Date: 16 Aug 2004 11:48:28 +0200
From: SecuriTeam <[email protected]>
To: [email protected]Subject: [UNIX] KDE Temporary Directory Vulnerability
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
KDE Temporary Directory Vulnerability
------------------------------------------------------------------------
SUMMARY
The SUSE security team was alerted that in some cases the integrity of
symlinks used by KDE are not ensured and that these symlinks can be
pointing to stale locations. This can be abused by a local attacker to
create or truncate arbitrary files or to prevent KDE applications from
functioning correctly (Denial of Service).
KDE creates in ~/.kde symlinks to a temporary directory, a socket
directory and a cache directory. When a user logs into the KDE environment
the startkde script ensures that these symlinks are present and point to
directories that are owned by the user. However, when a user runs KDE
applications outside the KDE environment or when a user runs a KDE
applications as another user, such as root, the integrity of these
symlinks is not checked and it is possible that a previously created but
now stale symlinks exist.
DETAILS
Systems affected:
* All versions of KDE up to KDE 3.2.3 inclusive
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0689>;
CAN-2004-0689
Impact:
When a stale symlink is present a local attacker could create the
directory that the symlink is pointing to with his own credentials to
prevent access to this directory by KDE applications. This can prevent KDE
applications from functioning correctly.
When a stale symlink is present a local attacker could create the
directory that the symlink is pointing to with his own credentials. Since
KDE applications will attempt to create files with certain known names in
this directory, an attacker can abuse this to overwrite arbitrary files
with the privileges of the user.
Solution:
Source code patches have been made available which fix these
vulnerabilities. Contact your OS vendor / binary package provider for
information about how to obtain updated binary packages.
Time line and credits:
23/06/2004 SUSE Security Team alerted by Andrew Tuitt
26/06/2004 Patches created
27/07/2004 Vendors notified
11/08/2004 Public advisory
ADDITIONAL INFORMATION
The information has been provided by <mailto:[email protected]> Waldo
Bastian.
The original article can be found at:
<http://www.kde.org/info/security/advisory-20040811-1.txt>;
http://www.kde.org/info/security/advisory-20040811-1.txt
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
