List: kde-announce
Subject: [kde-announce]ANNOUNCE: KDbg 1.2.9 (Security fix)
From: Johannes Sixt <johannes.sixt () telecom ! at>
Date: 2003-09-07 19:23:04
I've released KDbg 1.2.9, which fixes the security flaw that 1.2.8 was
supposed to fix, but did not. It is available for download from the usual
locations, see http://members.nextra.at/johsixt/kdbgdownload.html
The problem was that KDbg did not check the permissions of the program
specific session files (.kdbgrc files), which store the breakpoint locations
among other things. These files are stored in the directory that also
contains the program being debugged. If a program is located in a
world-writable location, it is possible for a different user to inject
malicious commands that are executed with the permission of the user running
KDbg.
All versions between 1.1.0 and 1.2.8 (inclusive) (as well as all development
versions) are affected. There is no known work-around, so you are strongly
advised to upgrade to 1.2.9.
The fix will be integrated in the development version, but a new release is
delayed until the important feature that I'm currently working on is ready
(editing variable values) - this will take a few weeks. For production work
please use the stable version.
Changelog:
- The previous security fix only protects against accidents, not attacks,
as Matt Zimmerman pointed out. Did it right this time.
- Fixed charset in the Russian translation (thanks to Alexander Kogan).
-- Johannes Sixt
_______________________________________________
kde-announce mailing list
kde-announce@mail.kde.org
http://mail.kde.org/mailman/listinfo/kde-announce
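The class of check the announcement describes, written out as an added C example (this is not KDbg's code and does not reproduce its actual fix): before loading a program-specific session file from the directory that holds the program being debugged, the file is opened without following symlinks and then inspected via fstat() on the open descriptor, so the decision is made about the very inode that will be read rather than about a path that another user could swap underneath a stat() call. A file is trusted only if it is a regular file, owned by the effective user running the debugger, and not writable by group or others. The function name open_trusted_session_file, the sample "prog.kdbgrc" content, and the scratch directory under /tmp are all constructed for this example.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a session file only if it is safe to trust.  Returns an open
 * read-only descriptor, or -1 (errno set) if the file is missing, is a
 * symlink, is not a regular file, is owned by someone else, or can be
 * written by group/others.  All checks run on the descriptor (fstat),
 * never on the path, to avoid a check-then-open race. */
int open_trusted_session_file(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                          /* ENOENT, or ELOOP for a symlink */

    struct stat st;
    if (fstat(fd, &st) != 0) {
        close(fd);
        return -1;
    }
    if (!S_ISREG(st.st_mode)                /* device, fifo, ... */
        || st.st_uid != geteuid()           /* planted by another user */
        || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) { /* others could edit it */
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Demonstration: build three cases in a scratch directory and return a
 * bitmask of which ones were accepted (bit 0: private 0600 file,
 * bit 1: same file made world-writable, bit 2: symlink to the file).
 * Only bit 0 should ever be set, i.e. the expected result is 1. */
int demo_results(void)
{
    char dir[] = "/tmp/kdbgrc-demo-XXXXXX";     /* constructed scratch dir */
    if (mkdtemp(dir) == NULL)
        return -1;

    char good[256], link[256];
    snprintf(good, sizeof good, "%s/prog.kdbgrc", dir);
    snprintf(link, sizeof link, "%s/link.kdbgrc", dir);

    /* Constructed sample session file, created with mode 0600. */
    const char *sample = "[Breakpoints]\nbreakpoint0=main.c:42\n";
    int fd = open(good, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, sample, strlen(sample)) < 0) {
        if (fd >= 0) close(fd);
        unlink(good); rmdir(dir);
        return -1;
    }
    close(fd);

    int result = 0;

    /* Case 1: owned by us, 0600 -> accepted. */
    if ((fd = open_trusted_session_file(good)) >= 0) { result |= 1; close(fd); }

    /* Case 2: same file, but anyone may write it -> rejected. */
    chmod(good, 0666);
    if ((fd = open_trusted_session_file(good)) >= 0) { result |= 2; close(fd); }

    /* Case 3: a symlink pointing at the (again private) file -> rejected,
     * because O_NOFOLLOW refuses to traverse it. */
    chmod(good, 0600);
    if (symlink(good, link) == 0) {
        if ((fd = open_trusted_session_file(link)) >= 0) { result |= 4; close(fd); }
        unlink(link);
    }

    unlink(good);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_results();
    printf("accepted-cases bitmask: %d (expected 1)\n", r);
    return r == 1 ? 0 : 1;
}
```

The ownership test is what defeats an attacker in a world-writable directory: they can create or replace the .kdbgrc file, but the replacement is owned by their uid and is refused. A mode-only check would still be fooled by an attacker-owned file with mode 0644, which is why the ownership and the permission bits are checked together.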