KDE dcopidlng Unsafe Temporary Files May Let Local Users Gain Elevated Privileges
|
|
SecurityTracker Alert ID: 1013525
|
|
SecurityTracker URL: http://securitytracker.com/id?1013525
|
|
CVE Reference: CAN-2005-0365
|
Date: Mar 23 2005
|
Impact: Modification of system information, Modification of user information, Root access via local system, User access via local system
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): 3.3.2 and prior versions
|
Description: A vulnerability was reported in the dcopidlng script in KDE. A local user may be able to obtain elevated privileges.
The 'dcop/dcopidlng/dcopidlng' script creates temporary files with a predictable filename based on the process ID. A local user
can create a symbolic link (symlink) at the filename that KDE will use as a temporary file, pointing to a critical file on the system. Then,
when the affected script is run, the symlinked file will be created or overwritten with the privileges of the target user.
This may allow the local user to gain elevated privileges.
Davide Madrisan reported this vulnerability.
|
Impact: A local user may be able to cause files to be modified to obtain elevated privileges.
|
Solution: The vendor has issued a fixed version (3.4), available at:
http://www.kde.org/download/
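The weakness described above, as an added example that is not part of the advisory or of KDE's code: a PID-based temporary filename next to a `mktemp`-based one, each exercised inside a throwaway sandbox directory. The function and file names are hypothetical, and the example assumes a POSIX shell with `mktemp` available.

```shell
#!/bin/sh
# Added example; every name here is hypothetical, not taken from dcopidlng.

# Weak pattern: the name depends only on the PID, so it can be predicted,
# and '>' follows a symlink that already sits at that path.
write_predictable() {   # $1 = temp dir, $2 = data
    tmp="$1/example.$$"
    printf '%s\n' "$2" > "$tmp"
}

# Hardened pattern: mktemp chooses an unpredictable name and creates the
# file exclusively (mode 0600), so a link planted in advance is never used.
write_safe() {          # $1 = temp dir, $2 = data; prints the path used
    tmp=$(mktemp "$1/example.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Self-check in a private sandbox: a link is placed at the predictable name,
# one writer runs, and the function reports whether the link target changed.
demo() {                # $1 = predictable | safe
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/tmp"
    printf 'original\n' > "$sandbox/protected"
    ln -s "$sandbox/protected" "$sandbox/tmp/example.$$"
    case "$1" in
        predictable) write_predictable "$sandbox/tmp" "scratch" ;;
        safe)        write_safe "$sandbox/tmp" "scratch" > /dev/null ;;
    esac
    if [ "$(cat "$sandbox/protected")" = "original" ]; then
        echo intact
    else
        echo clobbered
    fi
    rm -rf "$sandbox"
}
```

`demo predictable` reports `clobbered` and `demo safe` reports `intact`, which makes the pair usable as a regression check for scripts that still build temporary names from `$$`.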
|
Vendor URL: www.kde.org/
|
Cause: Access control error, State error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: Davide Madrisan <davide.madrisan@qilinux.it>
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Fri, 11 Feb 2005 09:16:38 +0100
From: Davide Madrisan <davide.madrisan@qilinux.it>
Subject: insecure temporary file creation in kdelibs 3.3.2
|
The `dcopidlng' script in the KDE library package
(kdelibs-3.3.2/dcop/dcopidlng/dcopidlng)
creates temporary files in an insecure manner.
This bug has been fixed in 32 minutes (!) by Stephan Kulow, the KDE team
leader. Here you can find the official patch:
http://bugs.kde.org/show_bug.cgi?id=97608
Note: This bug has been found by `autospec', the work-in-progress tool used by
the QiLinux team to (semi)automatically create specfiles from tarballs and
update/check rpm packages. It's released under GPL and not QiLinux specific.
The latest release can be found at the URL:
ftp://ftp.qilinux.it/pub/QiLinux/devel/tools/autospec/
#include <best/regards.h>
---
Davide Madrisan
QiLinux Security Team Leader
PGP keyID: 4B72B0B9 fp: 2B79 BFF1 EE33 EE8C 3258 E43C CDA8 EFF3 4B72 B0B9
PGP public key: <http://pgp.mit.edu/>
http://www.qilinux.it