Debian Security Advisory

DSA-238-1 kdepim -- multiple vulnerabilities

Date Reported:
23 Jan 2003
Affected Packages:
kdepim
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2002-1393.
More information:

The KDE team has discovered several vulnerabilities in the K Desktop Environment. In some cases KDE fails to put quotes around the parameters of instructions that are passed to the command shell for execution. These parameters can contain data such as URLs, filenames and e-mail addresses, and this data can be supplied to the victim from outside via an e-mail, a web page, files on a network file system or another untrusted source.

By carefully crafting such data, an attacker may be able to execute arbitrary commands on a vulnerable system, using the victim's account and privileges. The KDE project is not aware of any exploits of these vulnerabilities. The fixes also provide better safeguards and, in many places, carry out more thorough checks of data received from untrusted sources.
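The quoting defect described above, shown as an added C++ example that is not code from kdepim or the KDE project: the unquoted command-line construction the advisory describes, a metacharacter check a reviewer can apply to untrusted data, the single-quoting fix the advisory mentions, and the stronger alternative of passing an argument vector so no shell parses the data at all. The program name `kview` and the sample filename are constructed for illustration.

```cpp
#include <string>
#include <vector>

// Vulnerable pattern from the advisory: untrusted data (a filename, URL or
// e-mail address) is pasted, unquoted, into a command line that a shell
// will parse. Any shell metacharacter in the data is interpreted, not passed.
std::string buildShellCommand(const std::string& program, const std::string& untrusted) {
    return program + " " + untrusted;
}

// Characters a POSIX shell treats specially. Useful as a detection check
// on data before it is allowed anywhere near a shell.
bool containsShellMetachars(const std::string& s) {
    static const std::string meta = ";&|<>`$()\\\"' \t\n*?[]{}~#";
    return s.find_first_of(meta) != std::string::npos;
}

// The fix the advisory describes: wrap the parameter in single quotes so the
// shell treats it as one literal word. An embedded ' is closed, escaped and
// reopened as '\'' so it cannot terminate the quoted region.
std::string shellQuote(const std::string& s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    out += "'";
    return out;
}

std::string buildQuotedShellCommand(const std::string& program, const std::string& untrusted) {
    return program + " " + shellQuote(untrusted);
}

// Stronger alternative: bypass the shell entirely and hand the program an
// execvp-style argument vector. The data becomes exactly one argv entry,
// whatever characters it contains, so there is nothing left to quote.
std::vector<std::string> buildArgv(const std::string& program, const std::string& untrusted) {
    return {program, untrusted};
}
```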

For the current stable distribution (woody) these problems have been fixed in version 2.2.2-5.2.

The old stable distribution (potato) does not contain KDE packages.

For the unstable distribution (sid) these problems will most probably not be fixed, but new KDE 3.1 packages are expected in sid this year.

We recommend that you upgrade your KDE packages.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Source:
http://security.debian.org/pool/updates/main/k/kdepim/kdepim_2.2.2-5.2.dsc
http://security.debian.org/pool/updates/main/k/kdepim/kdepim_2.2.2-5.2.diff.gz
http://security.debian.org/pool/updates/main/k/kdepim/kdepim_2.2.2.orig.tar.gz
Alpha:
http://security.debian.org/pool/updates/main/k/kdepim/kandy_2.2.2-5.2_alpha.deb
http://security.debian.org/pool/updates/main/k/kdepim/kdepim-dev_2.2.2-5.2_alpha.deb
http://security.debian.org/pool/updates/main/k/kdepim/kdepim-libs_2.2.2-5.2_alpha.deb
http://security.debian.org/pool/updates/main/k/kdepim/korganizer_2.2.2-5.2_alpha.deb
http://security.debian.org/pool/updates/main/k/kdepim/kpilot_2.2.2-5.2_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/k/kdepim/kandy_2.2.2-5.2_arm.deb
http://security.debian.org/pool/updates/main/k/kdepim/kdepim-dev_2.2.2-5.2_arm.deb
http://security.debian.org/pool/updates/main/k/kdepim/kdepim-libs_2.2.2-5.2_arm.deb
http://security.debian.org/pool/updates/main/k/kdepim/korganizer_2.2.2-5.2_arm.deb
http://security.debian.org/pool/updates/main/k/kdepim/kpilot_2.2.2-5.2_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/k/kdepim/kandy_2.2.2-5.2_i386.deb
http://security.debian.org/pool/updates/main/k/kdepim/kdepim-dev_2.2.2-5.2_i386.deb
http://security.debian.org/pool/updates/main/k/kdepim/kdepim-libs_2.2.2-5.2_i386.deb
http://security.debian.org/pool/updates/main/k/kdepim/korganizer_2.2.2-5.2_i386.deb
http://security.debian.org/pool/updates/main/k/kdepim/kpilot_2.2.2-5.2_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/k/kdepim/kandy_2.2.2-5.2_ia64.deb
http://security.debian.org/pool/updates/main/k/kdepim/kdepim-dev_2.2.2-5.2_ia64.deb
http://security.debian.org/pool/updates/main/k/kdepim/kdepim-libs_2.2.2-5.2_ia64.deb
http://security.debian.org/pool/updates/main/k/kdepim/korganizer_2.2.2-5.2_ia64.deb
http://security.debian.org/pool/updates/main/k/kdepim/kpilot_2.2.2-5.2_ia64.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/k/kdepim/kandy_2.2.2-5.2_m68k.deb
http://security.debian.org/pool/updates/main/k/kdepim/kdepim-dev_2.2.2-5.2_m68k.deb
http://security.debian.org/pool/updates/main/k/kdepim/kdepim-libs_2.2.2-5.2_m68k.deb
http://security.debian.org/pool/updates/main/k/kdepim/korganizer_2.2.2-5.2_m68k.deb
http://security.debian.org/pool/updates/main/k/kdepim/kpilot_2.2.2-5.2_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/k/kdepim/kandy_2.2.2-5.2_mips.deb
http://security.debian.org/pool/updates/main/k/kdepim/kdepim-dev_2.2.2-5.2_mips.deb
http://security.debian.org/pool/updates/main/k/kdepim/kdepim-libs_2.2.2-5.2_mips.deb
http://security.debian.org/pool/updates/main/k/kdepim/korganizer_2.2.2-5.2_mips.deb
http://security.debian.org/pool/updates/main/k/kdepim/kpilot_2.2.2-5.2_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/k/kdepim/kandy_2.2.2-5.2_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdepim/kdepim-dev_2.2.2-5.2_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdepim/kdepim-libs_2.2.2-5.2_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdepim/korganizer_2.2.2-5.2_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdepim/kpilot_2.2.2-5.2_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/k/kdepim/kandy_2.2.2-5.2_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdepim/kdepim-dev_2.2.2-5.2_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdepim/kdepim-libs_2.2.2-5.2_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdepim/korganizer_2.2.2-5.2_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdepim/kpilot_2.2.2-5.2_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/k/kdepim/kandy_2.2.2-5.2_s390.deb
http://security.debian.org/pool/updates/main/k/kdepim/kdepim-dev_2.2.2-5.2_s390.deb
http://security.debian.org/pool/updates/main/k/kdepim/kdepim-libs_2.2.2-5.2_s390.deb
http://security.debian.org/pool/updates/main/k/kdepim/korganizer_2.2.2-5.2_s390.deb
http://security.debian.org/pool/updates/main/k/kdepim/kpilot_2.2.2-5.2_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/k/kdepim/kandy_2.2.2-5.2_sparc.deb
http://security.debian.org/pool/updates/main/k/kdepim/kdepim-dev_2.2.2-5.2_sparc.deb
http://security.debian.org/pool/updates/main/k/kdepim/kdepim-libs_2.2.2-5.2_sparc.deb
http://security.debian.org/pool/updates/main/k/kdepim/korganizer_2.2.2-5.2_sparc.deb
http://security.debian.org/pool/updates/main/k/kdepim/kpilot_2.2.2-5.2_sparc.deb

MD5 checksums of the listed files are available in the original advisory.