Vulnerability: kdesu

Affected: KDE

Description

The following is based on a Caldera Systems Security Advisory. KDE2 comes with a program called kdesu that is used to run certain administration commands under the account of the super user (for instance, every time the KDE control center asks you for the root password, you are actually talking to kdesu). There is a bug in kdesu that allows any user on the system to steal the passwords you enter at the kdesu prompt.

Solution

There is no real workaround for this bug, and the following is _not_ a permanent solution to the problem; it is merely a temporary measure until you have installed the update. As the super user, create directories in /tmp that have the same names as the socket used by kdesu:

    mkdir /tmp/kdesud_UID_0

where UID ranges over all user IDs of users on your system. Note that the trailing 0 is the display number, so if you run several X servers on your machine, you need to repeat the process for display 1, 2, etc. To protect just yourself, the following will do the trick:

    mkdir /tmp/kdesud_`id -u`_0

The proper solution is to upgrade to the fixed packages.

For Caldera Systems (eDesktop 2.4):
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS/
SRPMS/kdebase2-2.0-6.src.rpm
RPMS/kdebase2-2.0-6.i386.rpm
RPMS/kdebase2-opengl-2.0-6.i386.rpm
SRPMS/kdelibs2-2.0-6.src.rpm
RPMS/kdelibs2-2.0-6.i386.rpm
RPMS/kdelibs2-devel-2.0-6.i386.rpm
RPMS/kdelibs2-devel-static-2.0-6.i386.rpm
RPMS/kdelibs2-doc-2.0-6.i386.rpm

For SuSE:
ftp://ftp.suse.com/pub/suse/i386/update/6.1/kpa1/kdesu-0.98-187.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/kpa1/kdesu.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/zq1/kdesu-0.98-187.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/kpa1/kdesu-0.98-187.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/kpa1/kdesu.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/kdesu-0.98-187.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/kpa1/kdesu-0.98-187.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/kpa1/kdesu.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/kdesu-0.98-187.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/kpa1/kdesu-0.98-187.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/kpa1/kdesu.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/kdesu-0.98-187.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/kpa1/kdesu-0.98-187.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/kpa1/kdesu.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/kdesu-0.98-187.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/kpa1/kdesu-0.98-187.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/kpa1/kdesu.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/zq1/kdesu-0.98-187.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/kpa1/kdesu-0.98-187.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/kpa1/kdesu.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/kdesu-0.98-187.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/kpa1/kdesu-0.98-187.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/kpa1/kdesu.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/kdesu-0.98-187.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/7.0/kpa1/kdesu-0.98-187.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/7.0/kpa1/kdesu.rpm
ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/kdesu-0.98-187.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/kpa1/kdesu-0.98-187.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/kpa1/kdesu.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/kdesu-0.98-187.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/kpa1/kdesu-0.98-187.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/kpa1/kdesu.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/kdesu-0.98-187.src.rpm

For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/kdelibs-2.01-6cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/kdebase-2.01-4cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/kdebase-2.01-4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/kdebase-devel-2.01-4cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/kdelibs-2.01-6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/kdelibs-devel-2.01-6cl.i386.rpm

For Linux-Mandrake:

Linux-Mandrake 6.1:
6.1/RPMS/kdesu-0.97-1.1mdk.i586.rpm
6.1/SRPMS/kdesu-0.97-1.1mdk.src.rpm

Linux-Mandrake 7.0:
7.0/RPMS/kcmkdesu-0.98-14.1mdk.i586.rpm
7.0/RPMS/kdesu-0.98-14.1mdk.i586.rpm
7.0/SRPMS/kdesu-0.98-14.1mdk.src.rpm

Linux-Mandrake 7.1:
7.1/RPMS/kcmkdesu-0.98-14.1mdk.i586.rpm
7.1/RPMS/kdesu-0.98-14.1mdk.i586.rpm
7.1/SRPMS/kdesu-0.98-14.1mdk.src.rpm

Linux-Mandrake 7.2:
7.2/RPMS/kdebase-2.0.1-1mdk.i586.rpm
7.2/RPMS/kdebase-devel-2.0.1-1mdk.i586.rpm
7.2/RPMS/kdelibs-2.0.1-2mdk.i586.rpm
7.2/RPMS/kdelibs-devel-2.0.1-2mdk.i586.rpm
7.2/SRPMS/kdebase-2.0.1-1mdk.src.rpm
7.2/SRPMS/kdelibs-2.0.1-2mdk.src.rpm

Corporate Server 1.0.1:
1.0.1/RPMS/kcmkdesu-0.98-14.1mdk.i586.rpm
1.0.1/RPMS/kdesu-0.98-14.1mdk.i586.rpm
1.0.1/SRPMS/kdesu-0.98-14.1mdk.src.rpm
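The temporary workaround above has to be repeated for every local user ID and every X display. The following script, added here as an example and not part of the advisory or of KDE, automates that: it reads user IDs from /etc/passwd and pre-creates the /tmp/kdesud_UID_DISPLAY names as root-owned directories, so that the socket name cannot be created by anyone else before the update is installed. The function name, the warning for pre-existing non-directory entries and the KDESU_TMPDIR override are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): reserve the kdesud socket names
# for every local account and every listed X display until the fixed
# packages are installed.

# reserve_kdesud_paths BASEDIR DISPLAY... : for each uid read from stdin
# (one per line) create BASEDIR/kdesud_<uid>_<display>. Prints the number
# of directories created. BASEDIR is normally /tmp; it is a parameter so
# the function can be exercised in a scratch directory without root.
reserve_kdesud_paths() {
    base=$1; shift
    displays=$*
    count=0
    while read -r uid; do
        for d in $displays; do
            path="$base/kdesud_${uid}_${d}"
            if [ -e "$path" ] && [ ! -d "$path" ]; then
                # A live socket or some other entry already sits here:
                # report it rather than silently skipping it.
                echo "warning: $path exists and is not a directory" >&2
                continue
            fi
            # A directory cannot be replaced by a socket of the same name,
            # and in a sticky /tmp only its owner (root) can remove it.
            mkdir -p "$path" || return 1
            count=$((count + 1))
        done
    done
    echo "$count"
}

# local_uids: print the uid field of every /etc/passwd entry.
local_uids() {
    cut -d: -f3 /etc/passwd
}

# Run as root with the argument "apply" to protect displays :0 and :1;
# KDESU_TMPDIR (assumed name) overrides /tmp for testing.
if [ "$1" = "apply" ]; then
    local_uids | reserve_kdesud_paths "${KDESU_TMPDIR:-/tmp}" 0 1
fi
```

Add further display numbers to the final call if more X servers run on the machine.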