KDE start_kdeinit: Multiple vulnerabilities
1.
Gentoo Linux Security Advisory
Version Information
Advisory Reference |
GLSA 200804-30 / kdelibs |
Release Date |
April 29, 2008 |
Latest Revision |
April 08, 2009: 02 |
Impact |
high |
Exploitable |
local |
Package | Vulnerable versions | Unaffected versions | Architecture(s)
kde-base/kdelibs | < 4.0 | revision >= 3.5.8-r4, revision >= 3.5.9-r3, > 4.0, < 3.5.5, revision >= 3.5.10-r2 | All supported architectures
Related bugreports: #218933
Synopsis
Multiple vulnerabilities in start_kdeinit could possibly allow a local
attacker to execute arbitrary code with root privileges.
2. Impact Information
Background
KDE is a feature-rich graphical desktop environment for Linux and
Unix-like operating systems. start_kdeinit is a wrapper for kdeinit.
Description
Vulnerabilities have been reported in the processing of user-controlled
data by start_kdeinit, which is setuid root by default.
Impact
A local attacker could possibly execute arbitrary code with root
privileges, cause a Denial of Service or send Unix signals to other
processes, when start_kdeinit is setuid root.
3. Resolution Information
Workaround
There is no known workaround at this time.
Resolution
All kdelibs users should upgrade to the latest version:
Code Listing 3.1: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=kde-base/kdelibs-3.5.8-r4"
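To confirm whether an installed kdelibs version is still inside the affected range from the version table above, the following added example (not part of the Gentoo advisory or of Portage) evaluates a version string against that table. It assumes "revision >=" means the same upstream version with an equal or higher -r revision, and it handles only plain dotted-numeric versions with an optional -rN suffix; the function names are hypothetical.

```python
import re
import sys

# Ranges copied from the advisory's version table for kde-base/kdelibs.
# "rge" stands for the table's "revision >=" entries (assumed meaning:
# same upstream version, revision at or above the one listed).
VULNERABLE = [("<", "4.0")]
UNAFFECTED = [("rge", "3.5.8-r4"), ("rge", "3.5.9-r3"), (">", "4.0"),
              ("<", "3.5.5"), ("rge", "3.5.10-r2")]


def parse(version):
    """Split '3.5.9-r3' into ((3, 5, 9), 3); a missing revision is r0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)


def matches(op, installed, bound):
    """Test one range entry against an installed version."""
    (iv, ir), (bv, br) = parse(installed), parse(bound)
    if op == "rge":
        return iv == bv and ir >= br
    if op == "<":
        return (iv, ir) < (bv, br)
    if op == ">":
        return (iv, ir) > (bv, br)
    raise ValueError(f"unknown range operator: {op!r}")


def is_affected(installed):
    """Affected = inside a vulnerable range and outside every unaffected one."""
    vulnerable = any(matches(op, installed, b) for op, b in VULNERABLE)
    fixed = any(matches(op, installed, b) for op, b in UNAFFECTED)
    return vulnerable and not fixed


if __name__ == "__main__":
    # Constructed sample versions; pass real ones as arguments instead.
    for v in sys.argv[1:] or ["3.5.8-r3", "3.5.9-r3", "3.5.10-r1", "3.5.4", "4.0.1"]:
        print(f"kdelibs-{v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
```

Revisions are compared only within the same upstream version, so 3.5.9 without a revision is still reported as affected even though 3.5.8-r4 is not.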