KDE Security Advisory: URI Handler Vulnerabilities

For the record : KDE.org has published a security bulletin :

There are various problems, but this appears to be the worst bit :

  The telnet, rlogin, ssh and mailto URI handlers in KDE 
  do not check for '-' at the beginning of the hostname 
  passed, which makes it possible to pass an option to 
  the programs started by the handlers.

  A remote attacker could entice a user to open a carefully 
  crafted mailto URI which may start the KMail program with 
  its display redirected to a remote machine under control 
  of the attacker.  An attacker can then use this to gain 
  full access to the victim's personal files and account.

It would appear the right advice is to stop using Konqueror to surf
the web until we have our KDEs fixed.

As a Woody KDE user I'm aware that the usual packager
suspects^H^H^H^H^H^H^H^Hheroes are all somewhat preoccupied, so I guess
self-help may be required here - but I've never built a Debian KDE
package, so if somebody could post a pointer to a simple howto on
doing this from a source deb and patches I'd be grateful.

Or does anyone know of a plan by some hero to package up KDE 3.2.2(3
?) for Woody ?

[ This comment :
    "The current schedule is that the Debian backports 
     will be fully public and operational by June 27th, 
     2004. Thank you for your understanding. 
     Andreas Mueller, Fri Apr 23 2004"
  is still present at 
  ftp://ftp.plig.org/pub/kde/stable/3.2.2/Debian/README ]

Or I suppose switching to Mozilla for a while may be a sensible option.


Nick Boyce
Bristol, UK
'If you don't pray in my school, I won't think in your church'
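
The check the quoted advisory says was missing, as an added example (not part of the original post and not KDE's actual patch): a handler that refuses any host which would reach the client program as a command-line option. The handler table, function names and sample URIs are assumptions made for illustration; mailto is left out because it takes no hostname.

```python
import re
from urllib.parse import urlsplit, unquote

# Hypothetical handler table (assumption): scheme -> client program name.
CLIENTS = {"telnet": "telnet", "rlogin": "rlogin", "ssh": "ssh"}

# One DNS label: alphanumeric at both ends, '-' only in the middle.
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def checked_host(raw):
    """Return the decoded host, or raise ValueError if it is not a plain hostname."""
    # Validate the percent-decoded value: that is the string the client receives.
    host = unquote(raw or "")
    if host.startswith("-"):
        raise ValueError("host would be parsed as a command-line option")
    if not host or len(host) > 253:
        raise ValueError("empty or over-long host")
    # IPv6 literals are rejected too; this sketch accepts names and IPv4 only.
    if not all(LABEL.fullmatch(label) for label in host.split(".")):
        raise ValueError("host contains characters outside the hostname set")
    return host


def build_argv(uri):
    """Map a telnet/rlogin/ssh URI to an argv list, never a shell string."""
    parts = urlsplit(uri)
    program = CLIENTS.get(parts.scheme.lower())
    if program is None:
        raise ValueError("scheme has no registered handler")
    if parts.username is not None or parts.port is not None:
        # Kept out of this sketch; each needs its own validation.
        raise ValueError("userinfo and port are not handled in this example")
    return [program, checked_host(parts.hostname)]


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for uri in ("telnet://host.example.org", "ssh://-option.example",
                "rlogin://%2Doption", "telnet://host;name"):
        try:
            print(uri, "->", build_argv(uri))
        except ValueError as err:
            print(uri, "-> rejected:", err)
```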

