Debians sikkerhedsbulletin

DSA-155-1 kdelibs -- privatlivsindbrud med Konqueror

Rapporteret den:
17. aug 2002
Berørte pakker:
kdelibs
Sårbar:
Ja
Referencer i sikkerhedsdatabaser:
I Bugtraq-databasen (hos SecurityFocus): BugTraq-id 5410.
I Mitres CVE-ordbog: CVE-2002-0970.
Yderligere oplysninger:

På grund af en forglemmelse ved implementeringen af sikkerhed, kontrollerer SSL-biblioteket fra KDE, som Konqueror bruger, ikke hvorvidt et mellemliggende certifikat til en forbindelse er signeret af certificeringsmyndigheden som værende sikker til formålet, men accepterer certifikatet hvis det er signeret. Dette gør det muligt for enhver med et gyldigt websteds-SSL-certifikat fra VeriSign at forfalske ethvert andet websteds-SSL-certifikat fra VeriSign, og dermed udnytte brugere af Konqueror.

En lokal root-udnyttelse ved hjælp af artsd er opdaget, den udnytter en usikker brug af en format-streng. Udnyttelsen fungerer ikke på Debian-systemer, da artsd ikke kører setuid root. Hverken artsd eller artswrapper behøver at være setuid root mere, da nuværende computersystemer er hurtige nok til at håndtere lyddataene uden vanskeligheder.

Disse problemer er rettet i version 2.2.2-13.woody.2 i den aktuelle stabile distribution (woody). Den gamle stabile distribution (potato) er ikke påvirket, da den ikke indeholder KDE-pakker. I den ustabile distribution (sid), er problemet ikke rettet endnu, men nye pakker forventes senere og den rettede version vil være 2.2.2-14 eller højere.

Vi anbefaler at du opgraderer dine kdelibs og libarts-pakker og genstarter Konqueror.

Rettet i:

Debian GNU/Linux 3.0 (woody)

Kildekode:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2-13.woody.2.dsc
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2-13.woody.2.diff.gz
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2.orig.tar.gz
Arkitekturuafhængig komponent:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-doc_2.2.2-13.woody.2_all.deb
Alpha:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.2_alpha.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_alpha.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_alpha.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.2_alpha.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_alpha.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.2_alpha.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.2_alpha.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.2_alpha.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.2_alpha.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.2_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.2_arm.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_arm.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_arm.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.2_arm.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_arm.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.2_arm.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.2_arm.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.2_arm.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.2_arm.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.2_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.2_i386.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_i386.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_i386.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.2_i386.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_i386.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.2_i386.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.2_i386.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.2_i386.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.2_i386.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.2_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.2_ia64.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_ia64.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_ia64.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.2_ia64.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_ia64.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.2_ia64.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.2_ia64.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.2_ia64.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.2_ia64.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.2_ia64.deb
HP Precision:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.2_hppa.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_hppa.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_hppa.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.2_hppa.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_hppa.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.2_hppa.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.2_hppa.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.2_hppa.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.2_hppa.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.2_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.2_m68k.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_m68k.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_m68k.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.2_m68k.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_m68k.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.2_m68k.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.2_m68k.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.2_m68k.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.2_m68k.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.2_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.2_mips.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_mips.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_mips.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.2_mips.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_mips.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.2_mips.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.2_mips.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.2_mips.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.2_mips.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.2_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.2_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.2_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.2_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.2_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.2_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.2_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.2_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.2_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.2_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.2_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.2_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.2_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.2_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.2_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.2_s390.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_s390.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_s390.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.2_s390.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_s390.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.2_s390.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.2_s390.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.2_s390.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.2_s390.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.2_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.2_sparc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_sparc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_sparc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.2_sparc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_sparc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.2_sparc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.2_sparc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.2_sparc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.2_sparc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.2_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.