SecurityTracker.com
SecurityTracker
Archives
Category: Application (Generic) > KDE
Vendors: KDE.org
KDE DCOP Bug Lets Local Users Deny Service
SecurityTracker Alert ID: 1013453
SecurityTracker URL: http://securitytracker.com/id/1013453
CVE Reference: CAN-2005-0396 (Links to External Site)
Date: Mar 16 2005
Impact: Denial of service via local system
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 3.4
Description:   A denial of service vulnerability was reported in the KDE Desktop Communication Protocol (DCOP) daemon. A local user can cause the dcopserver to hang.

A local user can stall the DCOP authentication process and cause the dcopserver, which may be used by other users on the system, to lock up. Desktop functionality such as browsing and launching applications may be adversely and significantly affected.

The vendor was notified on February 21, 2005.

Sebastian Krahmer of the SUSE LINUX Security Team reported this vulnerability.

Impact:   A local user can cause the dcopserver to hang, which may affect desktop functionality such as browsing and launching applications for other users.
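As an added illustration (not code from this page or from KDE), the constructed Python sketch below shows the failure class the description refers to: a single-threaded daemon that reads a client's authentication greeting with no deadline is stalled by one silent client, so the next client is never served, while a per-connection authentication timeout bounds the damage. The toy greeting, the localhost port and the timeout values are assumptions; whether the KDE patch mitigates the bug in exactly this way is not stated here.

```python
import socket
import threading
import time

# Constructed toy handshake standing in for the DCOP/ICE authentication step:
# a client must send this greeting before the server does anything else.
AUTH_GREETING = b"AUTH\n"
STALL_SECONDS = 1.5   # how long the misbehaving client stays silent

def authenticate(conn, timeout):
    """Read the greeting under a deadline; True only on a correct greeting.

    With timeout=None the read blocks for as long as the peer stays silent,
    which is the lock-up the advisory describes. With a deadline a stalled
    client costs the server at most `timeout` seconds.
    """
    conn.settimeout(timeout)
    try:
        return conn.recv(len(AUTH_GREETING)) == AUTH_GREETING
    except socket.timeout:
        return False

def serve(listener, timeout, n_clients):
    """Single-threaded accept loop: each client is authenticated in turn."""
    results = []
    for _ in range(n_clients):
        conn, _ = listener.accept()
        with conn:
            results.append(authenticate(conn, timeout))
    return results

def run_demo(timeout):
    """Stalled client first, honest client second; returns (results, seconds)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))   # ephemeral port, loopback only
    listener.listen(5)
    port = listener.getsockname()[1]
    connected = threading.Event()

    def stalled_client():             # connects, then says nothing
        with socket.create_connection(("127.0.0.1", port)):
            connected.set()
            time.sleep(STALL_SECONDS)

    def honest_client():              # sends the greeting right away
        with socket.create_connection(("127.0.0.1", port)) as s:
            s.sendall(AUTH_GREETING)

    threading.Thread(target=stalled_client, daemon=True).start()
    connected.wait()                  # guarantee the stalled client is queued first
    threading.Thread(target=honest_client, daemon=True).start()
    start = time.monotonic()
    results = serve(listener, timeout, 2)
    listener.close()
    return results, time.monotonic() - start
```

`run_demo(0.5)` serves the honest client after about half a second; `run_demo(None)` models the unpatched behaviour, where the honest client waits for the whole stall.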
Solution:   A fixed version (3.4) has been issued.

A patch for KDE 3.1.x is available from ftp://ftp.kde.org/pub/kde/security_patches

377c49d8224612fbf09f70f3c09d52f5 post-3.1.5-kdelibs-dcop.patch

A patch for KDE 3.2.x is available from ftp://ftp.kde.org/pub/kde/security_patches

0948701bffb082c65784dc8a2b648ef0 post-3.2.3-kdelibs-dcop.patch

A patch for KDE 3.3.x is available from ftp://ftp.kde.org/pub/kde/security_patches

7309e259ae1f29be08bbb70e580da3fb post-3.3.2-kdelibs-dcop.patch

Vendor URL:  www.kde.org/info/security/advisory-20050316-1.txt (Links to External Site)
Cause:   State error
Underlying OS:   Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 23 2005 (Fedora Issues Fix) KDE DCOP Bug Lets Local Users Deny Service   (Than Ngo <than@redhat.com>)
Fedora has released a fix.



 Source Message Contents

Date:  Wed, 16 Mar 2005 09:08:57 -0500
Subject:  http://www.kde.org/info/security/advisory-20050316-1.txt



KDE Security Advisory: Local DCOP denial of service vulnerability
Original Release Date: 20050316
URL: http://www.kde.org/info/security/advisory-20050316-1.txt

0. References
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0396


1. Systems affected:

        All KDE versions prior to KDE 3.4 on systems where multiple users
        have access.


2. Overview:

        Sebastian Krahmer of the SUSE LINUX Security Team reported a local
        denial of service vulnerability in KDE's Desktop Communication
        Protocol (DCOP) daemon better known as dcopserver.

        A local user can lock up the dcopserver of arbitrary other users
        on the same machine by stalling the DCOP authentication process.

        Although it is not possible to bypass the authentication process
        this way, it can cause a significant reduction in desktop
        functionality for the affected users.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2005-0396 to this issue.

      
3. Impact:

        A local user can lock up the dcopserver of arbitrary other users
        on the same machine. This can cause a significant reduction in
        desktop functionality for the affected users including, but not
        limited to, the inability to browse the internet and the inability
        to start new applications.


4. Solution:

        Upgrade to KDE 3.4.

        For older versions of KDE, source code patches have been made
        available which fix these vulnerabilities. Contact your OS vendor /
        binary package provider for information about how to obtain updated
        binary packages.


5. Patch:

        A patch for KDE 3.1.x is available from
        ftp://ftp.kde.org/pub/kde/security_patches

        377c49d8224612fbf09f70f3c09d52f5  post-3.1.5-kdelibs-dcop.patch

        A patch for KDE 3.2.x is available from
        ftp://ftp.kde.org/pub/kde/security_patches

        0948701bffb082c65784dc8a2b648ef0  post-3.2.3-kdelibs-dcop.patch

        A patch for KDE 3.3.x is available from
        ftp://ftp.kde.org/pub/kde/security_patches

        7309e259ae1f29be08bbb70e580da3fb  post-3.3.2-kdelibs-dcop.patch


6. Time line and credits:

        21/02/2005 KDE Security informed by SUSE LINUX.
        21/02/2005 Patches applied to KDE CVS.
        02/03/2005 Vendors notified.
        16/03/2005 KDE Security Advisory released.

Copyright 2012, SecurityGlobal.net LLC