KDE dcopidlng Unsafe Temporary Files May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1013525
SecurityTracker URL: http://securitytracker.com/id/1013525
Date: Mar 23 2005
Modification of system information, Modification of user information, Root access via local system, User access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 3.3.2 and prior versions
A vulnerability was reported in KDE in the dcopidlng script. A local user may be able to obtain elevated privileges.
The 'dcop/dcopidlng/dcopidlng' script creates temporary files with a predictable filename based on the process ID. A local user can create a symbolic link (symlink) from a critical file on the system to a filename to be used by KDE as a temporary file. Then, when the affected script is run, the symlinked file will be created or overwritten with the privileges of the target user.
This may allow the local user to gain elevated privileges.
Davide Madrisan reported this vulnerability.
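The weak pattern described above beside a hardened one, as an added example that is not the dcopidlng source or KDE's patch. The function names, file names and sandbox layout are hypothetical, and `mktemp` is assumed to be available.

```shell
#!/bin/sh
# Added illustration; not the dcopidlng source. All names are hypothetical.

# Weak pattern: the name is derived from the PID ($$), so it can be guessed in
# advance, and '>' follows a symlink that already sits at that path.
write_predictable() {   # $1 = directory, $2 = text
    tmp="$1/demo.stderr.$$"
    printf '%s\n' "$2" > "$tmp"
}

# Hardened pattern: mktemp picks an unpredictable name and creates the file
# exclusively with mode 0600, so a pre-existing link is never opened.
write_private() {       # $1 = directory, $2 = text; prints the path used
    tmp=$(mktemp "$1/demo.stderr.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Constructed demonstration, confined to a private sandbox directory.
# Prints "<victim content after weak write>|<victim content after safe write>".
demo() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/tmp"
    printf 'original\n' > "$sandbox/victim"
    # A link already present at the predictable name (constructed condition).
    ln -s "$sandbox/victim" "$sandbox/tmp/demo.stderr.$$"

    write_predictable "$sandbox/tmp" "tool output"
    after_weak=$(cat "$sandbox/victim")     # replaced through the link

    printf 'original\n' > "$sandbox/victim"
    write_private "$sandbox/tmp" "tool output" > /dev/null || return 1
    after_safe=$(cat "$sandbox/victim")     # untouched

    rm -rf "$sandbox"
    printf '%s|%s\n' "$after_weak" "$after_safe"
}

demo
```

For scripts that need several scratch files, creating one private directory with `mktemp -d` and removing it in a `trap` gives the same guarantee for every file inside it.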
A local user may be able to cause files to be modified to obtain elevated privileges.
The vendor has issued a fixed version (3.4), available at:
Vendor URL: www.kde.org/
Access control error, State error
Underlying OS: Linux (Any), UNIX (Any)
Source Message Contents
Subject: insecure temporary file creation in kdelibs 3.3.2
The `dcopidlng' script in the KDE library package
creates temporary files in an unsecure manner.
This bug has been fixed in 32 minutes (!) by Stephan Kulow, the KDE team
leader. Here you can find the official patch:
Note: This bug has been found by `autospec', the work-in-progress tool used by
the QiLinux team to (semi)automatically create specfiles from tarballs and
update/check rpm packages. It's released under GPL and not QiLinux specific.
The latest release can be found at the URL:
QiLinux Security Team Leader
PGP keyID: 4B72B0B9 fp: 2B79 BFF1 EE33 EE8C 3258 E43C CDA8 EFF3 4B72 B0B9
PGP public key: <http://pgp.mit.edu/>