List: caldera-announce
Subject: Security Advisory 16
From: listmaster () locutus ! calderasystems ! com
Date: 1999-06-10 16:29:01
______________________________________________________________________________
Caldera Systems, Inc. Security Advisory
Subject: security vulnerability in kmail
Advisory number: CSSA-1999:016.0
Issue date: 1999 June 10
Cross reference:
______________________________________________________________________________
1. Problem Description
There is a security vulnerability in kmail, the KDE mail reader.
The bug allows a local user A to trick kmail user B into overwriting
arbitrary files owned by B.
When displaying a MIME-enhanced mail message, kmail saves the decoded
parts into a temporary directory. This directory is not created safely,
and hence an attacker can use symbolic links to change the destination
where kmail stores its temporary files.
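
An added example, not part of the Caldera advisory and not kmail's actual fix: one way to create the temporary directory safely and to store decoded parts so that a planted symbolic link cannot redirect the write. The "mailparts" prefix and both function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private scratch directory under `base` (for example "/tmp").
 * mkdtemp() picks an unpredictable name and creates the directory
 * atomically with mode 0700. It fails instead of reusing an existing
 * entry, so a directory or symlink planted in advance is never adopted. */
int make_private_dir(const char *base, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/mailparts.XXXXXX", base);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return mkdtemp(out) ? 0 : -1;
}

/* Store one decoded part as `name` inside `dir`.
 * O_EXCL makes open fail on any existing entry, symlinks included, so
 * the write can never land on a file outside the scratch directory. */
int save_part(const char *dir, const char *name, const void *buf, size_t len)
{
    if (name[0] == '\0' || strchr(name, '/')) {   /* plain file names only */
        errno = EINVAL;
        return -1;
    }
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;                 /* e.g. `dir` is itself a symlink */
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    close(dfd);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, buf, len);
    return (close(fd) == 0 && n == (ssize_t)len) ? 0 : -1;
}

int main(void)
{
    char dir[256];
    if (make_private_dir("/tmp", dir, sizeof dir) != 0)
        return 1;
    printf("%s: %d\n", dir, save_part(dir, "part1", "constructed", 11));
    return 0;
}
```
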
2. Vulnerable Versions
Systems: OpenLinux 1.3, 2.2
Packages: previous to kdenetwork-1.1.1-2
3. Solutions
Upgrade to the latest kdenetwork-1.1.1-2
rpm -U kdenetwork-1.1.1-2.i386.rpm
4. Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/OpenLinux/updates/2.2/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/OpenLinux/updates/2.2/current/SRPMS
5. Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -U kdenetwork-1.1.1-2.i386.rpm
6. Verification
5d83e25901b60cf72d7e11987efc3057 kdenetwork-1.1.1-2.i386.rpm
5307d3c43f356bc09064d68ad0815fc1 kdenetwork-1.1.1-2.src.rpm
7. References
This and other Caldera security resources are located at:
http://www.calderasystems.com/news/security/index.html
The original security advisory by Internet Security Systems can be
found at:
http://www.geek-girl.com/bugtraq/1999_2/0685.html
This security fix closes Caldera's internal Problem Report 4620.
8. Disclaimer
Caldera Systems, Inc. is not responsible for the misuse of any of the
information we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended to
promote secure installation and use of Caldera OpenLinux.
______________________________________________________________________________