COMMAND

KDE quoted shell command can be remotely exploited

SYSTEMS AFFECTED

KDE 2.x up to and including KDE 3.0.5

PROBLEM

In Mandrake Linux Security Team [security@linux-mandrake.com] advisory [MDKSA-2003:004]:

KDE fails to properly quote parameters of instructions passed to the shell for execution. These parameters may contain data such as filenames, URLs, email addresses, and so forth; this data may be provided remotely to a victim via email, web pages, files on a network filesystem, or other untrusted sources.

It is possible for arbitrary command execution on a vulnerable system with the privileges of the victim's account.

SOLUTION

Get version 3.0.5a, see

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1393
http://www.kde.org/info/security/advisory-20021220-1.txt
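The quoting failure described under PROBLEM, shown as an added example (not KDE code and not from the advisory): the same untrusted parameter is passed to /bin/sh once unquoted and once as a single quoted word. The function names, the harmless printf command and the sample filename are all constructed for illustration.

```cpp
// Added example, not KDE code: quoting an untrusted parameter before it
// reaches /bin/sh. All names and the sample filename are constructed.
#include <cstdio>
#include <string>

// POSIX single-quote escaping: wrap in '...' and turn each embedded ' into
// '\'' so the shell sees exactly one literal word, whatever it contains.
std::string shell_quote(const std::string& arg) {
    std::string out = "'";
    for (char c : arg) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    out += "'";
    return out;
}

// The flawed pattern the advisory describes: parameter pasted in unquoted.
std::string build_unquoted(const std::string& file) {
    return "printf '[%s]\\n' " + file;
}

// Hardened form: the parameter is quoted as a single shell word.
std::string build_quoted(const std::string& file) {
    return "printf '[%s]\\n' " + shell_quote(file);
}

// Run a command line through /bin/sh and return its standard output.
std::string run_sh(const std::string& cmdline) {
    std::string out;
    FILE* p = popen(cmdline.c_str(), "r");
    if (!p) return out;
    char buf[256];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, p)) > 0) out.append(buf, n);
    pclose(p);
    return out;
}

int main() {
    // Constructed sample: a "filename" carrying a shell metacharacter.
    const std::string file = "notes.txt; echo SECOND-COMMAND-RAN";
    std::printf("unquoted -> %s", run_sh(build_unquoted(file)).c_str());
    std::printf("quoted   -> %s", run_sh(build_quoted(file)).c_str());
    return 0;
}
```

Where the program being launched is known in advance, passing the parameter as a separate argv element to an exec-family call avoids the shell, and the need for quoting, entirely.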