[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DSA 193-1] New klisa packages fix buffer overflow

On Mon, Nov 11, 2002 at 06:07:40PM +0100, Martin Schulze scrawled:
> iDEFENSE reports a security vulnerability in the klisa package, that
> provides a LAN information service similar to "Network Neighbourhood",
> which was discovered by Texonet.  It is possible for a local attacker
> to exploit a buffer overflow condition in resLISa, a restricted
> version of KLISa.  The vulnerability exists in the parsing of the
> LOGNAME environment variable, an overly long value will overwrite the
> instruction pointer thereby allowing an attacker to seize control of
> the executable.
> This problem has been fixed in version 2.2.2-14.2 the current stable
> distribution (woody) and in version 2.2.2-14.3 for the unstable
> distribution (sid).  The old stable distribution (potato) is not
> affected since it doesn't contain a kdenetwork package

KDE 3.0.5 packages, including the fixed kdenetwork (and, by extension,
klisa) packages, will start appearing on kde.org roughly Thursday
evening AEST (UTC+10). I've got exams until Thursday, so no sooner.


Daniel Stone 	     <daniel@raging.dropbear.id.au>             <dstone@kde.org>
Developer - http://kopete.kde.org, http://www.kde.org

Attachment: pgpDzMZObL2AS.pgp
Description: PGP signature

Reply to: