Bugtraq mailing list archives

Security Update: [CSSA-2003-012.0] Linux: KDE rlogin.protocol and telnet.protocol url kio Vulnerability


From: security () sco com
Date: Fri, 14 Mar 2003 15:30:38 -0800

To: bugtraq () securityfocus com, announce () lists caldera com, security-alerts () linuxsecurity com

______________________________________________________________________________

                        SCO Security Advisory

Subject:                Linux: KDE rlogin.protocol and telnet.protocol url kio Vulnerability
Advisory number:        CSSA-2003-012.0
Issue date:             2003 March 14
Cross reference:
______________________________________________________________________________


1. Problem Description

        From the KDE.org 20021111-1 advisory: The implementation of
        the rlogin protocol in all of the affected systems, and the
        implementation of the telnet protocol in affected KDE 2 systems,
        allows a carefully crafted url in an html page, html email or
        other kio-enabled application to execute arbitrary commands on
        the system using the victim's account on the vulnerable machine.


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------

        OpenLinux 3.1.1 Server          prior to kdelibs2-2.2.1-6.3.i386.rpm
                                        prior to kdelibs2-devel-2.2.1-6.3.i386.rpm
                                        prior to kdelibs2-devel-static-2.2.1-6.3.i386.rpm
                                        prior to kdelibs2-doc-2.2.1-6.3.i386.rpm

        OpenLinux 3.1.1 Workstation     prior to kdelibs2-2.2.1-6.3.i386.rpm
                                        prior to kdelibs2-devel-2.2.1-6.3.i386.rpm
                                        prior to kdelibs2-devel-static-2.2.1-6.3.i386.rpm
                                        prior to kdelibs2-doc-2.2.1-6.3.i386.rpm

        OpenLinux 3.1 Server            prior to kdelibs2-2.2.1-6.3.i386.rpm
                                        prior to kdelibs2-devel-2.2.1-6.3.i386.rpm
                                        prior to kdelibs2-devel-static-2.2.1-6.3.i386.rpm
                                        prior to kdelibs2-doc-2.2.1-6.3.i386.rpm

        OpenLinux 3.1 Workstation       prior to kdelibs2-2.2.1-6.3.i386.rpm
                                        prior to kdelibs2-devel-2.2.1-6.3.i386.rpm
                                        prior to kdelibs2-devel-static-2.2.1-6.3.i386.rpm
                                        prior to kdelibs2-doc-2.2.1-6.3.i386.rpm


3. Solution

        The proper solution is to install the latest packages. Many
        customers find it easier to use the Caldera System Updater, called
        cupdate (or kcupdate under the KDE environment), to update these
        packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

        4.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-012.0/RPMS

        4.2 Packages

        8129d823e229783c726199a844318eee        kdelibs2-2.2.1-6.3.i386.rpm
        e631a15683fe15eb297a06e51287bfdd        kdelibs2-devel-2.2.1-6.3.i386.rpm
        76c004779dde39b01b8576ff96c6b137        kdelibs2-devel-static-2.2.1-6.3.i386.rpm
        18e3123ff2f9123c7617ade65748f57f        kdelibs2-doc-2.2.1-6.3.i386.rpm

        4.3 Installation

        rpm -Fvh kdelibs2-2.2.1-6.3.i386.rpm
        rpm -Fvh kdelibs2-devel-2.2.1-6.3.i386.rpm
        rpm -Fvh kdelibs2-devel-static-2.2.1-6.3.i386.rpm
        rpm -Fvh kdelibs2-doc-2.2.1-6.3.i386.rpm

        4.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-012.0/SRPMS

        4.5 Source Packages

        9b04bfe2743d6a4ccf5a8ca50f719189        kdelibs2-2.2.1-6.3.src.rpm


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-012.0/RPMS

        5.2 Packages

        26afc4798aca1790d98e81535a883d0d        kdelibs2-2.2.1-6.3.i386.rpm
        a96af03f963bfd9a7611746054eeb5a4        kdelibs2-devel-2.2.1-6.3.i386.rpm
        8b10782ead46deae8dc51e34851f2118        kdelibs2-devel-static-2.2.1-6.3.i386.rpm
        61818a0d965eaa44142f9461bb0a580f        kdelibs2-doc-2.2.1-6.3.i386.rpm

        5.3 Installation

        rpm -Fvh kdelibs2-2.2.1-6.3.i386.rpm
        rpm -Fvh kdelibs2-devel-2.2.1-6.3.i386.rpm
        rpm -Fvh kdelibs2-devel-static-2.2.1-6.3.i386.rpm
        rpm -Fvh kdelibs2-doc-2.2.1-6.3.i386.rpm

        5.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-012.0/SRPMS

        5.5 Source Packages

        e8a17de26c5fcfd5b44c2aab0e7e1e42        kdelibs2-2.2.1-6.3.src.rpm


6. OpenLinux 3.1 Server

        6.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-012.0/RPMS

        6.2 Packages

        c2bf490ca7443c62c45a0dce907f9943        kdelibs2-2.2.1-6.3.i386.rpm
        0e43fb5811697dbd3d25084b31481b00        kdelibs2-devel-2.2.1-6.3.i386.rpm
        dd14c0db0ec3b7125bafe4e530e90a4a        kdelibs2-devel-static-2.2.1-6.3.i386.rpm
        60b6d0eccef454ecdc238a31a6688a1a        kdelibs2-doc-2.2.1-6.3.i386.rpm

        6.3 Installation

        rpm -Fvh kdelibs2-2.2.1-6.3.i386.rpm
        rpm -Fvh kdelibs2-devel-2.2.1-6.3.i386.rpm
        rpm -Fvh kdelibs2-devel-static-2.2.1-6.3.i386.rpm
        rpm -Fvh kdelibs2-doc-2.2.1-6.3.i386.rpm

        6.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-012.0/SRPMS

        6.5 Source Packages

        43823df287464c1c186607df1cb603db        kdelibs2-2.2.1-6.3.src.rpm


7. OpenLinux 3.1 Workstation

        7.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-012.0/RPMS

        7.2 Packages

        b5e6c49e354b1bf4483fd29f0ecf7a9e        kdelibs2-2.2.1-6.3.i386.rpm
        9c9a8af55257d002e0edbaab4f3ebf67        kdelibs2-devel-2.2.1-6.3.i386.rpm
        be537a8de06e5754e56e1e27ea73ff8f        kdelibs2-devel-static-2.2.1-6.3.i386.rpm
        8b4ff42cd09a6278c8275628e68b31b9        kdelibs2-doc-2.2.1-6.3.i386.rpm

        7.3 Installation

        rpm -Fvh kdelibs2-2.2.1-6.3.i386.rpm
        rpm -Fvh kdelibs2-devel-2.2.1-6.3.i386.rpm
        rpm -Fvh kdelibs2-devel-static-2.2.1-6.3.i386.rpm
        rpm -Fvh kdelibs2-doc-2.2.1-6.3.i386.rpm

        7.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-012.0/SRPMS

        7.5 Source Packages

        928a9ef51baae6b352b343df75e86cb9        kdelibs2-2.2.1-6.3.src.rpm
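        The download, verify and install procedure that sections 4 to 7 spell
        out per product, as an added example that is not part of SCO's
        advisory: a small POSIX shell script that checks each downloaded RPM
        against the MD5 sums published above before handing it to rpm -Fvh,
        and refuses to install anything whose sum does not match. The sum
        list is copied from section 4.2 (OpenLinux 3.1.1 Server); substitute
        the list from 5.2, 6.2 or 7.2 for the other products. The function
        names and the --install switch are this example's own, not SCO's.

```shell
#!/bin/sh
# Added example, not SCO's own tooling: verify RPMs fetched from the
# CSSA-2003-012.0 directory against the advisory's published MD5 sums,
# then install only the ones that match. Assumes the RPMs are in the
# current directory and that md5sum, cut and rpm are on the PATH.

# MD5 sums for OpenLinux 3.1.1 Server, copied from section 4.2 above.
CSSA_2003_012_SUMS='8129d823e229783c726199a844318eee  kdelibs2-2.2.1-6.3.i386.rpm
e631a15683fe15eb297a06e51287bfdd  kdelibs2-devel-2.2.1-6.3.i386.rpm
76c004779dde39b01b8576ff96c6b137  kdelibs2-devel-static-2.2.1-6.3.i386.rpm
18e3123ff2f9123c7617ade65748f57f  kdelibs2-doc-2.2.1-6.3.i386.rpm'

# verify_file FILE EXPECTED_MD5
# Returns 0 when FILE exists and its MD5 equals EXPECTED_MD5, 1 otherwise.
verify_file() {
    file=$1
    expected=$2
    [ -r "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "MD5 MISMATCH: $file (got $actual, expected $expected)" >&2
    return 1
}

# verify_all SUMLIST
# SUMLIST is "<md5>  <filename>" lines as printed in the advisory.
# Returns 0 only if every listed file is present and matches.
verify_all() {
    failed=0
    while read -r sum name; do
        [ -n "$name" ] || continue
        verify_file "$name" "$sum" || failed=1
    done <<EOF
$1
EOF
    return $failed
}

# install_if_verified SUMLIST
# Runs the advisory's "rpm -Fvh <package>" for each listed file, but only
# after the whole list has verified; a single mismatch aborts the install.
install_if_verified() {
    if ! verify_all "$1"; then
        echo "refusing to install: checksum verification failed" >&2
        return 1
    fi
    while read -r sum name; do
        [ -n "$name" ] || continue
        rpm -Fvh "$name" || return 1
    done <<EOF
$1
EOF
}

# Usage: ./verify-cssa-2003-012.sh --install   (run as root, in the download directory)
if [ "${1:-}" = "--install" ]; then
    install_if_verified "$CSSA_2003_012_SUMS"
fi
```

        rpm -Fvh only freshens packages that are already installed, so a
        system without kdelibs2-devel, for instance, is left alone, which is
        why the script installs the full list from the advisory. The advisory
        publishes MD5 sums only; a match confirms the download is the file
        SCO listed, and the ftp mirror path in each Package Location section
        is the source the sums correspond to.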


8. References

        Specific references for this advisory:

                http://www.kde.org/info/security/advisory-20021111-1.txt
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1281
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1282

        SCO security resources:

                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr872190, fz526739,
        erg712167.


9. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers intended
        to promote secure installation and use of SCO products.


10. Acknowledgements

        KDE.org discovered and researched this vulnerability.

______________________________________________________________________________
