advisory_id)
+
+    date_published = parse_date(date_str)
+
+    references = [ReferenceV2(url=url)]
+    for cve_id in aliases:
+        references.append(
+            ReferenceV2(
+                reference_id=cve_id,
+                url=f"https://cve.mitre.org/cgi-bin/cvename.cgi?name={cve_id}",
+            )
+        )
+
+    severities = []
+    if risk_rating:
+        severities.append(
+            VulnerabilitySeverity(
+                system=SCORING_SYSTEMS["generic_textual"],
+                value=risk_rating.strip(),
+                url=url,
+            )
+        )
+
+    return AdvisoryDataV2(
+        advisory_id=advisory_id,
+        aliases=aliases,
+        summary=summary or "",
+        references=references,
+        date_published=date_published,
+        severities=severities,
+        url=url,
+        original_advisory_text=advisory_text,
+    )
+
+
+def extract_field(text: str, field_name: str) -> Optional[str]:
+    """Extract a field value like 'Title: value' from advisory text."""
+    pattern = rf"^{re.escape(field_name)}:\s*(.+?)$"
+    match = re.search(pattern, text, re.MULTILINE | re.IGNORECASE)
+    if match:
+        return match.group(1).strip()
+    return None
+
+
+def extract_section(text: str, section_name: str) -> Optional[str]:
+    """Extract a section like 'Overview\n========\ncontent' from advisory text."""
+    pattern = rf"{re.escape(section_name)}\s*\n=+\s*\n(.*?)(?=\n\w+[^\n]*\n=+|\Z)"
+    match = re.search(pattern, text, re.DOTALL | re.IGNORECASE)
+    if match:
+        content = match.group(1).strip()
+        content = re.sub(r"\n\s*\n", "\n\n", content)
+        return content
+    return None
+
+
+def generate_advisory_id(url: str, cve: Optional[str]) -> Optional[str]:
+    """Generate advisory ID from URL (advisory-YYYYMMDD-N.txt) or fall back to CVE."""
+    match = re.search(r"advisory-(\d{8})-(\d+)\.txt", url)
+    if match:
+        return f"KDE-SA-{match.group(1)}-{match.group(2)}"
+
+    cve_ids = parse_cve_ids(cve)
+    if cve_ids:
+        return cve_ids[0]
+
+    return None
+
+
+def parse_cve_ids(cve_field: Optional[str]) -> List[str]:
+    """Parse CVE IDs from field, including old CAN- format."""
+    if not cve_field:
+        return []
+
+    cve_pattern = r"(CVE-\d{4}-\d+|CAN-\d{4}-\d+)"
+    matches = re.findall(cve_pattern, cve_field, re.IGNORECASE)
+    return [m.upper().replace("CAN-", "CVE-") for m in matches]
+
+
+def parse_date(date_str: Optional[str]) -> Optional[datetime]:
+    """Parse date from various formats used in KDE advisories."""
+    if not date_str:
+        return None
+
+    date_str = date_str.strip()
+
+    formats = [
+        "%Y-%m-%d",
+        "%d %B %Y",
+        "%d/%m/%Y",
+        "%B %d, %Y",
+        "%d %b %Y",
+    ]
+
+    for fmt in formats:
+        try:
+            dt = datetime.strptime(date_str, fmt)
+            return dt.replace(tzinfo=timezone.utc)
+        except ValueError:
+            continue
+
+    try:
+        from dateutil import parser as dateparser
+
+        dt = dateparser.parse(date_str)
+        if dt:
+            return dt.replace(tzinfo=timezone.utc)
+    except Exception:
+        pass
+
+    logger.warning(f"Could not parse date: {date_str}")
+    return None
@@ -0,0 +1,69 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+
+
+KDE Security Advisory: KDM vulnerabilities
+Original Release Date: 2003-09-16
+URL: http://www.kde.org/info/security/advisory-20030916-1.txt
+
+0. References
+       http://cert.uni-stuttgart.de/archive/suse/security/2002/12/msg00101.html
+       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0690
+       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0692
+
+
+1. Systems affected:
+
+        All versions of KDM as distributed with KDE up to and including 
+        KDE 3.1.3.
+
+
+2. Overview:
+
+        Two issues have been discovered in KDM:
+
+            a) CAN-2003-0690:
+               Privilege escalation with specific PAM modules
+            b) CAN-2003-0692:
+               Session cookies generated by KDM are potentially insecure
+
+
+3. Impact:
+
+        If KDM is used in combination with the MIT pam_krb5 module and given
+        a valid username and password of an existing user, the login attempt
+        succeeds and establishes a session with excessive privileges. This
+        may enable a local root compromise of the system. 
+
+        It is possible that the same vulnerability exists if KDM is used 
+        with other PAM modules. At the date of this advisory we are however
+        not aware of any other PAM module being affected by this
+        vulnerability.
+
+        The weak cookie generation may allow non-authorized users to guess
+        the session cookie by a brute force attack, which allows, assuming
+        hostname / IP restrictions can be bypassed, to authorize to the running
+        session and gain full access to it. 
+
+
+4. Solution:
+
+        A patch for KDE 3.1.3 is available from
+        ftp://ftp.kde.org/pub/kde/security_patches : 
+
+        8553c20798b321e333d8c516636f2297  post-3.1.3-kdebase-kdm.patch
+
+
+5. Credits:
+
+        Thanks to the KDE Security Team for handling this issue.
+
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)
+
+iD8DBQE/Z1fBvsXr+iuy1UoRAi02AJ90TqHxCeqzqGJrN3jS7mRSd9u5xQCg6/Do
+LB3tubiwfy8TUy5rL7B8UFY=
+=2tbX
+-----END PGP SIGNATURE-----
@@ -0,0 +1,31 @@
+KDE Project Security Advisory
+=============================
+
+Title:          kauth: Local privilege escalation
+Risk Rating:    High
+CVE:            CVE-2017-8422
+Versions:       kauth < 5.34, kdelibs < 4.14.32
+Date:           10 May 2017
+
+
+Overview
+========
+KAuth contains a logic flaw in which the service invoking dbus
+is not properly checked.
+
+This allows spoofing the identity of the caller and with some
+carefully crafted calls can lead to gaining root from an
+unprivileged account.
+
+Solution
+========
+Update to kauth >= 5.34 and kdelibs >= 4.14.32 (when released)
+
+Or apply the following patches:
+  kauth: https://commits.kde.org/kauth/df875f725293af53399f5146362eb158b4f9216a
+  kdelibs: https://commits.kde.org/kdelibs/264e97625abe2e0334f97de17f6ffb52582888ab
+
+Credits
+=======
+Thanks to Sebastian Krahmer from SUSE for the report and
+to Albert Astals Cid from KDE for the fix.