KDE Security Advisory - The Debian project was alerted that KDE's DCOPServer creates temporary files in an insecure manner. Since the temporary files are used for authentication related purposes this can potentially allow a local attacker to compromise the account of any user which runs a KDE application. Affected are version KDE 3.2.x up to KDE 3.2.3 inclusive.
650cf7c1856dd61b02738370add6ac1637635e590a07b095095cc7e81d599a31
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
KDE Security Advisory: DCOPServer Temporary Filename Vulnerability
Original Release Date: 2004-08-11
URL: http://www.kde.org/info/security/advisory-20040811-2.txt
0. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0690
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=261386
1. Systems affected:
KDE 3.2.x up to KDE 3.2.3 inclusive.
2. Overview:
The Debian project was alerted that KDE's DCOPServer creates
temporary files in an insecure manner. Since the temporary
files are used for authentication related purposes this can
potentially allow a local attacker to compromise the account of
any user which runs a KDE application.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0690 to this issue.
3. Impact:
KDE's DCOPServer creates temporary files in an insecure manner.
Since the temporary files are used for authentication related
purposes this can potentially allow a local attacker to compromise
the account of any user which runs a KDE application.
4. Solution:
Source code patches have been made available which fix these
vulnerabilities. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.
5. Patch:
Patches for KDE 3.2.3 are available from
ftp://ftp.kde.org/pub/kde/security_patches :
0046c691fa833b2ff8d7eac15312a68b post-3.2.3-kdelibs-dcopserver.patch
6. Time line and credits:
25/07/2004 Debian Project alerted by Colin Phipps
26/07/2004 KDE Security team informed by Chris Cheney
26/07/2004 Patch created
27/07/2004 Vendors notified
11/08/2004 Public advisory
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQFBGiosN4pvrENfboIRApSoAJ0S7zbgId9etA3EDrOv5dnFpSUU4wCfd2JK
kHcL+tcXbrH971YcuoEleTQ=
=VHci
-----END PGP SIGNATURE-----