Debian: 'kdelibs' Privacy escalation

    Date21 Aug 2002
    CategoryDebian
    2312
    Posted ByLinuxSecurity Advisories
    Due to a security engineering oversight, the SSL library from KDE,which Konqueror uses, doesn't check whether an intermediatecertificate for a connection is signed by the certificate authority assafe for the purpose, but accepts it when it is signed.
    
    --------------------------------------------------------------------------
    Debian Security Advisory DSA 155-1                     This email address is being protected from spambots. You need JavaScript enabled to view it. 
    http://www.debian.org/security/ Martin Schulze
    August 17th, 2002                        http://www.debian.org/security/faq
    --------------------------------------------------------------------------
    
    Package        : kdelibs
    Vulnerability  : privacy escalation with Konquerer
    Problem-Type   : remote and local
    Debian-specific: no
    
    Due to a security engineering oversight, the SSL library from KDE,
    which Konqueror uses, doesn't check whether an intermediate
    certificate for a connection is signed by the certificate authority as
    safe for the purpose, but accepts it when it is signed.  This makes it
    possible for anyone with a valid VeriSign SSL site certificate to
    forge any other VeriSign SSL site certificate, and abuse Konqueror
    users.
    
    A local root exploit using artsd has been discovered which exploited
    an insecure use of a format string.  The exploit wasn't working on a
    Debian system since artsd wasn't running setuid root.  Neither artsd
    nor artswrapper need to be setuid root anymore since current computer
    systems are fast enuogh to handle the audio data in time.
    
    Theese problems have been fixed in version 2.2.2-13.woody.2 for the
    current stable stable distribution (woody).  The old stable
    distribution (potato) is not affected, since it doesn't contain KDE
    packages.  The unstable distribution (sid) is not yet fixed, but new
    packages are expected in the future, the fixed version will be version
    2.2.2-14 or higher.
    
    We recommend that you upgrade your kdelibs and libarts packages and
    restart Konquerer.
    
    wget url
    	will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 3.0 alias woody
    --------------------------------
    
      Source archives:
    
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2-13.woody.2.dsc
    Size/MD5 checksum:     1353 6d3afab0283f8ed78182cc4cd589e3aa
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2-13.woody.2.diff.gz
    Size/MD5 checksum:    37757 a275d8046f3e3e55667999a9cee8da11
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2.orig.tar.gz
    Size/MD5 checksum:  6396699 7a9277a2e727821338f751855c2ce5d3
    
      Alpha architecture:
    
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_alpha.deb
    Size/MD5 checksum:  7531410 f4bc703fb176dbbddbd6bbe49804ba83
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_alpha.deb
    Size/MD5 checksum:   137240 190891a3c0fef082ccf13773edba2421
         http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_alpha.deb
    Size/MD5 checksum:  1019270 486bd20490b9719224e196d4a841d929
    
      ARM architecture:
    
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_arm.deb
    Size/MD5 checksum:  6587724 62dd551e38d7d05a10582a93476ad004
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_arm.deb
    Size/MD5 checksum:   103294 8c220ecf60463fdaa7d760b63b66dcaa
         http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_arm.deb
    Size/MD5 checksum:   649542 92942b23b750c5a35e85799be75a0b74
    
      Intel IA-32 architecture:
    
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_i386.deb
    Size/MD5 checksum:  6617430 93a871489d1a1f32383b0c0514545a1a
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_i386.deb
    Size/MD5 checksum:   104714 b289a9eb6b4533ae251c774e608fad7a
         http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_i386.deb
    Size/MD5 checksum:   622918 dd63dcfcf246d68dd7290203ec728bb9
    
      Intel IA-64 architecture:
    
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_ia64.deb
    Size/MD5 checksum:  8839684 3b3e75ab35d4f1ad784501dd846f47e2
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_ia64.deb
    Size/MD5 checksum:   152264 16b2767335efd8b9be6ce0c4e53591e4
         http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_ia64.deb
    Size/MD5 checksum:  1043554 aef7406f318114957c138f0c73e995b5
    
      HP Precision architecture:
    
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_hppa.deb
    Size/MD5 checksum:  7343042 9598ffafb15f6f475c9d968e7379a6f0
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_hppa.deb
    Size/MD5 checksum:   116182 fef2669769195ae7a0fffc8af9b3e4a6
         http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_hppa.deb
    Size/MD5 checksum:  1108370 e0451bccbfd2607437fd533a4289577a
    
      Motorola 680x0 architecture:
    
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_m68k.deb
    Size/MD5 checksum:  6482780 25eea2c82ce16c02c70c20b9e8e84ed3
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_m68k.deb
    Size/MD5 checksum:   102350 339f2012e6d948ccdc72e86ab0c9707d
         http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_m68k.deb
    Size/MD5 checksum:   626630 43d5e7580584ba1180be6d1931d7162a
    
      Big endian MIPS architecture:
    
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_mips.deb
    Size/MD5 checksum:  6282488 02b0ed0c55873d7dd3e164c14803bad0
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_mips.deb
    Size/MD5 checksum:   105688 c4b304e33706f8c403ddd2fd7abdb4fb
         http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_mips.deb
    Size/MD5 checksum:   618968 042b025250637c2c20685426b4aa9940
    
      Little endian MIPS architecture:
    
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_mipsel.deb
    Size/MD5 checksum:  6188974 75e0cb5f0accf3a19332ada0c8493d40
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_mipsel.deb
    Size/MD5 checksum:   104638 996725d47377ddd8c3cd61e9812b8503
         http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_mipsel.deb
    Size/MD5 checksum:   611868 00c1a37f7d7c73bdc905981bcc604c0f
    
      PowerPC architecture:
    
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_powerpc.deb
    Size/MD5 checksum:  6725896 186a74697ee20bac21ebfbd136a2d94a
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_powerpc.deb
    Size/MD5 checksum:   104784 33b024d9470b9f35c2c8a102d45f617b
         http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_powerpc.deb
    Size/MD5 checksum:   689064 3a4da07fdfd1d68e64384a88bc136ad2
    
      IBM S/390 architecture:
    
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_s390.deb
    Size/MD5 checksum:  6662796 9b1eeb84d8d6434691be1c6525c3724e
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_s390.deb
    Size/MD5 checksum:   107204 9776b47d7a6422aebb5429d8db10121a
         http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_s390.deb
    Size/MD5 checksum:   630562 2bd1ae83bb772d2d69a414ecc7c41612
    
      Sun Sparc architecture:
    
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_sparc.deb
    Size/MD5 checksum:  6578464 f13e301c02ad68abca4463a2647967b3
         http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_sparc.deb
    Size/MD5 checksum:   116494 7509215017a945ba715d77851ebad64c
         http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_sparc.deb
    Size/MD5 checksum:   662558 af629316aeec854052127c29a8c0d99c
    
    
      Please note that the kdelibs source package produces more binary
      packages than the ones listed above, which are note relevant for the
      fixed problems, though.
    
      These files will probably be moved into the stable distribution on
      its next revision.
    
    ---------------------------------------------------------------------------------
    For apt-get: deb  http://security.debian.org/ stable/updates main
    For dpkg-ftp:  ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and  http://packages.debian.org/
    
    
    
    
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"25","type":"x","order":"1","pct":54.35,"resources":[]},{"id":"88","title":"Should be more technical","votes":"5","type":"x","order":"2","pct":10.87,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"16","type":"x","order":"3","pct":34.78,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.