KDE Security Advisory: URI Handler Vulnerabilities
For the record : KDE.org has published a security bulletin :
http://www.kde.org/info/security/advisory-20040517-1.txt
There are various problems, but this appears to be the worst bit :
    The telnet, rlogin, ssh and mailto URI handlers in KDE
    do not check for '-' at the beginning of the hostname
    passed, which makes it possible to pass an option to
    the programs started by the handlers.

    Impact:
    [...]
    A remote attacker could entice a user to open a carefully
    crafted mailto URI which may start the KMail program with
    its display redirected to a remote machine under control
    of the attacker. An attacker can then use this to gain
    full access to the victims personal files and account.
    [...]
It would appear the right advice is to stop using Konqueror to surf
the web until we have our KDEs fixed.
As a Woody KDE user I'm aware that the usual packager
suspects^H^H^H^H^H^H^H^Hheroes are all somewhat preoccupied, so I guess
self-help may be required here - but I've never built a Debian KDE
package, so if somebody could post a pointer to a simple howto on
doing this from a source deb and patches I'd be grateful.
Or does anyone know of a plan by some hero to package up KDE 3.2.2(3
?) for Woody ?
[ This comment :
"The current schedule is that the Debian backports
will be fully public and operational by June 27th,
2004. Thank you for your understanding.
Andreas Mueller, Fri Apr 23 2004"
is still present at
ftp://ftp.plig.org/pub/kde/stable/3.2.2/Debian/README ]
Or I suppose switching to Mozilla for a while may be a sensible option
...
Cheers
Nick Boyce
Bristol, UK
--
'If you don't pray in my school, I won't think in your church'
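
An added example, not part of the original post and not KDE's own patch: a sketch of the check the advisory says was missing, validating the user, host and port of a telnet/rlogin/ssh URI before an argument list is built for the client. The names build_argv and is_launchable, the patterns and the sample URIs are assumptions made for illustration, as is the client honouring "--" as end-of-options.

```python
import re
from urllib.parse import urlsplit, unquote

# Schemes named in the advisory that start an external client with a host.
CLIENTS = {"telnet", "rlogin", "ssh"}
# First character must be alphanumeric, so a leading '-' can never match.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")
USER_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}")
PORT_RE = re.compile(r"[0-9]{1,5}")


def build_argv(uri):
    """Return the argv list for a remote-login URI, or raise ValueError."""
    parts = urlsplit(uri)
    client = parts.scheme.lower()
    if client not in CLIENTS:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    # Decode percent-escapes before validating, so %2D cannot hide a '-'.
    user, _, hostport = unquote(parts.netloc).rpartition("@")
    host, _, port = hostport.partition(":")
    if not HOST_RE.fullmatch(host):
        raise ValueError("rejected host: %r" % host)
    if user and not USER_RE.fullmatch(user):
        raise ValueError("rejected user: %r" % user)
    if port and not (PORT_RE.fullmatch(port) and 0 < int(port) < 65536):
        raise ValueError("rejected port: %r" % port)
    if port and client == "rlogin":
        raise ValueError("rlogin takes no port argument")
    argv = [client]
    if user:
        argv += ["-l", user]          # all three clients accept -l <user>
    if port and client == "ssh":
        argv += ["-p", port]
    # "--" ends option parsing (assumption: getopt-style client); each value
    # is its own list element, to be exec'd directly without a shell.
    argv += ["--", host]
    if port and client == "telnet":
        argv.append(port)             # telnet takes the port positionally
    return argv


def is_launchable(uri):
    """True if the URI passes validation, False if it is rejected."""
    try:
        build_argv(uri)
        return True
    except ValueError:
        return False
```

IPv6 literals and user:password forms are rejected by these conservative patterns rather than parsed.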