Package: kdelibs
Severity: important
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for kdelibs.

CVE-2008-1671:
| 1. Systems affected:
|
|   start_kdeinit of KDE 3.x as of KDE 3.5.5 or newer. KDE 4.0
|   and newer is not affected. Only Linux platform is affected.
|
|
| 2. Overview:
|
|   start_kdeinit is a wrapper to launch kdeinit with a lower OOM
|   score on Linux. This helper is used to ensure that a
|   single KDE application triggering the Linux kernel OOM killer
|   does not kill the whole KDE session. By default,
|   start_kdeinit is installed as setuid root. The start_kdeinit
|   processing of user-influenceable input is faulty.
|
| 3. Impact:
|
|   If start_kdeinit is installed as setuid root, a local user
|   might be able to send unix signals to other processes, cause
|   a denial of service or even possibly execute arbitrary code.

Note, the mitre site did not yet put this on their website, this is
from the upstream advisory:
http://www.kde.org/info/security/advisory-20080426-2.txt

Patch:
ftp://ftp.kde.org/pub/kde/security_patches/post-kde-3.5.5-kinit.diff

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1671
http://security-tracker.debian.net/tracker/CVE-2008-1671

-- 
Nico Golde - http://www.ngolde.de - email@example.com - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
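An added audit check, not part of the bug report or of KDE's patch: it classifies an installed start_kdeinit by whether it carries the setuid-root bit that the advisory's impact section makes its precondition, so an administrator can see which hosts still need the post-kde-3.5.5-kinit.diff fix. The candidate directories are assumptions; KDE 3 prefixes vary by distribution, and extra directories can be passed as arguments.

```shell
#!/bin/sh
# Classify one start_kdeinit path. Exit status:
#   0 = setuid and root-owned (the configuration the impact section depends on)
#   1 = setuid but not root-owned
#   2 = present but not setuid (precondition from the impact section absent)
#   3 = path does not exist
classify_start_kdeinit() {
  path=$1
  [ -e "$path" ] || return 3
  [ -u "$path" ] || return 2
  # -maxdepth 0 restricts find to the path itself; -user/-perm confirm
  # root ownership together with the setuid bit (04000).
  if [ -n "$(find "$path" -maxdepth 0 -user root -perm -4000 2>/dev/null)" ]; then
    return 0
  fi
  return 1
}

# Walk assumed KDE 3 install prefixes plus any directories given as
# arguments, printing one line per start_kdeinit found.
audit_start_kdeinit() {
  for dir in /usr/bin /opt/kde3/bin /usr/kde/3.5/bin "$@"; do
    p="$dir/start_kdeinit"
    [ -e "$p" ] || continue
    classify_start_kdeinit "$p" && rc=0 || rc=$?
    case $rc in
      0) echo "NEEDS PATCH (setuid root): $p" ;;
      1) echo "setuid but not root-owned: $p" ;;
      2) echo "not setuid, impact precondition absent: $p" ;;
    esac
  done
}

audit_start_kdeinit "$@"
```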