[Please upgrade KDE on all platforms -- Raju]

This is an RFC 1153 digest.
(1 message)
----------------------------------------------------------------------
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Message-Id: <[EMAIL PROTECTED]>
From: Dirk Mueller <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: bugtraq@securityfocus.com
Subject: [KDE Security Advisory]: Kommander untrusted code execution
Date: Fri, 22 Apr 2005 02:03:21 +0200

KDE Security Advisory: Kommander untrusted code execution
Original Release Date: 2005-04-20
URL: http://www.kde.org/info/security/advisory-20050420-1.txt

0. References

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0754

1. Systems affected:

        Quanta 3.1.x, KDE 3.2 and newer, up to and including KDE 3.4.0.

2. Overview:

        Kommander is a visual editor and interpreter to edit and
        interpret visual dialogs and execute scripts attached to
        dialog actions. Kommander executes data files from possibly
        untrusted locations without user confirmation. As they
        contain scripts, the user might accidentally run arbitrary
        code.

3. Impact:

        Remotely supplied Kommander files from untrusted sources are
        executed without confirmation.

4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package
        provider for information about how to obtain updated binary
        packages.

5. Patch:

        A patch for KDE 3.4.0 is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        c388b21d91c8326fc9757cd8786713db  post-3.4.0-kdewebdev-kommander.diff

        A patch for KDE 3.3.2 is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        d210c07121c1ba3a97660a6e166738e6  post-3.3.2-kdewebdev-kommander.diff

6. Time line and credits:

        13/03/2005 Notification of KDE security by Eckhart Wörner
        20/04/2005 Public Disclosure

------------------------------

End of this Digest
******************

--
Raj Mathur [EMAIL PROTECTED] http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
It is the mind that moves

_______________________________________________
ilugd mailinglist -- ilugd@lists.linux-delhi.org
http://frodo.hserus.net/mailman/listinfo/ilugd
Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi
http://www.mail-archive.com/ilugd@lists.linux-delhi.org/