Re: [debian-knoppix] KDE 3.1.1a WAS: OpenSSL 0.9.7b

To: debian-knoppix@linuxtag.org
Subject: Re: [debian-knoppix] KDE 3.1.1a WAS: OpenSSL 0.9.7b
From: Gilles Pelletier <gilpel@altern.org>
Date: Sat, 19 Apr 2003 16:29:10 -0400
Message-id: <[🔎] 200304191629.11106.gilpel@altern.org>
In-reply-to: <[🔎] 20030418142335.GB20978@eiv.com>
References: <[🔎] 200304151350.46157.gipe@videotron.ca> <[🔎] 200304172149.57116.gilpel@altern.org> <[🔎] 20030418142335.GB20978@eiv.com>

On April 18, 2003 10:23 am, Shawn McMahon wrote:

> On Thu, Apr 17, 2003 at 09:49:57PM -0400, Gilles Pelletier said:
> > And what's a bug fix supposed to mean when OpenSSL workings are
> > hidden from the user: either it works or it doesn't. If it
> > doesn't it's a security hole.
>
> It is entirely possible (and, unfortunately, even likely) that
> everything appears to work from the user's standpoint, but that
> there are in fact holes in the security. 

That's why I'm wondering if OpenSSL is really honest when they talk 
about bug fixes instead of SECURITY fixes.

> It's also unlikely that all the
> problems in OpenSSL have been discovered by the white hats yet.

And not only in OpenSSL, of course. Here's the latest about KDE:

1. Systems affected:

	All KDE 2 and KDE 3 versions up to and including KDE 3.1.1.

2. Overview:

	KDE uses Ghostscript software for processing of PostScript (PS) 
	and PDF files in a way that allows for the execution of arbitrary 
	commands that can be contained in such files.

	An attacker can prepare a malicious PostScript or PDF file which will 
	provide the attacker with access to the victim's account and 
privileges 
	when the victim opens this malicious file for viewing or when the 
	victim browses a directory containing such malicious file and has
	file previews enabled.

	An attacker can provide malicious files remotely to a victim in an 
	e-mail, as part of a webpage, via an ftp server and possible other 
	means.

3. Impact:

	The vulnerabilities potentially enable local or remote attackers
	to compromise the privacy of a vicitim's data and to execute 
arbitrary
	shell commands with the victim's privileges, such as erasing files or 
	accessing or modifying data. 

http://www.kde.org/info/security/advisory-20030409-1.txt

-------------

So it seems like a serious threat. Still, while this new release came 
out on April 9th, the first advisory from a distro seems to be by 
Slackware on the 18th. 

http://linuxtoday.com/security/2003041801626SCKESL

Packages for Debian are available at:

ftp://download.uk.kde.org/pub/kde/stable/3.1.1a/Debian/dists/

but are only available for stable and... woody, which is six or a 
half-dozen, I believe. 

Knoppix was upgraded yesterday and apparently still uses KDE 3.1.1 . 
As a relative newbie, I've got a hard time understanding what's going 
on. What good is it to use unstable if it's only to get the patches 
weeks after stable?

GP
-- 
La Masse critique
http://pages.infinit.net/mcrit
_______________________________________________
debian-knoppix mailing list
debian-knoppix@linuxtag.org
http://mailman.linuxtag.org/mailman/listinfo/debian-knoppix

Reply to:

Follow-Ups:
- Re: [debian-knoppix] KDE 3.1.1a WAS: OpenSSL 0.9.7b
  - From: Shawn McMahon <smcmahon@eiv.com>

References:
- [debian-knoppix] OpenSSL 0.9.7b
  - From: Gilles Pelletier <gilpel@altern.org>
- [debian-knoppix] I'll walk to the bank! WAS: OpenSSL 0.9.7b
  - From: Gilles Pelletier <gilpel@altern.org>
- Re: [debian-knoppix] I'll walk to the bank! WAS: OpenSSL 0.9.7b
  - From: Shawn McMahon <smcmahon@eiv.com>

Prev by Date: [debian-knoppix] Kppp Problems
Next by Date: Re: [debian-knoppix] remote x display
Previous by thread: Re: [debian-knoppix] I'll walk to the bank! WAS: OpenSSL 0.9.7b
Next by thread: Re: [debian-knoppix] KDE 3.1.1a WAS: OpenSSL 0.9.7b
Index(es):
- Date
- Thread