From listmaster@locutus.calderasystems.com Thu Jun 10 13:35:44 1999
From: listmaster@locutus.calderasystems.com
To: announce@lists.calderasystems.com
Date: 10 Jun 1999 16:29:01 -0000
Reply-To: info@calderasystems.com
Subject: Security Advisory 16

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                   Caldera Systems, Inc.  Security Advisory

Subject:            security vulnerability in kmail
Advisory number:    CSSA-1999:016.0
Issue date:         1999 June 10
Cross reference:
______________________________________________________________________________


1. Problem Description

   There is a security vulnerability in kmail, the KDE mail reader. The bug
   allows a local user A to trick kmail user B into overwriting arbitrary
   files owned by B.

   When displaying a MIME-enhanced mail message, kmail saves the decoded
   parts into a temporary directory. This directory is not created safely:
   kmail does not verify that the path it is about to use is a fresh,
   private directory of its own, so a local attacker who pre-plants a
   symbolic link at that location can redirect where kmail writes its
   temporary files. Because kmail runs as B, the files are created with
   B's privileges at whatever destination the link points to.


2. Vulnerable Versions

   Systems:   OpenLinux 1.3, 2.2
   Packages:  previous to kdenetwork-1.1.1-2


3. Solutions

   Upgrade to the latest kdenetwork-1.1.1-2:

      rpm -U kdenetwork-1.1.1-2.i386.rpm


4. Location of Fixed Packages

   The upgrade packages can be found on Caldera's FTP site at:

      ftp://ftp.calderasystems.com/pub/OpenLinux/updates/2.2/current/RPMS/

   The corresponding source code package can be found at:

      ftp://ftp.calderasystems.com/pub/OpenLinux/updates/2.2/current/SRPMS


5. Installing Fixed Packages

   Upgrade the affected packages with the following commands:

      rpm -U kdenetwork-1.1.1-2.i386.rpm


6. Verification

   MD5 checksums of the fixed packages (compare against md5sum output
   before installing):

      5d83e25901b60cf72d7e11987efc3057  kdenetwork-1.1.1-2.i386.rpm
      5307d3c43f356bc09064d68ad0815fc1  kdenetwork-1.1.1-2.src.rpm


7. References

   This and other Caldera security resources are located at:

      http://www.calderasystems.com/news/security/index.html

   The original security advisory by Internet Security Systems can be
   found at:

      http://www.geek-girl.com/bugtraq/1999_2/0685.html

   This security fix closes Caldera's internal Problem Report 4620.


8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBN1/E+en+9R4958LpAQGpwAP/bANoBL1A//0PpY7QYEHHw/FPFGvkQWJa
WjTul2qmuwCI0Rt87l5l9CKn7t6IMCadMm2Rcr+AinipRe3PPXGv+WisLv4Ix85R
R5OSgV9qKQKQQuCxBbs3A2c1ksezjpbiqFpsfyJHNsSWbBUlO6XWFpJkjW2KXGZa
En7z/vIdc6g=
=FF2F
-----END PGP SIGNATURE-----

-- 
Note: To learn how to use this list server, email a "help" command to
majordomo@lists.calderasystems.com.
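The advisory names the bug class (an unsafely created temporary directory that a local user can replace with a symbolic link) but does not show the code pattern or its fix. The C program below is an added example written for this page; it is not Caldera's or KDE's code and does not reproduce kmail's actual source. It recreates the filesystem mechanics from section 1 inside a throwaway sandbox under $TMPDIR (or /tmp): a vulnerable save routine that reuses a predictable per-user directory name, ignores EEXIST and follows the planted link into a "victim_home" directory, next to a hardened routine that creates a fresh private directory with mkdtemp(), verifies it with lstat(), and creates the part with openat(O_EXCL|O_NOFOLLOW). The directory names kmail-<uid>, victim_home and the part name part1.txt are hypothetical, and both the attacker and victim roles run as the current user, since only the path behaviour is being demonstrated.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Sandboxes are created under $TMPDIR, or /tmp if it is unset. */
static const char *tmp_root(void)
{
    const char *t = getenv("TMPDIR");
    return (t && *t) ? t : "/tmp";
}

/* Vulnerable pattern (illustrative, not kmail's real code): predictable
 * per-user directory name, EEXIST silently accepted so a pre-planted path
 * is reused, and open() follows symbolic links. */
static int vulnerable_save_part(const char *base, uid_t uid,
                                const char *part, const char *data)
{
    char dir[PATH_MAX], file[PATH_MAX];
    snprintf(dir, sizeof dir, "%s/kmail-%lu", base, (unsigned long)uid);
    if (mkdir(dir, 0700) == -1 && errno != EEXIST)
        return -1;
    snprintf(file, sizeof file, "%s/%s", dir, part);
    int fd = open(file, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd == -1)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened pattern: mkdtemp() picks an unpredictable name and fails rather
 * than reuse an existing path; lstat() confirms a private directory we own;
 * the part is created relative to the directory fd with O_EXCL|O_NOFOLLOW. */
static int hardened_save_part(const char *base, const char *part,
                              const char *data, char *dir_out, size_t dir_len)
{
    char dir[PATH_MAX];
    struct stat st;
    snprintf(dir, sizeof dir, "%s/kmail-XXXXXX", base);
    if (mkdtemp(dir) == NULL)
        return -1;
    if (lstat(dir, &st) == -1 || !S_ISDIR(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & 077) != 0)
        return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd == -1)
        return -1;
    int fd = openat(dfd, part, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    close(dfd);
    if (fd == -1)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    snprintf(dir_out, dir_len, "%s", dir);
    return n < 0 ? -1 : 0;
}

/* Constructed scenario: a sandbox holding "victim_home" and, at the
 * predictable name the vulnerable code will use, the attacker's symlink. */
static int plant_attack(char *sandbox, size_t slen, char *victim, size_t vlen)
{
    char link[PATH_MAX];
    snprintf(sandbox, slen, "%s/advisory-demo-XXXXXX", tmp_root());
    if (mkdtemp(sandbox) == NULL)
        return -1;
    snprintf(victim, vlen, "%s/victim_home", sandbox);
    if (mkdir(victim, 0700) == -1)
        return -1;
    snprintf(link, sizeof link, "%s/kmail-%lu", sandbox, (unsigned long)getuid());
    return symlink(victim, link);
}

/* 1 if the vulnerable code wrote through the link into victim_home,
 * 0 if not, -1 on setup error. */
int attack_against_vulnerable(void)
{
    char sandbox[PATH_MAX], victim[PATH_MAX], target[PATH_MAX];
    if (plant_attack(sandbox, sizeof sandbox, victim, sizeof victim) == -1)
        return -1;
    vulnerable_save_part(sandbox, getuid(), "part1.txt", "attacker-chosen content\n");
    snprintf(target, sizeof target, "%s/part1.txt", victim);
    return access(target, F_OK) == 0;
}

/* Same planted link, hardened code: 0 if the part landed in a fresh private
 * directory and victim_home is untouched, 1 if victim_home was written,
 * -1 if saving failed. */
int attack_against_hardened(void)
{
    char sandbox[PATH_MAX], victim[PATH_MAX], target[PATH_MAX], dir[PATH_MAX];
    if (plant_attack(sandbox, sizeof sandbox, victim, sizeof victim) == -1)
        return -1;
    if (hardened_save_part(sandbox, "part1.txt", "decoded MIME part\n",
                           dir, sizeof dir) == -1)
        return -1;
    snprintf(target, sizeof target, "%s/part1.txt", victim);
    if (access(target, F_OK) == 0)
        return 1;
    snprintf(target, sizeof target, "%s/part1.txt", dir);
    return access(target, F_OK) == 0 ? 0 : -1;
}

int main(void)
{
    printf("vulnerable save wrote into victim_home: %s\n",
           attack_against_vulnerable() == 1 ? "yes" : "no");
    printf("hardened save wrote into victim_home:   %s\n",
           attack_against_hardened() == 1 ? "yes" : "no");
    return 0;
}
```

Build with `cc -o tmpdir-demo tmpdir-demo.c` and run it as an unprivileged user; the sandbox directories are left under $TMPDIR for inspection and can be removed afterwards. The fix has three independent parts, and each matters: an unpredictable name (mkdtemp) denies the attacker a target to pre-plant, refusing EEXIST denies reuse of anything that is already there, and O_EXCL|O_NOFOLLOW on the individual part denies a symlink planted inside the directory should its protection ever be weakened.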