Debian Security Advisory

DLA-367-1 kdelibs -- LTS security update

Date Reported:
10 Dec 2015
Affected Packages:
kdelibs
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2015-7543.
More information:

It has been reported that kdelibs uses the insecure mktemp() function to choose the name of the temporary directory it uses to host user-specific sockets. mktemp() only generates a name that does not exist at the moment of the call; the directory itself is created by a separate call, so another local user can create that path first and hijack the directory, gaining access to sockets it should not be able to reach.

In Debian 6 Squeeze, this issue has been addressed in kdelibs version 3.5.10.dfsg.1-5+deb6u1 by using the safer mkdtemp() function, which generates the name and creates the directory in a single call. We recommend that you upgrade your kdelibs packages.

Other Debian releases have newer versions of the libraries (kdelibs4) that are not affected by this problem.
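The difference between the two calls the advisory turns on, as an added example that is not Debian's or KDE's code: the racy mktemp()-then-mkdir() pattern beside the mkdtemp() fix, with a local user who wins the race simulated by a hypothetical attacker callback. The /tmp/ksocket-demo-XXXXXX template and the function names are assumptions for the illustration only.

```c
/* Added example, not from the kdelibs sources: the mktemp()+mkdir() race
 * beside the atomic mkdtemp() replacement. */
#define _DEFAULT_SOURCE
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (the shape of the kdelibs bug): mktemp() only turns the
 * XXXXXX suffix into a name that does not exist *right now*; the directory is
 * created by a second call.  Between the two, any local user who can write to
 * the parent (/tmp) may create the same path first.  The hypothetical
 * `attacker` callback stands in for that concurrent user. */
static int make_socket_dir_racy(char *path, void (*attacker)(const char *)) {
    if (mktemp(path) == NULL || path[0] == '\0')
        return -1;                       /* could not pick a free name */
    if (attacker != NULL)
        attacker(path);                  /* the race window */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    /* Tolerating EEXIST is exactly the hijack: the program goes on to place
     * its sockets in a directory it did not create and does not control. */
    return 0;
}

/* Fixed pattern: mkdtemp() generates the name and creates the directory in
 * one call with mode 0700, retrying on EEXIST, so there is no window in
 * which someone else can supply the directory. */
static int make_socket_dir_safe(char *path) {
    return mkdtemp(path) == NULL ? -1 : 0;
}

/* Post-condition a careful caller checks either way: a real directory (not a
 * symlink), owned by us, with no access for anyone else.  Returns 1 if so. */
static int dir_is_private(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISDIR(st.st_mode) && st.st_uid == getuid()
        && (st.st_mode & 0777) == 0700;
}

/* Simulated attacker: wins the race by creating the directory first, wide
 * open, so every other user can reach the sockets later placed inside. */
static void attacker_grabs_dir(const char *path) {
    mkdir(path, 0777);
    chmod(path, 0777);                   /* defeat the umask */
}

/* Runs both patterns against the simulated attacker.  Returns 1 when the racy
 * version ended up using an attacker-controlled directory while the mkdtemp()
 * version did not, 0 otherwise, -1 if /tmp could not be used.  Cleans up. */
int demo(void) {
    char racy[] = "/tmp/ksocket-demo-XXXXXX";   /* constructed template */
    char safe[] = "/tmp/ksocket-demo-XXXXXX";
    int racy_ok, safe_ok;

    if (make_socket_dir_racy(racy, attacker_grabs_dir) != 0)
        return -1;
    racy_ok = dir_is_private(racy);      /* 0: hijacked, mode 0777 */
    rmdir(racy);

    if (make_socket_dir_safe(safe) != 0)
        return -1;
    safe_ok = dir_is_private(safe);      /* 1: created atomically as 0700 */
    rmdir(safe);

    return (racy_ok == 0 && safe_ok == 1) ? 1 : 0;
}

int main(void) {
    int r = demo();
    printf("racy pattern hijacked, mkdtemp() pattern private: %s\n",
           r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

The ownership and mode check in dir_is_private() is worth keeping even with mkdtemp(): it is the cheap way to confirm, after the fact, that the directory about to hold sockets is the one the process created and nothing else.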