[linux-security] ALERT: multiple vulnerabilities in KDE
- To: linux-security
- Subject: [linux-security] ALERT: multiple vulnerabilities in KDE
- From: Martin Siegert <siegert@sfu.ca>
- Date: Thu, 5 Dec 2002 19:42:51 -0800
- User-Agent: Mutt/1.4i
Topic
=====
multiple vulnerabilities in KDE programs and libraries
problems 1 and 2 (below) can lead to REMOTE ROOT EXPLOITS
Problem Description
===================
A number of vulnerabilities have been found in various versions of KDE.
1) A vulnerability in the rlogin KIO subsystem (rlogin.protocol) of
KDE 2.1 and later 2.x releases, and of KDE 3.x up to and including 3.0.4,
allows local and remote attackers to execute arbitrary code via a
carefully crafted URL. A similar vulnerability affects KDE 2.x through
the telnet KIO subsystem (telnet.protocol).
2) Multiple buffer overflows exist in the KDE LAN browsing implementation:
the resLISa daemon contains a buffer overflow which could be exploited
if the reslisa binary is installed SUID root. Additionally, the lisa
daemon contains a vulnerability which potentially enables any local user,
as well as any remote attacker on the LAN who is able to gain control of
the LISa port (7741 by default), to obtain root privileges.
3) The SSL capability for Konqueror in KDE 3.0.2 and earlier does not verify
the Basic Constraints for an intermediate CA-signed certificate. This
allows remote attackers to spoof the certificates of trusted sites via a
man-in-the-middle attack.
4) Konqueror in KDE 3.0 through 3.0.2 does not properly detect the "secure"
flag in an HTTP cookie, which could cause Konqueror to send the cookie
across an unencrypted channel, potentially allowing remote attackers to
steal the cookie via sniffing.
5) The cross-site scripting protection for Konqueror in KDE 2.2.2 and 3.0
through 3.0.3 does not properly initialize the domains on sub-frames and
sub-iframes, which can allow remote attackers to execute scripts and steal
cookies from subframes that are in other domains.
6) kpf is a file sharing utility that can be docked into the KDE kicker bar.
It uses a subset of the HTTP protocol internally and acts in a manner very
similar to a Web server. A feature added in KDE 3.0.1 accidentally allowed
retrieving any file, not limited to the configured shared directory, if it
is readable by the user under which kpf runs.
7) KGhostview includes a parser from GSview, which is vulnerable to a buffer
overflow while parsing a specially crafted .ps input file.
It also contains code from gv 3.5.x which is vulnerable to another buffer
overflow triggered by malformed postscript or Adobe PDF files.
Affected Versions
=================
Depends on the bug.
The most serious bugs, 1) and 2), affect all KDE 2 releases from KDE 2.1 on
and all KDE 3 releases up to 3.0.4 and 3.1rc3.
Not Affected
============
RedHat 6.x, 7.0
Debian 2.2
Workaround (for problem 1)
==========================
The fix for problem 1 is to disable rlogin and telnet within KDE.
As far as I can tell all distributions have adopted that approach.
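The workaround above for problem 1, the per-user copies of the service files that the Mandrake sections below say must also be removed, and the SUID check that problem 2 hinges on, collected into one script. This is an added example written for this page, not a command sequence from the advisory or from KDE; it assumes the system service directory /usr/share/services, per-user directories under /home/*/.kde/share/services, and that the caller supplies the path to the reslisa binary.

```shell
#!/bin/sh
# Added example, not part of the advisory. Pre-patch hardening for
# problems 1 (rlogin/telnet KIO slaves) and 2 (SUID reslisa).
# Assumed layout: KIO service files live in /usr/share/services and in
# each user's ~/.kde/share/services; the reslisa path is passed in.
# Every function takes explicit paths so it can be tried against a
# scratch directory before being run as root on the real system.

# Print the rlogin/telnet KIO service files present under the given
# directories (the files Konqueror and other KIO clients dispatch on).
kio_risky_services() {
    for dir in "$@"; do
        for proto in rlogin telnet; do
            f="$dir/$proto.protocol"
            [ -e "$f" ] && printf '%s\n' "$f"
        done
    done
    return 0
}

# Workaround for problem 1: delete those files. Prints each removed path.
kio_disable_rlogin_telnet() {
    kio_risky_services "$@" | while IFS= read -r f; do
        rm -f "$f" && printf 'removed %s\n' "$f"
    done
}

# Collect the per-user KDE service directories below a home base
# (default /home), so user-local copies get the same treatment.
kio_user_service_dirs() {
    base="${1:-/home}"
    for h in "$base"/*; do
        [ -d "$h/.kde/share/services" ] && printf '%s\n' "$h/.kde/share/services"
    done
    return 0
}

# Problem 2: the resLISa overflow only yields root if the binary is
# setuid. Returns 0 (true) when the file has the setuid bit set.
is_setuid() { [ -u "$1" ]; }

# Clear the setuid bit on reslisa. Returns 0 when the file is absent or
# no longer setuid, 1 if the bit could not be removed.
reslisa_drop_suid() {
    f="$1"
    [ -e "$f" ] || return 0
    if is_setuid "$f"; then chmod u-s "$f"; fi
    ! is_setuid "$f"
}
```

Run kio_risky_services first to see what would be removed; on a real system, as root, call kio_disable_rlogin_telnet /usr/share/services $(kio_user_service_dirs /home), then reslisa_drop_suid with the path reported by your package manager for reslisa. Removing the service files only stops KIO clients from handling rlogin:/ and telnet:/ URLs; it does not repair the library or the lisa daemon, so the package updates listed under Solution are still required.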
Solution
========
Not all problems mentioned above are fixed in all distributions (yet).
I list for each distribution which problems are fixed below.
(For distributions other than RedHat I do not know whether all the
packages mentioned above are part of the distribution, i.e., even
if a certain problem is not listed as fixed, a particular distribution
may nevertheless not be vulnerable if it does not ship the package
in the first place. Please check for yourself - a package that is not
installed cannot cause a problem!)
RedHat 7.1
----------
The RedHat advisory does not mention 7.1. However, RH 7.1 is using
kde-2.1.1 and therefore is vulnerable to problem 1, but not to the
other problems. It is recommended to use the workaround (see RH 7.2)
for 7.1 as well:
rm /usr/share/services/rlogin.protocol
rm /usr/share/services/telnet.protocol
RedHat 7.2
----------
Not vulnerable to 4 and 6.
To fix problem 1 do:
rm /usr/share/services/rlogin.protocol
rm /usr/share/services/telnet.protocol
to fix problems 2, 3, 5, 7:
rpm -Fvh kdelibs-2.2.2-3.i386.rpm \
kdelibs-devel-2.2.2-3.i386.rpm \
kdelibs-sound-2.2.2-3.i386.rpm \
kdelibs-sound-devel-2.2.2-3.i386.rpm \
kdegraphics-2.2.2-2.1.i386.rpm \
kdegraphics-devel-2.2.2-2.1.i386.rpm \
kdenetwork-2.2.2-2.i386.rpm \
kdenetwork-ppp-2.2.2-2.i386.rpm \
arts-2.2.2-3.i386.rpm
RedHat 7.3
----------
not vulnerable to 6.
to fix 1-5, 7:
rpm -Fvh kdelibs-3.0.3-0.7.2.i386.rpm \
kdelibs-devel-3.0.3-0.7.2.i386.rpm \
kdebase-3.0.3-0.7.2.i386.rpm \
kdebase-devel-3.0.3-0.7.2.i386.rpm \
kdeaddons-kate-3.0.3-0.7.i386.rpm \
kdeaddons-kicker-3.0.3-0.7.i386.rpm \
kdeaddons-knewsticker-3.0.3-0.7.i386.rpm \
kdeaddons-konqueror-3.0.3-0.7.i386.rpm \
kdeaddons-noatun-3.0.3-0.7.i386.rpm \
kdeadmin-3.0.3-0.7.i386.rpm \
kdeartwork-3.0.3-0.7.1.i386.rpm \
kdeartwork-kworldclock-3.0.3-0.7.1.i386.rpm \
kdeartwork-locolor-3.0.3-0.7.1.i386.rpm \
kdeartwork-screensavers-3.0.3-0.7.1.i386.rpm \
kdebindings-3.0.3-0.7.1.i386.rpm \
kdebindings-devel-3.0.3-0.7.1.i386.rpm \
kdebindings-kmozilla-3.0.3-0.7.1.i386.rpm \
keduca-3.0.3-0.7.i386.rpm \
kgeo-3.0.3-0.7.i386.rpm \
klettres-3.0.3-0.7.i386.rpm \
kmessedwords-3.0.3-0.7.i386.rpm \
kstars-3.0.3-0.7.i386.rpm \
ktouch-3.0.3-0.7.i386.rpm \
kvoctrain-3.0.3-0.7.i386.rpm \
kdegames-3.0.3-0.7.i386.rpm \
kdegames-devel-3.0.3-0.7.i386.rpm \
kamera-3.0.3-0.7.2.i386.rpm \
kcoloredit-3.0.3-0.7.2.i386.rpm \
kdvi-3.0.3-0.7.2.i386.rpm \
kfax-3.0.3-0.7.2.i386.rpm \
kfile-pdf-3.0.3-0.7.2.i386.rpm \
kfile-png-3.0.3-0.7.2.i386.rpm \
kfract-3.0.3-0.7.2.i386.rpm \
kghostview-3.0.3-0.7.2.i386.rpm \
kiconedit-3.0.3-0.7.2.i386.rpm \
kooka-3.0.3-0.7.2.i386.rpm \
kpaint-3.0.3-0.7.2.i386.rpm \
kruler-3.0.3-0.7.2.i386.rpm \
ksnapshot-3.0.3-0.7.2.i386.rpm \
kuickshow-3.0.3-0.7.2.i386.rpm \
kview-3.0.3-0.7.2.i386.rpm \
kviewshell-3.0.3-0.7.2.i386.rpm \
kviewshell-devel-3.0.3-0.7.2.i386.rpm \
libkscan-3.0.3-0.7.2.i386.rpm \
libkscan-devel-3.0.3-0.7.2.i386.rpm \
kdenetwork-devel-3.0.3-0.7.2.i386.rpm \
kdenetwork-libs-3.0.3-0.7.2.i386.rpm \
kdict-3.0.3-0.7.2.i386.rpm \
kit-3.0.3-0.7.2.i386.rpm \
kmail-3.0.3-0.7.2.i386.rpm \
knewsticker-3.0.3-0.7.2.i386.rpm \
knode-3.0.3-0.7.2.i386.rpm \
korn-3.0.3-0.7.2.i386.rpm \
kpf-3.0.3-0.7.2.i386.rpm \
kppp-3.0.3-0.7.2.i386.rpm \
ksirc-3.0.3-0.7.2.i386.rpm \
ktalkd-3.0.3-0.7.2.i386.rpm \
kxmlrpcd-3.0.3-0.7.2.i386.rpm \
lisa-3.0.3-0.7.2.i386.rpm \
karm-3.0.3-0.7.i386.rpm \
kdepim-3.0.3-0.7.i386.rpm \
kdepim-cellphone-3.0.3-0.7.i386.rpm \
kdepim-devel-3.0.3-0.7.i386.rpm \
kdepim-pilot-3.0.3-0.7.i386.rpm \
knotes-3.0.3-0.7.i386.rpm \
cervisia-3.0.3-0.7.i386.rpm \
kdesdk-gimp-3.0.3-0.7.i386.rpm \
kdesdk-kapptemplate-3.0.3-0.7.i386.rpm \
kdesdk-kbabel-3.0.3-0.7.i386.rpm \
kdesdk-kbugbuster-3.0.3-0.7.i386.rpm \
kdesdk-kmtrace-3.0.3-0.7.i386.rpm \
kdesdk-kompare-3.0.3-0.7.i386.rpm \
kdesdk-kspy-3.0.3-0.7.i386.rpm \
kdetoys-3.0.3-0.7.i386.rpm \
ark-3.0.3-0.7.i386.rpm \
kcalc-3.0.3-0.7.i386.rpm \
kcharselect-3.0.3-0.7.i386.rpm \
kdepasswd-3.0.3-0.7.i386.rpm \
kdessh-3.0.3-0.7.i386.rpm \
kdeutils-laptop-3.0.3-0.7.i386.rpm \
kdf-3.0.3-0.7.i386.rpm \
kedit-3.0.3-0.7.i386.rpm \
kfloppy-3.0.3-0.7.i386.rpm \
khexedit-3.0.3-0.7.i386.rpm \
kjots-3.0.3-0.7.i386.rpm \
kljettool-3.0.3-0.7.i386.rpm \
klpq-3.0.3-0.7.i386.rpm \
klprfax-3.0.3-0.7.i386.rpm \
kregexpeditor-3.0.3-0.7.i386.rpm \
kregexpeditor-devel-3.0.3-0.7.i386.rpm \
ktimer-3.0.3-0.7.i386.rpm \
kdevelop-2.1.3-0.7.1.i386.rpm \
kaboodle-3.0.3-0.7.1.i386.rpm \
kdemultimedia-arts-3.0.3-0.7.1.i386.rpm \
kdemultimedia-devel-3.0.3-0.7.1.i386.rpm \
kdemultimedia-kfile-3.0.3-0.7.1.i386.rpm \
kdemultimedia-libs-3.0.3-0.7.1.i386.rpm \
kmid-3.0.3-0.7.1.i386.rpm \
kmidi-3.0.3-0.7.1.i386.rpm \
kmix-3.0.3-0.7.1.i386.rpm \
koncd-3.0.3-0.7.1.i386.rpm \
kscd-3.0.3-0.7.1.i386.rpm \
arts-1.0.3-0.7.1.i386.rpm \
arts-devel-1.0.3-0.7.1.i386.rpm \
qt-3.0.5-7.14.i386.rpm \
qt-designer-3.0.5-7.14.i386.rpm \
qt-devel-3.0.5-7.14.i386.rpm \
qt-MySQL-3.0.5-7.14.i386.rpm \
qt-ODBC-3.0.5-7.14.i386.rpm \
qt-PostgreSQL-3.0.5-7.14.i386.rpm \
qt-static-3.0.5-7.14.i386.rpm \
qt-Xt-3.0.5-7.14.i386.rpm \
noatun-3.0.3-0.7.1.i386.rpm
RedHat 8.0
----------
not vulnerable to 3, 4.
to fix 1, 2, 5-7:
rpm -Fvh kdelibs-3.0.3-8.3.i386.rpm \
kdelibs-devel-3.0.3-8.3.i386.rpm \
kdebase-3.0.3-14.i386.rpm \
kdebase-devel-3.0.3-14.i386.rpm \
kdenetwork-devel-3.0.3-3.2.i386.rpm \
korn-3.0.3-3.2.i386.rpm \
kdenetwork-libs-3.0.3-3.2.i386.rpm \
kpf-3.0.3-3.2.i386.rpm \
kdict-3.0.3-3.2.i386.rpm \
kppp-3.0.3-3.2.i386.rpm \
kit-3.0.3-3.2.i386.rpm \
ksirc-3.0.3-3.2.i386.rpm \
kmail-3.0.3-3.2.i386.rpm \
ktalkd-3.0.3-3.2.i386.rpm \
knewsticker-3.0.3-3.2.i386.rpm \
kxmlrpcd-3.0.3-3.2.i386.rpm \
knode-3.0.3-3.2.i386.rpm \
lisa-3.0.3-3.2.i386.rpm \
kamera-3.0.3-5.i386.rpm \
kfile-png-3.0.3-5.i386.rpm \
kpaint-3.0.3-5.i386.rpm \
kviewshell-3.0.3-5.i386.rpm \
kcoloredit-3.0.3-5.i386.rpm \
kfract-3.0.3-5.i386.rpm \
kruler-3.0.3-5.i386.rpm \
kviewshell-devel-3.0.3-5.i386.rpm \
kdvi-3.0.3-5.i386.rpm \
kghostview-3.0.3-5.i386.rpm \
ksnapshot-3.0.3-5.i386.rpm \
libkscan-3.0.3-5.i386.rpm \
kfax-3.0.3-5.i386.rpm \
kiconedit-3.0.3-5.i386.rpm \
kuickshow-3.0.3-5.i386.rpm \
libkscan-devel-3.0.3-5.i386.rpm \
kfile-pdf-3.0.3-5.i386.rpm \
kooka-3.0.3-5.i386.rpm \
kview-3.0.3-5.i386.rpm
Debian 3.0
----------
not vulnerable to 3, 6
to fix 1, 2, 4, 5, 7:
upgrade to kdelibs3_2.2.2-13.woody.5_i386.deb,
kdelibs-dev_2.2.2-13.woody.5_i386.deb,
kdelibs3-bin_2.2.2-13.woody.5_i386.deb,
kdelibs3-cups_2.2.2-13.woody.5_i386.deb,
libarts_2.2.2-13.woody.5_i386.deb,
libarts-alsa_2.2.2-13.woody.5_i386.deb,
libarts-dev_2.2.2-13.woody.5_i386.deb,
libkmid_2.2.2-13.woody.5_i386.deb,
libkmid-alsa_2.2.2-13.woody.5_i386.deb,
libkmid-dev_2.2.2-13.woody.5_i386.deb,
kdict_2.2.2-14.2_i386.deb,
kit_2.2.2-14.2_i386.deb,
klisa_2.2.2-14.2_i386.deb,
kmail_2.2.2-14.2_i386.deb,
knewsticker_2.2.2-14.2_i386.deb,
knode_2.2.2-14.2_i386.deb,
korn_2.2.2-14.2_i386.deb,
kppp_2.2.2-14.2_i386.deb,
ksirc_2.2.2-14.2_i386.deb,
ktalkd_2.2.2-14.2_i386.deb,
libkdenetwork1_2.2.2-14.2_i386.deb,
libmimelib-dev_2.2.2-14.2_i386.deb,
libmimelib1_2.2.2-14.2_i386.deb,
kamera_2.2.2-6.8_i386.deb,
kcoloredit_2.2.2-6.8_i386.deb,
kfract_2.2.2-6.8_i386.deb,
kghostview_2.2.2-6.8_i386.deb,
kiconedit_2.2.2-6.8_i386.deb,
kooka_2.2.2-6.8_i386.deb,
kpaint_2.2.2-6.8_i386.deb,
kruler_2.2.2-6.8_i386.deb,
ksnapshot_2.2.2-6.8_i386.deb,
kview_2.2.2-6.8_i386.deb,
libkscan-dev_2.2.2-6.8_i386.deb,
libkscan1_2.2.2-6.8_i386.deb
SuSE 7.2
--------
to fix 2:
rpm -Fvh kdenetwork-2.1.1-154.i386.rpm
SuSE 7.3
--------
to fix 2:
rpm -Fvh kdenetwork-2.2.1-101.i386.rpm
Mandrake 8.1
------------
not vulnerable to 2.
to fix 1 do:
rm /usr/share/services/telnet.protocol
rm /usr/share/services/rlogin.protocol
also remove the same files in each user's ~/.kde/share/services directory
to fix 3-5, 7:
rpm -Fvh kdelibs-2.2.1-6.1mdk.i586.rpm \
kdelibs-devel-2.2.1-6.1mdk.i586.rpm \
kdelibs-sound-2.2.1-6.1mdk.i586.rpm \
kdelibs-static-devel-2.2.1-6.1mdk.i586.rpm \
libarts2-2.2.1-6.1mdk.i586.rpm \
libarts2-devel-2.2.1-6.1mdk.i586.rpm \
arts-2.2.1-6.1mdk.i586.rpm \
kdegraphics-2.2.1-2.1mdk.i586.rpm \
kdegraphics-static-devel-2.2.1-2.1mdk.i586.rpm
Mandrake 8.2
------------
not vulnerable to 2.
to fix 1 do:
rm /usr/share/services/telnet.protocol
rm /usr/share/services/rlogin.protocol
also remove the same files in each user's ~/.kde/share/services directory
to fix 3-5, 7:
rpm -Fvh kdelibs-2.2.2-49.1mdk.i586.rpm \
kdelibs-devel-2.2.2-49.1mdk.i586.rpm \
kdelibs-sound-2.2.2-49.1mdk.i586.rpm \
libarts2-2.2.2-49.1mdk.i586.rpm \
libarts2-devel-2.2.2-49.1mdk.i586.rpm \
arts-2.2.2-49.1mdk.i586.rpm \
kdegraphics-2.2.2-15.1mdk.i586.rpm \
kdegraphics-devel-2.2.2-15.1mdk.i586.rpm
Mandrake 9.0
------------
to fix 1, 2, 7:
rpm -Fvh kdelibs-3.0.3-30.1mdk.i586.rpm \
kdelibs-devel-3.0.3-30.1mdk.i586.rpm \
kdegraphics-3.0.3-11.1mdk.i586.rpm \
kdegraphics-devel-3.0.3-11.1mdk.i586.rpm \
kdenetwork-3.0.3-15.1mdk.i586.rpm \
kdenetwork-devel-3.0.3-15.1mdk.i586.rpm \
lisa-3.0.3-15.1mdk.i586.rpm