[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#478024: kdelibs: CVE-2008-1671 start_kdeinit multiple vulnerabilities



Package: kdelibs
Severity: important
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for kdelibs.


CVE-2008-1671[0]:
| 1. Systems affected:
| 
|     start_kdeinit of KDE 3.x as of KDE 3.5.5 or newer. KDE 4.0
|     and newer is not affected. Only Linux platform is affected.
| 
| 
| 2. Overview:
| 
|     start_kdeinit is a wrapper to launch kdeinit with a lower OOM
|     score on Linux. This helper is used to ensure that a
|     single KDE application triggering the Linux kernel OOM killer
|     does not kill the whole KDE session. By default,
|     start_kdeinit is installed as setuid root. The start_kdeinit
|     processing of user-influenceable input is faulty.
| 
| 3. Impact:
| 
|     If start_kdeinit is installed as setuid root, a local user
|     might be able to send unix signals to other processes, cause
|     a denial of service or even possibly execute arbitrary code.

Note, the mitre site did not yet put this on their website, this is
from the upstream advisory:
http://www.kde.org/info/security/advisory-20080426-2.txt

Patch:
ftp://ftp.kde.org/pub/kde/security_patches/post-kde-3.5.5-kinit.diff


If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1671
    http://security-tracker.debian.net/tracker/CVE-2008-1671

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpZO2SjbqZUV.pgp
Description: PGP signature


Reply to: