Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: General :: lnx5897.htm

KDE local and remote command execution



23th Dec 2002 [SBWID-5897]
COMMAND

	KDE local and remote command execution

SYSTEMS AFFECTED

	All KDE 2 releases and all KDE 3  releases  (up  to  and  including  KDE
	3.0.5).

PROBLEM

	In KDE Security Advisory,  thanks  to  FozZy  of  the  "Hackademy  Audit
	Project" :
	
	 http://www.kde.org/info/security/advisory-20021220-1.txt
	
	
	In  some  instances  KDE  fails  to   properly   quote   parameters   of
	instructions passed to a command shell for execution.
	
	These parameters may  incorporate  data  such  as  URLs,  filenames  and
	e-mail addresses, and this data may be provided remotely to a victim  in
	an e-mail,  a  webpage  or  files  on  a  network  filesystem  or  other
	untrusted source.
	
	By carefully crafting such data an attacker might  be  able  to  execute
	arbitary commands on a vulnerable sytem using the victim's  account  and
	privileges.
	
	 Update (24 December 2002)
	 ======
	
	Florian Weimer [Weimer@CERT.Uni-Stuttgart.DE] adds :
	
	another set of problems related to the command line processing  remains:
	At laest in
	
	 kdelibs/kdeprint/management/smbview.cpp, 
	
	a user-supplied password is passed on the command line to a  subprocess.
	The command line is a resource readable by all local users,  and  so  is
	the environment (which the KDE developers  used  after  they  were  told
	about the problem).
	
	Of course, this problem isn't relevant in most situations (it's  only  a
	problem in  rough  multi-user  environments).  The  other  command  line
	processing bugs are much more severe.

SOLUTION

	The code audit resulted in several fixes which have been applied to  the
	KDE 2.2.x and each KDE 3.x branch.
	
	All identified problems have been corrected in KDE 3.0.5a. For  affected
	KDE 3.0 systems, we strongly recommend upgrading to this  latest  stable
	release.
	
	KDE 3.0.5a can be downloaded from
	
	http://download.kde.org/stable/3.0.5a/
	
	Please visit the 3.0.5a Info Page  (http://www.kde.org/info/3.0.5a.html)
	and your vendor's website for exact package  locations  and  information
	about available binary packages or updates.
	
	For affected KDE 2 systems, a patch for the 2.2.2 source code  has  been
	made available  which  fixes  these  vulnerabilities.  Contact  your  OS
	vendor / binary package provider for information  about  how  to  obtain
	updated binary packages.
	
	
	 Patches:
	 ========
	Patches are available for KDE 2.2.2 from the KDE FTP server
	
	 ftp://ftp.kde.org/pub/kde/security_patches/ :
	
	MD5SUM                            PATCH
	
	522331e2b47f84956eb2df1fcf89ba17  post-2.2.2-kdebase.diff
	0dbd747882b942465646efe0ba6af802  post-2.2.2-kdegames.diff
	4b9c93acd452d1de2f4f0bca5b05593f  post-2.2.2-kdegraphics.diff
	93a12594d0fb48c7b50bfd4a10a9935d  post-2.2.2-kdelibs.diff
	d1d25b39ee98e340ac3730f7afe54f0c  post-2.2.2-kdemultimedia.diff
	59ac7be4995bed8b119a4e5882e54cff  post-2.2.2-kdenetwork.diff
	0a3ae9eeeceefb2f631a26ec787663a9  post-2.2.2-kdepim.diff
	690c7fdab1bbc743eafac9b06997a03b  post-2.2.2-kdesdk.diff
	8174e328f47e18a8a52b13b34f5c54e5  post-2.2.2-kdeutils.diff
	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH