Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Linux :: General :: lnx5897.htm

KDE local and remote command execution
23th Dec 2002 [SBWID-5897]

	KDE local and remote command execution


	All KDE 2 releases and all KDE 3  releases  (up  to  and  including  KDE


	In KDE Security Advisory,  thanks  to  FozZy  of  the  "Hackademy  Audit
	Project" :
	In  some  instances  KDE  fails  to   properly   quote   parameters   of
	instructions passed to a command shell for execution.
	These parameters may  incorporate  data  such  as  URLs,  filenames  and
	e-mail addresses, and this data may be provided remotely to a victim  in
	an e-mail,  a  webpage  or  files  on  a  network  filesystem  or  other
	untrusted source.
	By carefully crafting such data an attacker might  be  able  to  execute
	arbitary commands on a vulnerable sytem using the victim's  account  and
	 Update (24 December 2002)
	Florian Weimer [Weimer@CERT.Uni-Stuttgart.DE] adds :
	another set of problems related to the command line processing  remains:
	At laest in
	a user-supplied password is passed on the command line to a  subprocess.
	The command line is a resource readable by all local users,  and  so  is
	the environment (which the KDE developers  used  after  they  were  told
	about the problem).
	Of course, this problem isn't relevant in most situations (it's  only  a
	problem in  rough  multi-user  environments).  The  other  command  line
	processing bugs are much more severe.


	The code audit resulted in several fixes which have been applied to  the
	KDE 2.2.x and each KDE 3.x branch.
	All identified problems have been corrected in KDE 3.0.5a. For  affected
	KDE 3.0 systems, we strongly recommend upgrading to this  latest  stable
	KDE 3.0.5a can be downloaded from
	Please visit the 3.0.5a Info Page  (
	and your vendor's website for exact package  locations  and  information
	about available binary packages or updates.
	For affected KDE 2 systems, a patch for the 2.2.2 source code  has  been
	made available  which  fixes  these  vulnerabilities.  Contact  your  OS
	vendor / binary package provider for information  about  how  to  obtain
	updated binary packages.
	Patches are available for KDE 2.2.2 from the KDE FTP server :
	MD5SUM                            PATCH
	522331e2b47f84956eb2df1fcf89ba17  post-2.2.2-kdebase.diff
	0dbd747882b942465646efe0ba6af802  post-2.2.2-kdegames.diff
	4b9c93acd452d1de2f4f0bca5b05593f  post-2.2.2-kdegraphics.diff
	93a12594d0fb48c7b50bfd4a10a9935d  post-2.2.2-kdelibs.diff
	d1d25b39ee98e340ac3730f7afe54f0c  post-2.2.2-kdemultimedia.diff
	59ac7be4995bed8b119a4e5882e54cff  post-2.2.2-kdenetwork.diff
	0a3ae9eeeceefb2f631a26ec787663a9  post-2.2.2-kdepim.diff
	690c7fdab1bbc743eafac9b06997a03b  post-2.2.2-kdesdk.diff
	8174e328f47e18a8a52b13b34f5c54e5  post-2.2.2-kdeutils.diff

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH