SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   KDE Vendors:   KDE.org
KDE dcopidlng Unsafe Temporary Files May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1013525
SecurityTracker URL:  http://securitytracker.com/id/1013525
CVE Reference:   CVE-2005-0365   (Links to External Site)
Date:  Mar 23 2005
Impact:   Modification of system information, Modification of user information, Root access via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.3.2 and prior versions
Description:   A vulnerability was reported in KDE in the dcopidlng script. A local user may be able to obtain elevated privileges.

The 'dcop/dcopidlng/dcopidlng' script creates temporary files with a predictable filename based on the process ID. A local user can create a symbolic link (symlink) from a critical file on the system to a filename to be used by KDE as a temporary file. Then, when the affected script is run, the symlinked file will be created or overwritten with the privileges of the target user.

This may allow the local user to gain elevated privileges.

Davide Madrisan reported this vulnerability.

Impact:   A local user may be able to cause files to be modified to obtain elevated privileges.
Solution:   The vendor has issued a fixed version (3.4), available at:

http://www.kde.org/download/

Vendor URL:  www.kde.org/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 23 2005 (Fedora Issues Fix) KDE dcopidlng Unsafe Temporary Files May Let Local Users Gain Elevated Privileges
Fedora has released a fix.



 Source Message Contents

Subject:  insecure temporary file creation in kdelibs 3.3.2


--nextPart2438405.WZZcDvR8QJ
Content-Type: text/plain;
  charset="iso-8859-15"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

The `dcopidlng' script in the KDE library package=20
(kdelibs-3.3.2/dcop/dcopidlng/dcopidlng)
creates temporary files in a unsecure manner.

This bug has been fixed in 32 minutes (!) by Stephan Kulow, the KDE team=20
leader. Here you can found the official patch:
http://bugs.kde.org/show_bug.cgi?id=3D97608

Note: This bug has been find by `autospec', the work-in-progress tool used =
by=20
the QiLinux team to (semi)automatically create specfiles from tarballs and=
=20
update/check rpm packages. It's released under GPL and not QiLinux specific.
The latest release can be found at the URL:
ftp://ftp.qilinux.it/pub/QiLinux/devel/tools/autospec/

#include <best/regards.h>
=2D--
Davide Madrisan
QiLinux Security Team Leader
PGP keyID: 4B72B0B9 fp: 2B79 BFF1 EE33 EE8C 3258 E43C CDA8 EFF3 4B72 B0B9
PGP public key: <http://pgp.mit.edu/>
http://www.qilinux.it

--nextPart2438405.WZZcDvR8QJ
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQBCDGnwzajv80tysLkRAue5AJ9URfELO5YrD4poMJVd2rYF3Y8OFQCfYWgu
Kfp1X4bwxqiEK/hsHfQf//s=
=PARd
-----END PGP SIGNATURE-----

--nextPart2438405.WZZcDvR8QJ--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC