Säkerhetsbulletin från Debian

DSA-388-1 kdebase -- flera sårbarheter

Rapporterat den:
2003-09-19
Berörda paket:
kdebase
Sårbara:
Ja
Referenser i säkerhetsdatabaser:
I Bugtraq-databasen (hos SecurityFocus): BugTraq-id 8635, BugTraq-id 8636.
I Mitres CVE-förteckning: CVE-2003-0690, CVE-2003-0692.
Ytterligare information:

Två sårbarheter har upptäckts i kdebase:

  • CAN-2003-0690:

    KDM i KDE 3.1.3 och tidigare verifierar inte huruvida funktionsanropet pam_setcred lyckas eller inte, vilket kan göra det möjligt för angripare att uppnå rootprivilegier genom att utlösa feltillstånd inuti PAM-modulen, något som demonstreras i vissa konfigurationer av MIT pam_krb5-modulen.

  • CAN-2003-0692:

    KDM i KDE 3.1.3 och tidigare använder en svag algoritm för att generera sessionskakor, vilken inte tillhandahåller 128 bitars entropi, vilket gör det möjligt för angripare att gissa sessionskakor via råstyrkemetoder och uppnå tillgång till användarens session.

Dessa sårbarheter beskrivs i följande säkerhetsbulletin från KDE:

http://www.kde.org/info/security/advisory-20030916-1.txt

För den nuvarande stabila utgåvan (Woody) har dessa problem rättats i version 4:2.2.2-14.7.

För den instabila utgåvan (Sid) kommer dessa problem att rättas inom kort.

Vi rekommenderar att ni uppgraderar ert kdebase-paket.

Rättat i:

Debian GNU/Linux 3.0 (woody)

Källkod:
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7.dsc
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7.diff.gz
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2.orig.tar.gz
Arkitekturoberoende komponent:
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-doc_2.2.2-14.7_all.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdewallpapers_2.2.2-14.7_all.deb
Alpha:
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_alpha.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_arm.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_i386.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_ia64.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_hppa.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_m68k.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_mips.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_s390.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/k/kdebase/kate_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-audiolibs_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-dev_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdebase-libs_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kdm_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/konqueror_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/konsole_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/kscreensaver_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq-dev_2.2.2-14.7_sparc.deb
http://security.debian.org/pool/updates/main/k/kdebase/libkonq3_2.2.2-14.7_sparc.deb

MD5-kontrollsummor för dessa filer finns i originalbulletinen.