Alerts This Week
Warning Icon 1 659
Alerts This Week
Warning Icon 1 659

Ubuntu 10.10 USN-1114-1 Critical KGet File Overwrite Risk

Calendar Apr 18, 2011 User Avatar LinuxSecurity Advisories
1 - 2 min read
Ubuntu Large Esm H500
Topics%20covered

Topics Covered

security advisory critical file overwrite Ubuntu KDE input validation KGet
An attacker could overwrite files owned by the user if KGet opened a crafted metalink file. 
=========================================================================Ubuntu Security Notice USN-1114-1
April 18, 2011

kdenetwork vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 9.10

Summary:

An attacker could overwrite files owned by the user if KGet opened a
crafted metalink file.

Software Description:
- kdenetwork: networking applications for KDE 4

Details:

It was discovered that KGet did not properly perform input validation when
processing metalink files. If a user were tricked into opening a crafted
metalink file, a remote attacker could overwrite files via directory
traversal, which could eventually lead to arbitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.10:
  kget                            4:4.5.1-0ubuntu2.2

Ubuntu 10.04 LTS:
  kget                            4:4.4.5-0ubuntu1.1

Ubuntu 9.10:
  kget                            4:4.3.2-0ubuntu4.5

After a standard system update you need to restart KGet to make all the
necessary changes.

References:
  CVE-2011-1586

Package Information:
  https://launchpad.net/ubuntu/+source/kdenetwork/4:4.5.1-0ubuntu2.2
  https://launchpad.net/ubuntu/+source/kdenetwork/4:4.4.5-0ubuntu1.1
  https://launchpad.net/ubuntu/+source/kdenetwork/4:4.3.2-0ubuntu4.5

Ubuntu 10.10 USN-1114-1 Critical KGet File Overwrite Risk

ubuntu
Calendar Grey April 18, 2011
Dist Ubuntu Esm H88
A recently discovered flaw in KDE KGet presents an opportunity for malicious actors to replace user files through specially designed metalink documents on various Ubuntu versions.
An attacker could overwrite files owned by the user if KGet opened a crafted metalink file.

Summary

Topics%20covered

Topics Covered

security advisory critical file overwrite Ubuntu KDE input validation KGet

Update Instructions

The problem can be corrected by updating your system to the following package versions: Ubuntu 10.10: kget 4:4.5.1-0ubuntu2.2 Ubuntu 10.04 LTS: kget 4:4.4.5-0ubuntu1.1 Ubuntu 9.10: kget 4:4.3.2-0ubuntu4.5 After a standard system update you need to restart KGet to make all the necessary changes.

References

CVE-2011-1586

Severity
critical
Lowest
Low
Medium
High
Critical

April 18, 2011

Topics%20covered

Topics Covered

security advisory critical file overwrite Ubuntu KDE input validation KGet

Package Information

https://launchpad.net/ubuntu/+source/kdenetwork/4:4.5.1-0ubuntu2.2 https://launchpad.net/ubuntu/+source/kdenetwork/4:4.4.5-0ubuntu1.1 https://launchpad.net/ubuntu/+source/kdenetwork/4:4.3.2-0ubuntu4.5

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here