
Bug#478024: marked as done (kdelibs: CVE-2008-1671 start_kdeinit multiple vulnerabilities)



Your message dated Sun, 27 Apr 2008 18:32:10 +0000
with message-id <E1JqBfW-0007Yy-TB@ries.debian.org>
and subject line Bug#478024: fixed in kdelibs 4:3.5.9.dfsg.1-4
has caused the Debian Bug report #478024,
regarding kdelibs: CVE-2008-1671 start_kdeinit multiple vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
478024: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=478024
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: kdelibs
Severity: important
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for kdelibs.


CVE-2008-1671[0]:
| 1. Systems affected:
| 
|     start_kdeinit of KDE 3.x as of KDE 3.5.5 or newer. KDE 4.0
|     and newer are not affected. Only the Linux platform is affected.
| 
| 
| 2. Overview:
| 
|     start_kdeinit is a wrapper to launch kdeinit with a lower OOM
|     score on Linux. This helper is used to ensure that a
|     single KDE application triggering the Linux kernel OOM killer
|     does not kill the whole KDE session. By default,
|     start_kdeinit is installed as setuid root. The start_kdeinit
|     processing of user-influenceable input is faulty.
| 
| 3. Impact:
| 
|     If start_kdeinit is installed as setuid root, a local user
|     might be able to send unix signals to other processes, cause
|     a denial of service or even possibly execute arbitrary code.

Note: the MITRE site has not yet put this on its website; this is
from the upstream advisory:
http://www.kde.org/info/security/advisory-20080426-2.txt

Patch:
ftp://ftp.kde.org/pub/kde/security_patches/post-kde-3.5.5-kinit.diff


If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1671
    http://security-tracker.debian.net/tracker/CVE-2008-1671

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
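The advisory above describes a setuid root helper that acts on process ids it receives from a less privileged source, and the Debian patch name points at an integer overflow in that handling. As an added illustration (not KDE's code and not the Debian patch), the two checks such a helper needs before it touches /proc/<pid>/oom_adj or signals anything: a strict parse that rejects overflow and junk, and an ownership check so the helper only acts on the invoking user's own processes. Function names are my own, and the ownership check assumes a Linux /proc.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Strict decimal parse of a caller-supplied PID: whole string, digits only,
 * no sign or leading whitespace, must fit in pid_t (an int on Linux).
 * Returns 1 and stores the value on success, 0 on any rejection, so an
 * overflowed value cannot wrap into some other process's PID. */
int parse_pid(const char *s, pid_t *out)
{
    char *end;
    long v;

    if (s == NULL || !isdigit((unsigned char)*s))
        return 0;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')   /* overflow or trailing junk */
        return 0;
    if (v <= 0 || v > INT_MAX)             /* 0 / negatives mean groups to kill() */
        return 0;
    *out = (pid_t)v;
    return 1;
}

/* Convenience wrapper: the parsed PID, or 0 when the input is rejected. */
pid_t parse_pid_or_zero(const char *s)
{
    pid_t p;
    return parse_pid(s, &p) ? p : 0;
}

/* Ownership check (Linux /proc assumed): the caller's real uid must own
 * the target process. A setuid helper should compare against getuid(),
 * not geteuid(), since the effective uid is root. Returns 1 if owned. */
int pid_owned_by_caller(pid_t pid, uid_t caller_uid)
{
    char path[64];
    struct stat st;

    if (pid <= 0)
        return 0;
    snprintf(path, sizeof path, "/proc/%ld", (long)pid);
    if (stat(path, &st) != 0)              /* no such process */
        return 0;
    return st.st_uid == caller_uid;
}
```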
--- Begin Message ---
Source: kdelibs
Source-Version: 4:3.5.9.dfsg.1-4

We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:

kdelibs-data_3.5.9.dfsg.1-4_all.deb
  to pool/main/k/kdelibs/kdelibs-data_3.5.9.dfsg.1-4_all.deb
kdelibs-dbg_3.5.9.dfsg.1-4_amd64.deb
  to pool/main/k/kdelibs/kdelibs-dbg_3.5.9.dfsg.1-4_amd64.deb
kdelibs4-dev_3.5.9.dfsg.1-4_amd64.deb
  to pool/main/k/kdelibs/kdelibs4-dev_3.5.9.dfsg.1-4_amd64.deb
kdelibs4-doc_3.5.9.dfsg.1-4_all.deb
  to pool/main/k/kdelibs/kdelibs4-doc_3.5.9.dfsg.1-4_all.deb
kdelibs4c2a_3.5.9.dfsg.1-4_amd64.deb
  to pool/main/k/kdelibs/kdelibs4c2a_3.5.9.dfsg.1-4_amd64.deb
kdelibs_3.5.9.dfsg.1-4.diff.gz
  to pool/main/k/kdelibs/kdelibs_3.5.9.dfsg.1-4.diff.gz
kdelibs_3.5.9.dfsg.1-4.dsc
  to pool/main/k/kdelibs/kdelibs_3.5.9.dfsg.1-4.dsc
kdelibs_3.5.9.dfsg.1-4_all.deb
  to pool/main/k/kdelibs/kdelibs_3.5.9.dfsg.1-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 478024@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fathi Boudra <fabo@debian.org> (supplier of updated kdelibs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 27 Apr 2008 17:26:36 +0200
Source: kdelibs
Binary: kdelibs kdelibs-data kdelibs4c2a kdelibs4-dev kdelibs4-doc kdelibs-dbg
Architecture: source all amd64
Version: 4:3.5.9.dfsg.1-4
Distribution: unstable
Urgency: low
Maintainer: Fathi Boudra <fabo@debian.org>
Changed-By: Fathi Boudra <fabo@debian.org>
Description: 
 kdelibs    - core libraries from the official KDE release
 kdelibs-data - core shared data for all KDE applications
 kdelibs-dbg - debugging symbols for kdelibs
 kdelibs4-dev - development files for the KDE core libraries
 kdelibs4-doc - developer documentation for the KDE core libraries
 kdelibs4c2a - core libraries and binaries for all KDE applications
Closes: 476896 478024
Changes: 
 kdelibs (4:3.5.9.dfsg.1-4) unstable; urgency=low
 .
   * Add 03_start_kdeinit_integer_overflow.diff patch to fix a security
     advisory: CVE-2008-1671 start_kdeinit multiple vulnerabilities.
     (Closes: #478024)
   * Add 05_kate_debianchangelog_default_context_r799980 patch to give a name
     to the default context in kate debian changelog/control support.
     Thanks to Pino Toscano.
   * Add 06_khtml_rendering_r786289 patch to fix khtml crash when rendering some
     pages. (Closes: #476896)
Checksums-Sha1: 
Checksums-Sha256: 
Files: 




--- End Message ---
