
List:       caldera-announce
Subject:    Security Advisory 16
From:       listmaster () locutus ! calderasystems ! com
Date:       1999-06-10 16:29:01

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________
		   Caldera Systems, Inc.  Security Advisory

Subject:		security vulnerability in kmail
Advisory number: 	CSSA-1999:016.0
Issue date: 		1999 June 10
Cross reference: 
______________________________________________________________________________


1. Problem Description


   There is a security vulnerability in kmail, the KDE mail reader.
   The bug allows a local user A to trick kmail user B into overwriting
   arbitrary files owned by B.

   When displaying a MIME-enhanced mail message, kmail saves the decoded
   parts into a temporary directory. This directory is not created safely,
   and hence an attacker can use symbolic links to change the destination
   where kmail stores its temporary files.

2. Vulnerable Versions

   Systems:     OpenLinux 1.3, 2.2
   Packages:    previous to kdenetwork-1.1.1-2
      
3. Solutions

   Upgrade to the latest kdenetwork-1.1.1-2
   
   rpm -U kdenetwork-1.1.1-2.i386.rpm
   
4. Location of Fixed Packages

   The upgrade packages can be found on Caldera's FTP site at:

   ftp://ftp.calderasystems.com/pub/OpenLinux/updates/2.2/current/RPMS/

   The corresponding source code package can be found at:

   ftp://ftp.calderasystems.com/pub/OpenLinux/updates/2.2/current/SRPMS


5. Installing Fixed Packages

   Upgrade the affected packages with the following commands:

   rpm -U kdenetwork-1.1.1-2.i386.rpm
   
6. Verification

   5d83e25901b60cf72d7e11987efc3057  kdenetwork-1.1.1-2.i386.rpm
   5307d3c43f356bc09064d68ad0815fc1  kdenetwork-1.1.1-2.src.rpm

7. References

   This and other Caldera security resources are located at:

   http://www.calderasystems.com/news/security/index.html

   The original security advisory by Internet Security Systems can be
   found at:

   http://www.geek-girl.com/bugtraq/1999_2/0685.html
  
   This security fix closes Caldera's internal Problem Report 4620
   
8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBN1/E+en+9R4958LpAQGpwAP/bANoBL1A//0PpY7QYEHHw/FPFGvkQWJa
WjTul2qmuwCI0Rt87l5l9CKn7t6IMCadMm2Rcr+AinipRe3PPXGv+WisLv4Ix85R
R5OSgV9qKQKQQuCxBbs3A2c1ksezjpbiqFpsfyJHNsSWbBUlO6XWFpJkjW2KXGZa
En7z/vIdc6g=
=FF2F
-----END PGP SIGNATURE-----
 --
Note: To learn how to use this list server, email a "help" command to
majordomo@lists.calderasystems.com.
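
Added example (not part of the advisory and not kmail's code): one way to create the temporary directory from section 1 safely and to write decoded parts into it without following symbolic links. The function names, the `mimeparts.XXXXXX` template and the part names are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern of the kind the advisory describes (illustrative only):
 *   mkdir("/tmp/app-<predictable>", 0700);       -- EEXIST ignored
 *   fopen("/tmp/app-<predictable>/part1", "w");  -- follows symlinks
 * If another local user created that path first, the writes land
 * wherever that user's symlinks point. */

/* Create a fresh private directory under base and return a directory fd,
 * or -1. mkdtemp() picks an unpredictable name, creates it with mode 0700
 * and fails rather than reusing an existing entry. */
int make_private_tmpdir(const char *base, char *path, size_t n)
{
    if (snprintf(path, n, "%s/mimeparts.XXXXXX", base) >= (int)n)
        return -1;
    if (mkdtemp(path) == NULL)
        return -1;
    int dfd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    struct stat st;
    /* Re-check what was opened: a directory, ours, no group/other access. */
    if (dfd < 0 || fstat(dfd, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0) {
        if (dfd >= 0)
            close(dfd);
        return -1;
    }
    return dfd;
}

/* Write one decoded part relative to the directory fd. O_EXCL refuses any
 * existing name, including a symlink; O_NOFOLLOW is a second guard. */
int save_part(int dfd, const char *name, const void *buf, size_t len)
{
    if (strchr(name, '/') != NULL || name[0] == '.')
        return -1;              /* part names must not traverse paths */
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, buf, len);
    if (close(fd) != 0 || w != (ssize_t)len)
        return -1;
    return 0;
}
```

Holding the directory by file descriptor and using `openat()` means later writes cannot be redirected by swapping the path for a symlink after the checks.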
