
Re: [SECURITY] [DSA 1156-1] New kdebase packages fix information disclosure



Regarding :

> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 1156-1                    security@debian.org
> http://www.debian.org/security/                         Moritz Muehlenhoff
> August 27th, 2006                       http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
> 
> Package        : kdebase 
> Vulnerability  : programming error
> Problem-Type   : local
> Debian-specific: no
> CVE ID         : CVE-2006-2449
> Debian Bug     : 374002
> 
> Ludwig Nussel discovered that kdm, the X display manager for KDE, handles
> access to the session type configuration file insecurely, which may lead
> to the disclosure of arbitrary files through a symlink attack.

For interest, can anyone explain why a problem with kdm leads to the
need to reissue so many KDE packages?

Neither http://bugs.debian.org/374002 nor
http://www.kde.org/info/security/advisory-20060614-1.txt sheds any
light.

e.g.
>   Intel IA-32 architecture:
> 
>     http://security.debian.org/pool/updates/main/k/kdebase/kappfinder_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:   238552 3315f3726ec7bcc2b2336264ee1d6113
>     http://security.debian.org/pool/updates/main/k/kdebase/kate_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:   582412 58f81b8e2a85b4ac2590d04c339d57b5
>     http://security.debian.org/pool/updates/main/k/kdebase/kcontrol_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:  7662460 90981f72d4368fc940a4fa1a7e4f64f9
>     http://security.debian.org/pool/updates/main/k/kdebase/kdebase-bin_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:   954376 0d21ac76ee892b4801720136a0b33900
>     http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:    57230 ec1cb3381a3f4afe7b382c5f8ff55199
>     http://security.debian.org/pool/updates/main/k/kdebase/kdebase-kio-plugins_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:   697440 5efafc13c4ce1614666158bd570ec74d
>     http://security.debian.org/pool/updates/main/k/kdebase/kdepasswd_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:   223118 3bebac40feaeb0e466af26f7067b1fab
>     http://security.debian.org/pool/updates/main/k/kdebase/kdeprint_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:  1063596 c73e53fe6e2374184af490c79a07eb99
>     http://security.debian.org/pool/updates/main/k/kdebase/kdesktop_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:   680672 a7ac569bad33ed7bc8419c33aaef8996
>     http://security.debian.org/pool/updates/main/k/kdebase/kdm_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:   417326 1c502f75f0661242ddbeac4791f1b7f8
>     http://security.debian.org/pool/updates/main/k/kdebase/kfind_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:   178908 65dddbcbccd904145e4020e64d942ff3
>     http://security.debian.org/pool/updates/main/k/kdebase/khelpcenter_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:   711378 e9ea7945ee02963a7c916a3e545e62b0
>     http://security.debian.org/pool/updates/main/k/kdebase/kicker_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:  2175624 4008eb9c4bbd5360a4eeb8e46b4e50c2
>     http://security.debian.org/pool/updates/main/k/kdebase/klipper_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:   205020 165b654e57f1d35a31fa152a24afa0cb
>     http://security.debian.org/pool/updates/main/k/kdebase/kmenuedit_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:   200970 abc1503a3850d65f6ff91f880acf348d
>     http://security.debian.org/pool/updates/main/k/kdebase/konqueror_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:  2239890 91e2886a7e2e420a0d8f3eb95fb27f6d
>     http://security.debian.org/pool/updates/main/k/kdebase/konqueror-nsplugins_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:   123316 079c71fbc6ccd53960d019e41fbf6ad2
>     http://security.debian.org/pool/updates/main/k/kdebase/konsole_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:   568180 ef6532f854c54bfcc50acd3f0569e0b8
>     http://security.debian.org/pool/updates/main/k/kdebase/kpager_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:    94712 8f71942e5f28d466b1e1bec4844619f0
>     http://security.debian.org/pool/updates/main/k/kdebase/kpersonalizer_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:   468770 289a16d56ac2df3bc0f5a6b5d30db912
>     http://security.debian.org/pool/updates/main/k/kdebase/ksmserver_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:   121494 e368bade4131851262de00f57453645c
>     http://security.debian.org/pool/updates/main/k/kdebase/ksplash_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:   802022 64e6b973ac208ec943d2e2cc45a16ce9
>     http://security.debian.org/pool/updates/main/k/kdebase/ksysguard_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:   479926 6dd986c5507b79bbe6c0cdb560752a70
>     http://security.debian.org/pool/updates/main/k/kdebase/ksysguardd_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:    49048 4a89bfd14874d413415fd5b6f8356599
>     http://security.debian.org/pool/updates/main/k/kdebase/ktip_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:    79680 966842fe7926161702a92f1907ec309c
>     http://security.debian.org/pool/updates/main/k/kdebase/kwin_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:   854870 5cf7be0a787c73b26fc3c7161a1de866
>     http://security.debian.org/pool/updates/main/k/kdebase/libkonq4_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:   249494 2b43b65830f35ea3619ff8596340031d
>     http://security.debian.org/pool/updates/main/k/kdebase/libkonq4-dev_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:    44922 d07fda73f6365a4470db2ac21030c906

Cheers,
Nick Boyce
Bristol, UK
-- 
'If you don't pray in my school, I won't think in your church'
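Since the advisory list quoted above ships a Size/MD5 line per binary package, a practical thing a reader of this thread can do with it is verify the downloaded .deb files against those values. The following is an added example, not code from the thread or from Debian: it parses the two-line URL/checksum entries (with the mailing-list `> ` quoting stripped), then checks a local file's byte count and MD5 against the parsed values. The sample text embedded below is copied from the kappfinder and kdm entries quoted above; the file checked in `demo_verify()` is a constructed stand-in, not a real package. MD5 is used only because that is what the advisory publishes; apt's signed Release files remain the stronger integrity check for the archive itself.

```python
import hashlib
import os
import re
import tempfile

# Two-line entries in a DSA download list look like:
#   <url ending in .deb>
#   Size/MD5 checksum:   <size> <32 hex chars>
# In a mailing-list reply each line also carries a leading "> " quote prefix.
_URL_RE = re.compile(r"^(https?://\S+\.deb)\s*$")
_SUM_RE = re.compile(r"^Size/MD5 checksum:\s+(\d+)\s+([0-9a-f]{32})\s*$")

# Two entries copied from the advisory text quoted in this thread.
SAMPLE_ADVISORY = """
>     http://security.debian.org/pool/updates/main/k/kdebase/kappfinder_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:   238552 3315f3726ec7bcc2b2336264ee1d6113
>     http://security.debian.org/pool/updates/main/k/kdebase/kdm_3.3.2-1sarge3_i386.deb
>       Size/MD5 checksum:   417326 1c502f75f0661242ddbeac4791f1b7f8
"""


def parse_advisory(text):
    """Return {filename: (size, md5hex)} for every URL/checksum pair in the text."""
    entries = {}
    pending_url = None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # drop mail quoting and indentation
        m = _URL_RE.match(line)
        if m:
            pending_url = m.group(1)
            continue
        m = _SUM_RE.match(line)
        if m and pending_url:
            filename = pending_url.rsplit("/", 1)[-1]
            entries[filename] = (int(m.group(1)), m.group(2))
            pending_url = None
    return entries


def verify_file(path, expected_size, expected_md5):
    """True only if both the byte count and the MD5 digest of `path` match the advisory."""
    if os.path.getsize(path) != expected_size:
        return False
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest() == expected_md5


def demo_verify():
    """Write a constructed stand-in for a .deb, check it intact, then after tampering."""
    payload = b"constructed package contents, not a real .deb\n"
    good_md5 = hashlib.md5(payload).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "example.deb")
        with open(p, "wb") as f:
            f.write(payload)
        intact = verify_file(p, len(payload), good_md5)
        with open(p, "ab") as f:
            f.write(b"x")  # simulate a corrupted or altered download
        tampered = verify_file(p, len(payload), good_md5)
    return intact, tampered


if __name__ == "__main__":
    for name, (size, md5) in parse_advisory(SAMPLE_ADVISORY).items():
        print(f"{name}: size={size} md5={md5}")
    print("constructed file intact/tampered:", demo_verify())
```

To use it on a real download, call `verify_file("/path/to/kdm_3.3.2-1sarge3_i386.deb", *parse_advisory(advisory_text)["kdm_3.3.2-1sarge3_i386.deb"])` with the full advisory text; the size check is cheap and catches truncated downloads before any hashing is done.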


