[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-announce
Subject:    [kde-announce]ANNOUNCE: KDbg 1.2.9 (Security fix)
From:       Johannes Sixt <johannes.sixt () telecom ! at>
Date:       2003-09-07 19:23:04
[Download RAW message or body]

I've released KDbg 1.2.9, which fixes the security flaw that 1.2.8 was 
supposed to fix, but did not. It is available for download from the usual 
locations, see http://members.nextra.at/johsixt/kdbgdownload.html

The problem was that KDbg did not check the permissions of the program 
specific session files (.kdbgrc files), which store the breakpoint locations 
among other things. These files are stored in the directory that also 
contains the program being debugged. If a program is located in a 
world-writable location, it is possible for a different user to inject 
malicious commands that are executed with the permission of the user running 
KDbg.

All versions between 1.1.0 and 1.2.8 (inclusive) (as well as all development 
versions) are affected. There is no known work-around, so you are strongly 
advised to upgrade to 1.2.9.

The fix will be integrated in the development version, but a new release is 
delayed until the important feature that I'm currently working on is ready 
(editing variable values) - this will take a few weeks. For production work 
please use the stable version.

Changelog:

- The previous security fix only protects against accidents, not attacks,
  as Matt Zimmerman pointed out. Did it right this time.

- Fixed charset in the Russian translation (thanks to Alexander Kogan).

-- Johannes Sixt

_______________________________________________
kde-announce mailing list
kde-announce@mail.kde.org
http://mail.kde.org/mailman/listinfo/kde-announce
[prev in list] [next in list] [prev in thread] [next in thread]