ESB-2003.0050 -- KDE Security Advisory -- Multiple vulnerabilities in KDE

Date: 24 January 2003
References: ESB-2003.0051  ESB-2003.0060  


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                  ESB-2003.0050 -- KDE Security Advisory
                      Multiple vulnerabilities in KDE
                              24 January 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                kdebase
                        kdegames
                        kdegraphics
                        kdelibs
                        kdemultimedia
                        kdenetwork
                        kdepim
                        kdesdk
                        kdeutils
Vendor:                 KDE
Operating System:       Linux
                        UNIX
Impact:                 Execute Arbitrary Code/Commands
                        Access Confidential Data
Access Required:        Remote

Comment: CVE Id: CAN-2002-1393

--------------------------BEGIN INCLUDED TEXT--------------------



KDE Security Advisory: Multiple vulnerabilities in KDE
Original Release Date: 2002-12-20
URL: http://www.kde.org/info/security/advisory-20021220-1.txt

0. References

        None.


1. Systems affected:

        All KDE 2 releases and all KDE 3 releases (up to and including 
        KDE 3.0.5).


2. Overview:

        In some instances KDE fails to properly quote parameters of
        instructions passed to a command shell for execution. 

        These parameters may incorporate data such as URLs, filenames and
        e-mail addresses, and this data may be provided remotely to a victim
        in an e-mail, a webpage or files on a network filesystem or other
        untrusted source. 

        By carefully crafting such data an attacker might be able to
        execute arbitrary commands on a vulnerable system using the victim's
        account and privileges.

        The KDE Project is aware of several possible ways to exploit these
        vulnerabilities and is releasing this advisory with patches to
        correct the issues. The patches also provide better safeguards and
        check data from untrusted sources more strictly in multiple places.
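The quoting defect described above, shown as an added C++ example that is not KDE's code: `buildUnquoted` is the vulnerable concatenation pattern, `shellQuote`/`buildQuoted` the single-quote hardening, and `shellWords` a minimal model of POSIX word splitting used only to check where the shell would see a command boundary. All function names and the sample filename are assumptions; the more robust fix is to spawn the child with an argument vector and no shell at all.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Wrap an argument in POSIX single quotes so the shell treats it as one literal
// word. An embedded single quote becomes '\'' (close, escaped quote, reopen).
std::string shellQuote(const std::string &arg) {
    std::string out = "'";
    for (char c : arg) out += (c == '\'') ? std::string("'\\''") : std::string(1, c);
    return out + "'";
}
// Vulnerable pattern from the advisory: untrusted data (a filename, URL or
// e-mail address) concatenated into a command line that is handed to /bin/sh.
std::string buildUnquoted(const std::string &name) { return "gzip -d " + name; }
// Hardened form: the same command with the untrusted word quoted as one token.
std::string buildQuoted(const std::string &name) { return "gzip -d " + shellQuote(name); }

// Minimal model of POSIX shell word splitting, used only as a checker: blanks
// separate words, ';' '|' '&' are operator tokens, a backslash escapes the next
// character, and a single-quoted run is one literal word. No expansion is done.
std::vector<std::string> shellWords(const std::string &cmd) {
    std::vector<std::string> words;
    std::string cur;
    bool inWord = false, inQuote = false, esc = false;
    auto flush = [&] { if (inWord) { words.push_back(cur); cur.clear(); inWord = false; } };
    for (char c : cmd) {
        if (esc) { cur += c; esc = false; }
        else if (inQuote) { if (c == '\'') inQuote = false; else cur += c; }
        else if (c == '\'') { inQuote = true; inWord = true; }
        else if (c == '\\') { esc = true; inWord = true; }
        else if (c == ' ' || c == '\t') flush();
        else if (c == ';' || c == '|' || c == '&') { flush(); words.push_back(std::string(1, c)); }
        else { cur += c; inWord = true; }
    }
    flush();
    return words;
}

// True when the shell would run exactly one simple command: no operator token.
bool runsAsSingleCommand(const std::string &cmd) {
    for (const auto &w : shellWords(cmd))
        if (w == ";" || w == "|" || w == "&") return false;
    return true;
}

int main() {
    const std::string name = "doc.ps; echo oops";  // constructed untrusted filename
    std::printf("unquoted single command: %d\n", runsAsSingleCommand(buildUnquoted(name)));
    std::printf("quoted single command:   %d\n", runsAsSingleCommand(buildQuoted(name)));
}
```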

        
3. Impact:

        The vulnerabilities potentially enable local or remote attackers
        to compromise the privacy of a victim's data and to execute arbitrary
        shell commands with the victim's privileges, such as erasing files or
        accessing or modifying data.


4. Solution:

        The code audit resulted in several fixes which have been applied
        to the KDE 2.2.x and each KDE 3.x branch. 

        All identified problems have been corrected in KDE 3.0.5a. 
        For affected KDE 3.0 systems, we strongly recommend upgrading 
        to this latest stable release. 

        KDE 3.0.5a can be downloaded from

        http://download.kde.org/stable/3.0.5a/

        Please visit the 3.0.5a Info Page (http://www.kde.org/info/3.0.5a.html)
        and your vendor's website for exact package locations and information 
        about available binary packages or updates. 

        For affected KDE 2 systems, a patch for the 2.2.2 source code has
        been made available which fixes these vulnerabilities. Contact your
        OS vendor / binary package provider for information about how to
        obtain updated binary packages.


5. Patches:

        Patches are available for KDE 2.2.2 from the KDE FTP server
        (ftp://ftp.kde.org/pub/kde/security_patches/):


        MD5SUM                            PATCH

        522331e2b47f84956eb2df1fcf89ba17  post-2.2.2-kdebase.diff
        0dbd747882b942465646efe0ba6af802  post-2.2.2-kdegames.diff
        4b9c93acd452d1de2f4f0bca5b05593f  post-2.2.2-kdegraphics.diff
        93a12594d0fb48c7b50bfd4a10a9935d  post-2.2.2-kdelibs.diff
        d1d25b39ee98e340ac3730f7afe54f0c  post-2.2.2-kdemultimedia.diff
        59ac7be4995bed8b119a4e5882e54cff  post-2.2.2-kdenetwork.diff
        0a3ae9eeeceefb2f631a26ec787663a9  post-2.2.2-kdepim.diff
        690c7fdab1bbc743eafac9b06997a03b  post-2.2.2-kdesdk.diff
        8174e328f47e18a8a52b13b34f5c54e5  post-2.2.2-kdeutils.diff


        
6. Timeline and credits:

        11/26/2002      FozZy of the "Hackademy Audit Project" 
                        notified the KDE Security Team 
                        <security@kde.org> about vulnerable code parts.
        11/27/2002      Patches for the initially reported vulnerabilities
                        were applied to KDE CVS.
        11/27/2002      An audit of KDE CVS was started to find more instances
                        of the problematic code sequences. 
        12/06/2002      KDE 3.1 release was delayed because the audit was not
                        yet finished. 
        12/17/2002      Patches for KDE 2.2.2 were created.
        12/20/2002      KDE 3.0.5a tarballs were generated and released. 
        12/21/2002      Public Security Advisory by the KDE Security team. 



--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.
