Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200408-13 ] kdebase, kdelibs: Multiple security issues
Date: Thu, 12 Aug 2004 21:16:15
Message-Id: 200408122308.50861.jaervosz@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200408-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: kdebase, kdelibs: Multiple security issues
      Date: August 12, 2004
      Bugs: #60068
        ID: 200408-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

KDE contains three security issues that can allow an attacker to
compromise system accounts, cause a Denial of Service, or spoof
websites via frame injection.

Background
==========

KDE is a powerful Free Software graphical desktop environment for Linux
and Unix-like Operating Systems.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /               Unaffected
    -------------------------------------------------------------------
  1  kde-base/kdebase       < 3.2.3-r1                  >= 3.2.3-r1
  2  kde-base/kdelibs       < 3.2.3-r1                  >= 3.2.3-r1
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

KDE contains three security issues:

* Insecure handling of temporary files when running KDE applications
  outside of the KDE environment

* DCOPServer creates temporary files in an insecure manner

* The Konqueror browser allows websites to load webpages into a
  target frame of any other open frame-based webpage

Impact
======

An attacker could exploit these vulnerabilities to create or overwrite
files with the permissions of another user, compromise the account of
users running a KDE application and insert arbitrary frames into an
otherwise trusted webpage.

Workaround
==========

There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version of kdebase.

Resolution
==========

All KDE users should upgrade to the latest versions of kdelibs and
kdebase:

    # emerge sync

    # emerge -pv ">=kde-base/kdebase-3.2.3-r1"
    # emerge ">=kde-base/kdebase-3.2.3-r1"

    # emerge -pv ">=kde-base/kdelibs-3.2.3-r1"
    # emerge ">=kde-base/kdelibs-3.2.3-r1"

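As an added example (not part of the advisory or of Portage), the following Python check applies the affected-package table above to a set of installed versions and reports which ones still fall in the vulnerable range. It assumes a simplified reading of Gentoo's version format (dotted numeric components plus an optional -rN revision), and the installed versions it runs on are constructed.

```python
"""Flag installed KDE versions against the GLSA 200408-13 ranges.
Added example, not part of the advisory or Portage. Versions are read in a
simplified way: dotted numbers plus optional -rN (no _rc/_pre suffixes)."""
import re

# Package -> first unaffected version, taken from the advisory's table.
FIRST_UNAFFECTED = {
    "kde-base/kdebase": "3.2.3-r1",
    "kde-base/kdelibs": "3.2.3-r1",
}
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")

def parse_version(version):
    """Turn '3.2.3-r1' into ((3, 2, 3), 1); a missing -rN counts as r0."""
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, int(match.group(2) or 0)

def compare_versions(a, b):
    """Return -1, 0 or 1; tuple order gives 3.2 < 3.2.0 and 3.2.3 < 3.2.3-r1."""
    key_a, key_b = parse_version(a), parse_version(b)
    return (key_a > key_b) - (key_a < key_b)

def is_vulnerable(package, installed):
    """True when the installed version is below the first unaffected one."""
    fixed = FIRST_UNAFFECTED.get(package)
    if fixed is None:
        return False  # package not covered by this advisory
    return compare_versions(installed, fixed) < 0

def audit(installed):
    """Return (package, version) pairs still inside the vulnerable range."""
    return [(p, v) for p, v in installed.items() if is_vulnerable(p, v)]

# Constructed sample of installed versions; not taken from a real system.
SAMPLE_INSTALLED = {
    "kde-base/kdebase": "3.2.3",
    "kde-base/kdelibs": "3.2.3-r1",
    "kde-base/kdeedu": "3.2.3",
}

if __name__ == "__main__":
    for pkg, ver in audit(SAMPLE_INSTALLED):
        print(f"{pkg}-{ver} is below {FIRST_UNAFFECTED[pkg]}: upgrade")
```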
References
==========

  [ 1 ] KDE Advisory: Temporary Directory Vulnerability
        http://www.kde.org/info/security/advisory-20040811-1.txt
  [ 2 ] KDE Advisory: DCOPServer Temporary Filename Vulnerability
        http://www.kde.org/info/security/advisory-20040811-2.txt
  [ 3 ] KDE Advisory: Konqueror Frame Injection Vulnerability
        http://www.kde.org/info/security/advisory-20040811-3.txt

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200408-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or, alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0