Package: kdelibs
Severity: important
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for kdelibs.
CVE-2008-1671[0]:
| 1. Systems affected:
|
| start_kdeinit of KDE 3.x as of KDE 3.5.5 or newer. KDE 4.0
| and newer is not affected. Only Linux platform is affected.
|
|
| 2. Overview:
|
| start_kdeinit is a wrapper to launch kdeinit with a lower OOM
| score on Linux. This helper is used to ensure that a
| single KDE application triggering the Linux kernel OOM killer
| does not kill the whole KDE session. By default,
| start_kdeinit is installed as setuid root. The start_kdeinit
| processing of user-influenceable input is faulty.
|
| 3. Impact:
|
| If start_kdeinit is installed as setuid root, a local user
| might be able to send unix signals to other processes, cause
| a denial of service or even possibly execute arbitrary code.
Note, the mitre site did not yet put this on their website, this is
from the upstream advisory:
http://www.kde.org/info/security/advisory-20080426-2.txt
Patch:
ftp://ftp.kde.org/pub/kde/security_patches/post-kde-3.5.5-kinit.diff
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1671
http://security-tracker.debian.net/tracker/CVE-2008-1671
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Attachment:
pgpdBDTsFhBfX.pgp
Description: PGP signature