Re: [SECURITY] [DSA 815-1] New kdebase packages fix local root vulnerability
Hello,
On Fri, 16 Sep 2005 15:21:45 +0200 (CEST)
joey@infodrom.org (Martin Schulze) wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 815-1                     security@debian.org
> http://www.debian.org/security/                             Martin Schulze
> September 16th, 2005                    http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
>
> Package : kdebase
> Vulnerability : programming error
> Problem type : local
> Debian-specific: no
> CVE ID : CAN-2005-2494
>
> Ilja van Sprundel discovered a serious lock file handling error in
> kcheckpass that can, in some configurations, be used to gain root
> access.
>
> The old stable distribution (woody) is not affected by this problem.
>
> For the stable distribution (sarge) this problem has been fixed in
> version 3.3.2-1sarge1.
>
> For the unstable distribution (sid) this problem has been fixed in
> version 3.4.2-3.
>
> We recommend that you upgrade your kdebase-bin package.
Unfortunately, although the corresponding packages are present on the
Debian FTP servers, the Packages file still lists the old, faulty
packages. As a result, an apt-get dist-upgrade does not install the
new packages.
Kind regards
Christoph Pleger