Slackware: kdebase, kdelibs (SSA:2007-264-01)
Severity: Critical
Source: LinuxSecurity.com Team

New kdebase packages are available for Slackware 12.0 to fix security issues. A long URL padded with spaces could be used to display a false URL in Konqueror's addressbar, and KDM when used with no-password login could be tricked into logging a different user in without a password. This is not the way KDM is configured in Slackware by default, somewhat mitigating the impact of this issue.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  kdebase, kdelibs (SSA:2007-264-01)

New kdebase packages are available for Slackware 12.0 to fix security issues.
A long URL padded with spaces could be used to display a false URL in
Konqueror's addressbar, and KDM when used with no-password login could be
tricked into logging a different user in without a password. This is not the
way KDM is configured in Slackware by default, somewhat mitigating the impact
of this issue.

More details about the issues may be found here:

  https://www.cve.org/CVERecord?id=CVE-2007-3820
  https://www.cve.org/CVERecord?id=CVE-2007-4224
  https://www.cve.org/CVERecord?id=CVE-2007-4225
  https://kde.org/info/security/advisory-20070919-1.txt
  https://www.cve.org/CVERecord?id=CVE-2007-4569
  https://www.cve.org/CVERecord?id=CVE-2007-4225

Here are the details from the Slackware 12.0 ChangeLog:
+--------------------------+
patches/packages/kdebase-3.5.7-i486-3_slack12.0.tgz:
  Patched Konqueror to prevent "spoofing" the URL (i.e. displaying a URL
  other than the one associated with the page displayed).
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2007-3820
    https://www.cve.org/CVERecord?id=CVE-2007-4224
    https://www.cve.org/CVERecord?id=CVE-2007-4225
  Patched KDM issue:
  "KDM can be tricked into performing a password-less login even for
   accounts with a password set under certain circumstances, namely
   autologin to be configured and "shutdown with password" enabled."
  For more information, see:
    https://kde.org/info/security/advisory-20070919-1.txt
    https://www.cve.org/CVERecord?id=CVE-2007-4569
  (* Security fix *)
patches/packages/kdelibs-3.5.7-i486-3_slack12.0.tgz:
  Patched Konqueror's supporting libraries to prevent addressbar spoofing.
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2007-4225
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

HINT:  Getting slow download speeds from ftp.slackware.com?
Give slackware.osuosl.org a try.  This is another primary FTP site
for Slackware that can be considerably faster than downloading
directly from ftp.slackware.com.

Thanks to the friendly folks at the OSU Open Source Lab
(https://osuosl.org/) for donating additional FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://www.slackware.com/ for
additional mirror sites near you.

Updated packages for Slackware 12.0:
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/kdebase-3.5.7-i486-3_slack12.0.tgz

MD5 signatures:
+-------------+

Slackware 12.0 packages:
467ac64778e2a72334b4ac13ff6f3e98  kdebase-3.5.7-i486-3_slack12.0.tgz
13d4eeb321c922503e8edc49f40e95f4  kdelibs-3.5.7-i486-3_slack12.0.tgz

Installation instructions:
+------------------------+

Upgrade the packages as root:
# upgradepkg kdelibs-3.5.7-i486-3_slack12.0.tgz kdebase-3.5.7-i486-3_slack12.0.tgz

+-----+
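The advisory publishes MD5 sums for both packages and then asks the administrator to run upgradepkg as root. Applying a root-level package update fetched over plain FTP without first checking those sums is the step most often skipped, so here is an added helper (not part of the Slackware advisory or of the Slackware tools) that verifies each downloaded package against the sums listed above and checks Slackware's installed-package database before anything is upgraded. The hashes and file names are the ones in the advisory; the PKG_DB override, the function names and the --apply switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of SSA:2007-264-01 or of Slackware's own tooling.
# Verify the downloaded patches against the MD5 sums from the advisory and
# only then call upgradepkg.  Run in the directory holding the .tgz files:
#   sh check_and_upgrade.sh --apply      (as root; omit --apply to only check)

# Package names and MD5 sums exactly as listed in the advisory.
KDELIBS_PKG="kdelibs-3.5.7-i486-3_slack12.0.tgz"
KDELIBS_MD5="13d4eeb321c922503e8edc49f40e95f4"
KDEBASE_PKG="kdebase-3.5.7-i486-3_slack12.0.tgz"
KDEBASE_MD5="467ac64778e2a72334b4ac13ff6f3e98"

# md5_of FILE: print the hex MD5 of FILE (md5sum on Linux, md5 -q on BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# verify_md5 FILE EXPECTED: return 0 when FILE exists and its MD5 equals
# EXPECTED (case-insensitive), 1 otherwise.  A missing file is a failure,
# not a skip, so a typo in a file name cannot silently pass the check.
verify_md5() {
    f=$1
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$f" ]; then
        echo "MISSING  $f" >&2
        return 1
    fi
    got=$(md5_of "$f")
    if [ "$got" = "$want" ]; then
        echo "OK       $f"
        return 0
    fi
    echo "MISMATCH $f (got $got, expected $want)" >&2
    return 1
}

# already_installed PKG.tgz: Slackware records each installed package as a
# file named after the package (without .tgz) under /var/log/packages.
# PKG_DB is an assumed override so the check can be exercised on a test tree.
already_installed() {
    [ -e "${PKG_DB:-/var/log/packages}/${1%.tgz}" ]
}

# check_all: verify both packages; return 0 only if both sums match.
check_all() {
    ok=0
    verify_md5 "$KDELIBS_PKG" "$KDELIBS_MD5" || ok=1
    verify_md5 "$KDEBASE_PKG" "$KDEBASE_MD5" || ok=1
    return $ok
}

# Upgrade only when explicitly asked, and only after every sum has matched.
if [ "${1:-}" = "--apply" ]; then
    if ! check_all; then
        echo "Checksum verification failed; not upgrading." >&2
        exit 1
    fi
    if already_installed "$KDEBASE_PKG" && already_installed "$KDELIBS_PKG"; then
        echo "Both patched builds are already installed; nothing to do."
        exit 0
    fi
    # Same order as the advisory: kdelibs first, then kdebase.
    upgradepkg "$KDELIBS_PKG" "$KDEBASE_PKG"
fi
```

Running the script without --apply reports OK, MISMATCH or MISSING for each file and exits non-zero on any failure, which is what you want from a pre-flight step in an automated patch pipeline; upgradepkg is reached only through the --apply path and only after both sums have matched.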