Re: [SECURITY] [DSA 1156-1] New kdebase packages fix information disclosure
Regarding:
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 1156-1 security@debian.org
> http://www.debian.org/security/ Moritz Muehlenhoff
> August 27th, 2006 http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
>
> Package : kdebase
> Vulnerability : programming error
> Problem-Type : local
> Debian-specific: no
> CVE ID : CVE-2006-2449
> Debian Bug : 374002
>
> Ludwig Nussel discovered that kdm, the X display manager for KDE, handles
> access to the session type configuration file insecurely, which may lead
> to the disclosure of arbitrary files through a symlink attack.
For interest, can anyone explain why a problem with kdm leads to the need to reissue so many KDE packages?
Neither http://bugs.debian.org/374002 nor http://www.kde.org/info/security/advisory-20060614-1.txt sheds any light,
e.g.
> Intel IA-32 architecture:
>
> http://security.debian.org/pool/updates/main/k/kdebase/kappfinder_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 238552 3315f3726ec7bcc2b2336264ee1d6113
> http://security.debian.org/pool/updates/main/k/kdebase/kate_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 582412 58f81b8e2a85b4ac2590d04c339d57b5
> http://security.debian.org/pool/updates/main/k/kdebase/kcontrol_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 7662460 90981f72d4368fc940a4fa1a7e4f64f9
> http://security.debian.org/pool/updates/main/k/kdebase/kdebase-bin_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 954376 0d21ac76ee892b4801720136a0b33900
> http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 57230 ec1cb3381a3f4afe7b382c5f8ff55199
> http://security.debian.org/pool/updates/main/k/kdebase/kdebase-kio-plugins_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 697440 5efafc13c4ce1614666158bd570ec74d
> http://security.debian.org/pool/updates/main/k/kdebase/kdepasswd_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 223118 3bebac40feaeb0e466af26f7067b1fab
> http://security.debian.org/pool/updates/main/k/kdebase/kdeprint_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 1063596 c73e53fe6e2374184af490c79a07eb99
> http://security.debian.org/pool/updates/main/k/kdebase/kdesktop_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 680672 a7ac569bad33ed7bc8419c33aaef8996
> http://security.debian.org/pool/updates/main/k/kdebase/kdm_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 417326 1c502f75f0661242ddbeac4791f1b7f8
> http://security.debian.org/pool/updates/main/k/kdebase/kfind_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 178908 65dddbcbccd904145e4020e64d942ff3
> http://security.debian.org/pool/updates/main/k/kdebase/khelpcenter_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 711378 e9ea7945ee02963a7c916a3e545e62b0
> http://security.debian.org/pool/updates/main/k/kdebase/kicker_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 2175624 4008eb9c4bbd5360a4eeb8e46b4e50c2
> http://security.debian.org/pool/updates/main/k/kdebase/klipper_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 205020 165b654e57f1d35a31fa152a24afa0cb
> http://security.debian.org/pool/updates/main/k/kdebase/kmenuedit_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 200970 abc1503a3850d65f6ff91f880acf348d
> http://security.debian.org/pool/updates/main/k/kdebase/konqueror_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 2239890 91e2886a7e2e420a0d8f3eb95fb27f6d
> http://security.debian.org/pool/updates/main/k/kdebase/konqueror-nsplugins_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 123316 079c71fbc6ccd53960d019e41fbf6ad2
> http://security.debian.org/pool/updates/main/k/kdebase/konsole_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 568180 ef6532f854c54bfcc50acd3f0569e0b8
> http://security.debian.org/pool/updates/main/k/kdebase/kpager_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 94712 8f71942e5f28d466b1e1bec4844619f0
> http://security.debian.org/pool/updates/main/k/kdebase/kpersonalizer_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 468770 289a16d56ac2df3bc0f5a6b5d30db912
> http://security.debian.org/pool/updates/main/k/kdebase/ksmserver_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 121494 e368bade4131851262de00f57453645c
> http://security.debian.org/pool/updates/main/k/kdebase/ksplash_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 802022 64e6b973ac208ec943d2e2cc45a16ce9
> http://security.debian.org/pool/updates/main/k/kdebase/ksysguard_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 479926 6dd986c5507b79bbe6c0cdb560752a70
> http://security.debian.org/pool/updates/main/k/kdebase/ksysguardd_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 49048 4a89bfd14874d413415fd5b6f8356599
> http://security.debian.org/pool/updates/main/k/kdebase/ktip_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 79680 966842fe7926161702a92f1907ec309c
> http://security.debian.org/pool/updates/main/k/kdebase/kwin_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 854870 5cf7be0a787c73b26fc3c7161a1de866
> http://security.debian.org/pool/updates/main/k/kdebase/libkonq4_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 249494 2b43b65830f35ea3619ff8596340031d
> http://security.debian.org/pool/updates/main/k/kdebase/libkonq4-dev_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 44922 d07fda73f6365a4470db2ac21030c906
Cheers,
Nick Boyce
Bristol, UK
--
'If you don't pray in my school, I won't think in your church'
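Added example, not part of the thread or of the Debian advisory: a small Python checker for the "URL / Size/MD5 checksum" pairs quoted above. It parses the pairs (tolerating the mail quoting), derives the source package from the pool directory (in the Debian pool layout, the directory directly below the initial-letter directory is the source package, so every .deb in the list sits under k/kdebase), and verifies a local file against the listed size and digest. The advisory lines embedded in it are copied from the quoted DSA; the sample bytes and the example.invalid URL are constructed for the demonstration. Note that matching the listed MD5 only confirms a download is the file the advisory describes; the advisory's PGP signature is what authenticates the list itself.

```python
"""Checker for Debian advisory package lists (added example, not from the thread).

Parses "URL" / "Size/MD5 checksum: <size> <md5>" pairs as they appear in a DSA,
derives the source package from the pool path, and verifies a file against the
listed size and digest.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Excerpt copied from the quoted DSA 1156-1 above, including the mail quoting.
ADVISORY_EXCERPT = """\
> Intel IA-32 architecture:
>
> http://security.debian.org/pool/updates/main/k/kdebase/kdm_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 417326 1c502f75f0661242ddbeac4791f1b7f8
> http://security.debian.org/pool/updates/main/k/kdebase/konsole_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 568180 ef6532f854c54bfcc50acd3f0569e0b8
> http://security.debian.org/pool/updates/main/k/kdebase/kwin_3.3.2-1sarge3_i386.deb
> Size/MD5 checksum: 854870 5cf7be0a787c73b26fc3c7161a1de866
"""

URL_RE = re.compile(r"^(https?://\S+\.deb)$")
SUM_RE = re.compile(r"^Size/MD5 checksum:\s+(\d+)\s+([0-9a-f]{32})$")


@dataclass(frozen=True)
class AdvisoryEntry:
    url: str
    size: int
    md5: str

    @property
    def source_package(self) -> str:
        """Source package name: the pool directory holding the .deb
        (pool/<area>/.../<initial>/<source>/<binary>.deb)."""
        parts = self.url.split("/")
        if "pool" not in parts or len(parts) < 3:
            raise ValueError(f"not a Debian pool URL: {self.url}")
        return parts[-2]


def parse_advisory(text: str) -> list[AdvisoryEntry]:
    """Pair each .deb URL with the Size/MD5 line that follows it."""
    entries: list[AdvisoryEntry] = []
    pending_url = None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # drop mail quoting and padding
        if (m := URL_RE.match(line)):
            pending_url = m.group(1)
        elif (m := SUM_RE.match(line)) and pending_url:
            entries.append(AdvisoryEntry(pending_url, int(m.group(1)), m.group(2)))
            pending_url = None
    return entries


def verify_blob(entry: AdvisoryEntry, data: bytes) -> tuple[bool, str]:
    """Check bytes against an entry; the message names the first mismatching field."""
    if len(data) != entry.size:
        return False, f"size {len(data)} != {entry.size}"
    digest = hashlib.md5(data).hexdigest()
    if digest != entry.md5:
        return False, f"md5 {digest} != {entry.md5}"
    return True, "ok"


def verify_file(entry: AdvisoryEntry, path: str) -> tuple[bool, str]:
    """Verify a downloaded .deb on disk against its advisory entry."""
    with open(path, "rb") as fh:
        return verify_blob(entry, fh.read())


def entry_for_blob(url: str, data: bytes) -> AdvisoryEntry:
    """Build the entry a list would carry for these bytes (used for the demo)."""
    return AdvisoryEntry(url, len(data), hashlib.md5(data).hexdigest())


if __name__ == "__main__":
    entries = parse_advisory(ADVISORY_EXCERPT)
    print("source packages listed:", sorted({e.source_package for e in entries}))
    # Constructed sample data (not a real .deb) to exercise the checker.
    sample = b"constructed sample bytes, not a real package\n"
    good = entry_for_blob("http://example.invalid/pool/main/k/kdebase/x.deb", sample)
    print("matching entry:", verify_blob(good, sample))
    print("kdm entry vs sample:", verify_blob(entries[0], sample))
```

To check a real download, call verify_file(entry, "/path/to/kdm_3.3.2-1sarge3_i386.deb") with the entry parsed from the advisory; a size mismatch is reported before the digest is computed, so a truncated download is flagged without hashing it.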