=====================================================================
                                   CERT-Renater

                        Information Note No. 2010/VULN168
_____________________________________________________________________

DATE                      : 18/05/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running KDE SC versions 2.2.0 up to including 4.4.3.

======================================================================
http://kde.org/info/security/advisory-20100513-1.txt
http://kde.org/info/security/advisory-20100413-1.txt
______________________________________________________________________

KDE Security Advisory: KGet Directory Traversal and Insecure File Operation
Vulnerabilities
Original Release Date: 2010-05-13
URL: http://www.kde.org/info/security/advisory-20100513-1.txt

0. References:
    CVE-2010-1000
    CVE-2010-1511
    SA39528

1. Systems affected:

    KGet as shipped with KDE SC 4.0.0 up to including KDE SC 4.4.3. Earlier
    versions of KDE SC may also be affected.

2. Overview:

    1) The "name" attribute of the "file" element of metalink files is not
    properly sanitized before being used to download files. If a user is
    tricked into downloading from a specially-crafted metalink file, this can
    be exploited to download files to directories outside of the intended
    download directory via directory traversal attacks. (CVE-2010-1000)

    2) In some versions of KGet (2.4.2) a dialog box is displayed allowing the
    user to choose the file to download out of the options offered by the
    metalink file. However, KGet will simply go ahead and start the download
    after some time - even without prior acknowledgment of the user, and
    overwriting already-existing files of the same name. (CVE-2010-1511)

    The vulnerabilities were reported by and the above text provided by Stefan
    Cornelius of Secunia Research.

3. Impact:

    1) Files may be created or overwritten in directories outside of a user's
    intended download directory.

    2) Files may be created or overwritten in a user's intended download
    directory without acknowledgement of the user.
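    As an added illustration from the defender's side (this is not KGet's
    code nor the patch referenced in section 5, and Python is used here only
    because it keeps the example self-contained), the snippet below shows the
    two checks the two findings call for: a metalink "name" attribute must,
    once normalised, still resolve inside the chosen download directory
    (CVE-2010-1000), and the destination must be created exclusively so an
    existing file is never silently overwritten (CVE-2010-1511). The sample
    metalink, the download directory and all function names are constructed
    for this example.

```python
import os
import posixpath
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample metalink (not taken from the advisory): one ordinary entry
# and two whose "name" attribute tries to escape the download directory.
SAMPLE_METALINK = """<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="image.iso">
    <url>http://example.invalid/image.iso</url>
  </file>
  <file name="../../.bashrc">
    <url>http://example.invalid/payload</url>
  </file>
  <file name="/etc/passwd">
    <url>http://example.invalid/passwd</url>
  </file>
</metalink>
"""

NS = {"m": "urn:ietf:params:xml:ns:metalink"}


def file_names(metalink_xml):
    """Return the raw 'name' attribute of every <file> element, unmodified."""
    root = ET.fromstring(metalink_xml)
    return [f.get("name", "") for f in root.findall("m:file", NS)]


def confined_destination(download_dir, name):
    """Map a metalink 'name' to a path inside download_dir, or None if it
    would land anywhere else (absolute names, '..' escapes, NUL bytes)."""
    if not name or name.startswith("/") or "\0" in name:
        return None
    normalised = posixpath.normpath(name)  # collapses 'a/../b', './x', trailing '/'
    if normalised in (".", "..") or normalised.startswith("../"):
        return None
    base = os.path.abspath(download_dir)
    dest = os.path.abspath(os.path.join(base, normalised))
    # Belt and braces: the resolved path must still have download_dir as prefix.
    if os.path.commonpath([base, dest]) != base:
        return None
    return dest


def plan_downloads(download_dir, metalink_xml):
    """Split the metalink's entries into accepted destinations and rejected names."""
    accepted, rejected = [], []
    for name in file_names(metalink_xml):
        dest = confined_destination(download_dir, name)
        if dest is None:
            rejected.append(name)
        else:
            accepted.append(dest)
    return accepted, rejected


def open_for_download(dest):
    """Create the destination without clobbering anything already there.
    O_EXCL makes creation fail if the name exists; O_NOFOLLOW refuses a
    symlink planted at that name. Returns None instead of overwriting."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(dest, flags, 0o644)
    except FileExistsError:
        return None
    return os.fdopen(fd, "wb")


def exclusive_create_twice():
    """Show the overwrite guard: the first creation succeeds, a second attempt
    at the same name is refused. Runs in a throwaway temporary directory."""
    tmp = tempfile.mkdtemp()
    dest = os.path.join(tmp, "image.iso")
    try:
        first = open_for_download(dest)
        first_ok = first is not None
        if first is not None:
            first.write(b"constructed payload bytes")
            first.close()
        second = open_for_download(dest)
        second_ok = second is not None
        if second is not None:
            second.close()
    finally:
        if os.path.exists(dest):
            os.unlink(dest)
        os.rmdir(tmp)
    return first_ok, second_ok


if __name__ == "__main__":
    ok, bad = plan_downloads("/srv/downloads", SAMPLE_METALINK)
    print("accepted:", ok)
    print("rejected:", bad)
    print("exclusive create (first, second):", exclusive_create_twice())
```

    The containment check deliberately works on the normalised relative name
    rather than on the raw string, so that sequences like "sub/../../x" are
    caught even though they do not begin with "../"; the exclusive open covers
    the second finding by turning a silent overwrite into a refusal the caller
    can surface to the user.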

4. Solution:

    Source code patches have been made available which fix these
    vulnerabilities. At the time of this writing most OS vendor / binary
    package providers should have updated binary packages. Contact your OS
    vendor / binary package provider for information about how to obtain
    updated binary packages.

5. Patch:

    Patches have been committed to the KDE Subversion repository in the
    following revision numbers:

    4.3 branch: r1126227
    4.4 branch: r1124974
    Trunk: r1124976

    Patches for KDE SC 4.3 and KDE SC 4.4 may be obtained directly from the
    Subversion repository (no checkout needed) with the following commands and
    reference SHA1 sums:

    4.3 branch: dc1b2af664fb4c74c018e9c6b02859b5c42ecd65
    svn diff -r 1126226:1126227 \
    svn://anonsvn.kde.org/home/kde/branches/KDE/4.3/kdenetwork

    4.4 branch: 3ed1b2333ba324e1fc6c1994cef1715eb0b6f457
    svn diff -r 1124973:1124974 \
    svn://anonsvn.kde.org/home/kde/branches/KDE/4.4/kdenetwork
________________________________________________________________________

KDE Security Advisory: KDM Local Privilege Escalation Vulnerability
Original Release Date: 2010-04-13
URL: http://www.kde.org/info/security/advisory-20100413-1.txt

0. References
	CVE-2010-0436


1. Systems affected:

	KDM as shipped with KDE SC 2.2.0 up to including KDE SC 4.4.2


2. Overview:

	KDM contains a race condition that allows local attackers to
	make arbitrary files on the system world-writeable. This can
	happen while KDM tries to create its control socket during
	user login. This vulnerability has been discovered by
	Sebastian Krahmer from the SUSE Security Team.

3. Impact:

	A local attacker with a valid local account can under
	certain circumstances make use of this vulnerability to
	execute arbitrary code as root.
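	To make this vulnerability class concrete from the defender's side, the
	following is an added Python illustration. It is not KDM's code, and the
	symlink mechanism it uses is the textbook shape of a file-creation race,
	assumed here rather than taken from the advisory. It compares a "create,
	then chmod by path name" sequence with one that creates exclusively,
	refuses to follow links, and changes the mode through the open
	descriptor. Everything it touches lives in a temporary directory it
	creates itself; all file names and contents are constructed.

```python
import os
import shutil
import stat
import tempfile


def naive_create(path, mode):
    """The pattern a file-creation race relies on: create by name, then chmod
    by name. Both calls resolve 'path' afresh, so if a symlink has appeared
    there in the meantime the mode change lands on the link's target."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)
    os.close(fd)
    os.chmod(path, mode)  # applies to whatever 'path' resolves to right now


def hardened_create(path, mode):
    """Create exclusively, refuse to follow a symlink, verify what was opened,
    and set the mode on the descriptor, so the permission change can only
    ever reach the file this call created. Returns False if 'path' was taken."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError:  # EEXIST or ELOOP: something already sits at that name
        return False
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
            return False
        os.fchmod(fd, mode)  # by descriptor, not by name
    finally:
        os.close(fd)
    return True


def file_mode(path):
    """Permission bits of the object at 'path' itself (no symlink following)."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo_symlink_race():
    """Constructed scenario in a temporary directory: a link already stands at
    the name the service wants to create, pointing at a file it never meant
    to touch. Returns which guarantee each version of the code keeps."""
    tmp = tempfile.mkdtemp()
    try:
        victim = os.path.join(tmp, "victim.conf")
        with open(victim, "w") as f:
            f.write("constructed sample config\n")
        os.chmod(victim, 0o600)

        # The pre-planted link stands in for the race having been lost.
        planted = os.path.join(tmp, "control-socket")
        os.symlink(victim, planted)

        naive_create(planted, 0o666)
        naive_changed_victim = file_mode(victim) == 0o666

        os.chmod(victim, 0o600)  # reset before the hardened attempt
        hardened_refused = hardened_create(planted, 0o666) is False
        hardened_victim_untouched = file_mode(victim) == 0o600

        fresh = os.path.join(tmp, "control-socket-fresh")
        hardened_fresh_ok = hardened_create(fresh, 0o660) and file_mode(fresh) == 0o660
        return {
            "naive_changed_victim": naive_changed_victim,
            "hardened_refused": hardened_refused,
            "hardened_victim_untouched": hardened_victim_untouched,
            "hardened_fresh_ok": hardened_fresh_ok,
        }
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for guarantee, held in demo_symlink_race().items():
        print(f"{guarantee}: {held}")
```

	The fix pattern generalises beyond this advisory: any privileged service
	that creates an object by name and then adjusts it by name (chmod, chown,
	unlink) re-resolves the path each time, and the only way to close that
	window is to operate on the descriptor of the object it just created.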

4. Solution:

	Source code patches have been made available which fix this
	vulnerability. Contact your OS vendor / binary package provider
	for information about how to obtain updated binary packages.

5. Patch:

	A patch for KDE 4.3.x-4.4.x is available from
	ftp://ftp.kde.org/pub/kde/security_patches :

	68c1dfe76e80812e5e049bb599b3374e  kdebase-workspace-4.3.5-CVE-2010-0436.diff

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
