From kde-announce Sun Sep 07 19:23:04 2003 From: Johannes Sixt Date: Sun, 07 Sep 2003 19:23:04 +0000 To: kde-announce Subject: [kde-announce]ANNOUNCE: KDbg 1.2.9 (Security fix) X-MARC-Message: https://marc.info/?l=kde-announce&m=106296509815092 I've released KDbg 1.2.9, which fixes the security flaw that 1.2.8 was supposed to fix, but did not. It is available for download from the usual locations, see http://members.nextra.at/johsixt/kdbgdownload.html The problem was that KDbg did not check the permissions of the program specific session files (.kdbgrc files), which store the breakpoint locations among other things. These files are stored in the directory that also contains the program being debugged. If a program is located in a world-writable location, it is possible for a different user to inject malicious commands that are executed with the permission of the user running KDbg. All versions between 1.1.0 and 1.2.8 (inclusive) (as well as all development versions) are affected. There is no known work-around, so you are strongly advised to upgrade to 1.2.9. The fix will be integrated in the development version, but a new release is delayed until the important feature that I'm currently working on is ready (editing variable values) - this will take a few weeks. For production work please use the stable version. Changelog: - The previous security fix only protects against accidents, not attacks, as Matt Zimmerman pointed out. Did it right this time. - Fixed charset in the Russian translation (thanks to Alexander Kogan). -- Johannes Sixt _______________________________________________ kde-announce mailing list kde-announce@mail.kde.org http://mail.kde.org/mailman/listinfo/kde-announce