Debian Security Advisory

DSA-388-1 kdebase -- several vulnerabilities

Date Reported:
19 Sep 2003
Affected Packages:
kdebase
Vulnerable:
Yes
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 8635, BugTraq ID 8636.
In Mitre's CVE dictionary: CVE-2003-0690, CVE-2003-0692.
More information:

Two vulnerabilities have been discovered in kdebase:

  • CAN-2003-0690:

    KDM in KDE 3.1.3 and earlier does not verify whether the call to pam_setcred succeeded, which may allow attackers to gain root privileges by triggering error conditions within PAM modules, as demonstrated with certain configurations of the MIT pam_krb5 module.

  • CAN-2003-0692:

    KDM in KDE 3.1.3 and earlier uses a weak session cookie generation algorithm that does not provide 128 bits of entropy, which allows attackers to guess session cookies by brute force and gain access to the user's session.

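The following C program illustrates the cookie weakness (CAN-2003-0692). It is example code added to this page; it is not part of the Debian advisory and does not reproduce KDM's actual generator. A cookie derived entirely from one 32-bit seed (here a Unix timestamp fed to the C library's rand()) carries at most 32 bits of entropy however many hex digits it prints, so an attacker holding one captured cookie recovers the seed by trying a plausible time window; the fixed generator draws all 128 bits from /dev/urandom. The seeding scheme, the one-hour search window and the /dev/urandom source are assumptions made for the example, and the sample timestamp is constructed (the advisory's date at 00:00 UTC).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COOKIE_BYTES 16                 /* MIT-MAGIC-COOKIE-1 is 128 bits */
#define COOKIE_HEX   (2 * COOKIE_BYTES + 1)

static void to_hex(const unsigned char *in, size_t n, char *out)
{
    static const char digits[] = "0123456789abcdef";
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * n] = '\0';
}

/* Weak generator, modelling the class of flaw in CAN-2003-0692 (assumed
 * shape, not KDM's code): every byte is derived from one 32-bit seed, so
 * the cookie carries at most 32 bits of entropy however long it looks. */
void weak_cookie(uint32_t seed, char out[COOKIE_HEX])
{
    unsigned char raw[COOKIE_BYTES];
    srand((unsigned int)seed);
    for (size_t i = 0; i < COOKIE_BYTES; i++)
        raw[i] = (unsigned char)(rand() & 0xff);
    to_hex(raw, COOKIE_BYTES, out);
}

/* Attacker side: with one cookie in hand (sniffed, or read from a
 * readable authority file), enumerate the seeds in a plausible window
 * and stop at the one that reproduces it. Returns 1 and sets *found on
 * success, 0 if no seed in [lo, hi] matches. */
int brute_force_weak_cookie(const char *target_hex, uint32_t lo, uint32_t hi,
                            uint32_t *found)
{
    char candidate[COOKIE_HEX];
    for (uint32_t s = lo; s <= hi; s++) {
        weak_cookie(s, candidate);
        if (strcmp(candidate, target_hex) == 0) {
            *found = s;
            return 1;
        }
        if (s == UINT32_MAX)            /* no wrap-around when hi == UINT32_MAX */
            break;
    }
    return 0;
}

/* Fixed generator: take all 128 bits from the kernel CSPRNG. Returns 0 on
 * success, -1 if the device cannot be read; the caller must then refuse to
 * start the session rather than fall back to a weaker source. */
int strong_cookie(char out[COOKIE_HEX])
{
    unsigned char raw[COOKIE_BYTES];
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(raw, 1, COOKIE_BYTES, f);
    fclose(f);
    if (got != COOKIE_BYTES)
        return -1;
    to_hex(raw, COOKIE_BYTES, out);
    return 0;
}

int main(void)
{
    /* Constructed input: the advisory's date, 2003-09-19 00:00 UTC, as the
     * timestamp a weak generator might have been seeded with. */
    const uint32_t login_time = 1063929600u;
    char cookie[COOKIE_HEX];
    uint32_t seed;

    weak_cookie(login_time, cookie);
    printf("weak cookie:   %s\n", cookie);

    /* Search one hour either side of the captured cookie's creation time. */
    if (brute_force_weak_cookie(cookie, login_time - 3600u, login_time + 3600u, &seed))
        printf("recovered seed %u after at most 7201 guesses\n", (unsigned int)seed);

    if (strong_cookie(cookie) == 0)
        printf("strong cookie: %s (128 bits from /dev/urandom)\n", cookie);
    else
        fprintf(stderr, "no random source: refusing to start the session\n");
    return 0;
}
```

Both cookies print as 32 hex digits and are indistinguishable by eye; the weakness is only visible in how the bytes are derived, so the check that matters is a review of the generator's seeding, not an inspection of sample cookies. For the affected packages the remedy is the upgrade below, not a local patch to the generator.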
These vulnerabilities are described in the following KDE security advisory:

http://www.kde.org/info/security/advisory-20030916-1.txt

For the current stable distribution (woody) these problems have been fixed in version 4:2.2.2-14.7. Note that this version string carries the Debian epoch 4:, which does not appear in the file names listed below; compare against the epoch-qualified version when checking installed packages.

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you upgrade your kdebase package.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Source archives:
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7.dsc
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7.diff.gz
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2.orig.tar.gz
Architecture-independent components:
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-doc_2.2.2-14.7_all.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdewallpapers_2.2.2-14.7_all.deb
Alpha:
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_sparc.deb

MD5 checksums of the listed files are available in the original advisory.