Bugtraq mailing list archives
Re: KDE Security Advisory: Multiple vulnerabilities in KDE
From: Florian Weimer <Weimer () CERT Uni-Stuttgart DE>
Date: Mon, 23 Dec 2002 19:40:37 +0100
fozzy () dmpfrance com writes:
> A bit like most MS Internet Explorer bugs BTW... ;-)
It's exactly the same. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-015.asp
> After I found out some of these problems, the KDE Security Team has done a good job in finding and fixing all the potentially vulnerable instances of code. This is a major fix, so consider upgrading soon!
However, another set of problems related to the command line processing remains: At least in kdelibs/kdeprint/management/smbview.cpp, a user-supplied password is passed on the command line to a subprocess. The command line is a resource readable by all local users, and so is the environment (which the KDE developers used after they were told about the problem).

Of course, this problem isn't relevant in most situations (it's only a problem in rough multi-user environments). The other command line processing bugs are much more severe.

-- 
Florian Weimer                    Weimer () CERT Uni-Stuttgart DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898
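The command-line exposure described in the message above, as an added example that is not part of the original post and is not KDE code: it starts a helper with a secret in argv and again with the secret sent over a socket to the helper's stdin, then checks whether the helper's command line reveals it. It assumes Linux (`/proc/<pid>/cmdline`) and `/bin/sh`; the helper one-liner, the function names and the secret value are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if needle appears in the world-readable command line of pid, 0 if not, -1 on error. */
static int cmdline_contains(pid_t pid, const char *needle) {
    char path[64], buf[4096];
    snprintf(path, sizeof path, "/proc/%d/cmdline", (int)pid);   /* Linux-specific */
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    for (size_t i = 0; i < n; i++) if (buf[i] == '\0') buf[i] = ' ';  /* args are NUL-separated */
    buf[n] = '\0';
    return strstr(buf, needle) != NULL;
}

/* Run a stand-in helper (hypothetical shell one-liner) that receives the secret
 * in argv (via_argv=1) or on stdin (via_argv=0), and report whether the running
 * helper's command line exposes it. */
int secret_visible(int via_argv, const char *secret) {
    int sv[2], seen = -1;
    char ready[8];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                        /* child: the socket becomes stdin and stdout */
        dup2(sv[1], 0); dup2(sv[1], 1);
        close(sv[0]); close(sv[1]);
        const char *script = via_argv ? "echo ready; read -r x" : "read -r pw; echo ready; read -r x";
        execl("/bin/sh", "sh", "-c", script, "helper", via_argv ? secret : (char *)NULL, (char *)NULL);
        _exit(127);
    }
    close(sv[1]);
    if (!via_argv) { send(sv[0], secret, strlen(secret), MSG_NOSIGNAL); send(sv[0], "\n", 1, MSG_NOSIGNAL); }
    if (read(sv[0], ready, sizeof ready) > 0)   /* helper has exec'd and now holds the secret */
        seen = cmdline_contains(pid, secret);
    close(sv[0]);                               /* EOF on stdin lets the helper exit */
    waitpid(pid, NULL, 0);
    return seen;
}

int main(void) {
    const char *pw = "s3cr3t-constructed";      /* constructed sample value */
    printf("argv: %d  stdin: %d\n", secret_visible(1, pw), secret_visible(0, pw));
    return 0;
}
```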