On Mon, Nov 11, 2002 at 06:07:40PM +0100, Martin Schulze scrawled: > iDEFENSE reports a security vulnerability in the klisa package, that > provides a LAN information service similar to "Network Neighbourhood", > which was discovered by Texonet. It is possible for a local attacker > to exploit a buffer overflow condition in resLISa, a restricted > version of KLISa. The vulnerability exists in the parsing of the > LOGNAME environment variable, an overly long value will overwrite the > instruction pointer thereby allowing an attacker to seize control of > the executable. > > This problem has been fixed in version 2.2.2-14.2 the current stable > distribution (woody) and in version 2.2.2-14.3 for the unstable > distribution (sid). The old stable distribution (potato) is not > affected since it doesn't contain a kdenetwork package KDE 3.0.5 packages, including the fixed kdenetwork (and, by extension, klisa) packages, will start appearing on kde.org roughly Thursday evening AEST (UTC+10). I've got exams until Thursday, so no sooner. -d -- Daniel Stone <daniel@raging.dropbear.id.au> <dstone@kde.org> Developer - http://kopete.kde.org, http://www.kde.org
Attachment:
pgpcMXMqJjMdX.pgp
Description: PGP signature