
KDE arbitrary code execution using ghostscript



11th Apr 2003 [SBWID-6136]
COMMAND

	KDE arbitrary code execution using ghostscript

SYSTEMS AFFECTED

	KDE versions 3.1.x prior to 3.1.1a
	KDE versions prior to 3.0.5b
	

PROBLEM

	In KDE Security Advisory
	[http://www.kde.org/info/security/advisory-20030409-1.txt]:
	
	
	KDE uses Ghostscript software for processing of PostScript (PS) and PDF
	files in a way that allows for the execution of arbitrary commands that
	can be contained in such files.
	
	An attacker can prepare a malicious PostScript or PDF file which will
	provide the attacker with access to the victim's account and privileges
	when the victim opens this malicious file for viewing or when the
	victim browses a directory containing such a malicious file and has file
	previews enabled.
	
	An attacker can provide malicious files remotely to a victim in an
	e-mail, as part of a webpage, via an ftp server and possibly other
	means.
	
	The vulnerabilities potentially enable local or remote attackers to
	compromise the privacy of a victim's data and to execute arbitrary
	shell commands with the victim's privileges, such as erasing files or
	accessing or modifying data.

SOLUTION

	Upgrade to latest version.
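
	To find which installations still need the upgrade, the affected ranges listed under SYSTEMS AFFECTED can be checked against an inventory. The following is an added example, not part of the KDE advisory; the ordering of letter-suffixed releases, the treatment of a missing patch level, and the host names and versions in the sample inventory are assumptions constructed for illustration.

```python
import re

# Fixed releases taken from the SYSTEMS AFFECTED section of this advisory:
#   - versions 3.1.x prior to 3.1.1a
#   - versions prior to 3.0.5b
FIXED_3_1 = "3.1.1a"
FIXED_3_0 = "3.0.5b"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?([a-z]?)$")


def parse_kde_version(text):
    """Return (major, minor, patch, suffix) for strings like '3.1' or '3.0.5b'."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised KDE version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    # Assumption: a missing patch level means .0, and a letter suffix sorts
    # after the bare release (3.0.5 < 3.0.5a < 3.0.5b).
    return (int(major), int(minor), int(patch or 0), suffix)


def is_affected(version_text):
    """True if the version falls in one of the two affected ranges."""
    v = parse_kde_version(version_text)
    if v[:2] == (3, 1):
        # 3.1.x branch: affected until 3.1.1a.
        return v < parse_kde_version(FIXED_3_1)
    # Everything else: affected if older than 3.0.5b. Releases newer than
    # the 3.1.x branch compare greater and are reported as not affected.
    return v < parse_kde_version(FIXED_3_0)


def hosts_needing_upgrade(inventory):
    """Return the sorted host names whose KDE version is affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "ws-01": "3.1",
    "ws-02": "3.1.1",
    "ws-03": "3.1.1a",
    "ws-04": "3.0.5a",
    "ws-05": "3.0.5b",
    "ws-06": "2.2.2",
}

if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: KDE {SAMPLE_INVENTORY[host]} is affected, upgrade required")
```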

