In some instances KDE fails to properly quote parameters of instructions passed to a command shell for execution.
These parameters may incorporate data such as URLs, filenames and e-mail addresses, and this data may be provided remotely to a victim in an e-mail, a webpage or files on a network file system or other untrusted source.
By carefully crafting such data an attacker might be able to execute arbitrary commands on a vulnerable system using the victim's account and privileges.
The KDE Project is aware of several possible ways to exploit these vulnerabilities and is releasing this advisory with patches to correct the issues. The patches also provide better safeguards and check data from untrusted sources more strictly in multiple places.
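The following is an added illustration of the bug class described above and of the quoting fix the advisory refers to; it is not KDE's code. It assumes a POSIX shell and contrasts a command line built by splicing an untrusted filename in verbatim with one in which every parameter is single-quoted first.

```cpp
#include <cstring>
#include <string>
#include <vector>

// Characters a POSIX shell interprets outside quotes. Any parameter built from
// untrusted data (URL, filename, e-mail address) that contains one of these
// must be quoted before it is handed to a shell. (Constructed list, assumption.)
static const char *kShellMeta = " \t\n|&;()<>$`\\\"'*?[]#~=%{}!";

// Check: can this value be placed on a shell command line without quoting?
// An empty word would disappear from the argument vector, so it is unsafe too.
bool isShellSafeUnquoted(const std::string &s) {
    if (s.empty()) return false;
    for (char c : s)
        if (std::strchr(kShellMeta, c) != nullptr) return false;
    return true;
}

// Wrap a value in single quotes so the shell passes it through as exactly one
// word with no expansion; an embedded single quote is emitted as '\'' .
std::string shellQuote(const std::string &s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    out += "'";
    return out;
}

// Vulnerable pattern: untrusted data spliced verbatim into the command string.
// Whitespace or metacharacters in an argument change what the shell executes.
std::string buildUnquoted(const std::string &program,
                          const std::vector<std::string> &args) {
    std::string cmd = program;
    for (const auto &a : args) cmd += " " + a;
    return cmd;
}

// Fixed pattern: every parameter is quoted before it reaches the shell, so the
// shell sees one word per argument regardless of the data's contents.
std::string buildQuoted(const std::string &program,
                        const std::vector<std::string> &args) {
    std::string cmd = program;
    for (const auto &a : args) cmd += " " + shellQuote(a);
    return cmd;
}
```

The stricter course, where a shell is not actually needed, is to skip the shell entirely and pass the argument vector directly to the program.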
Credit:
The information has been provided by Dirk Mueller.
Vulnerable systems:
* All KDE 2 releases and all KDE 3 releases (up to and including KDE 3.0.5).
Impact:
The vulnerabilities potentially enable local or remote attackers to compromise the privacy of a victim's data and to execute arbitrary shell commands with the victim's privileges, such as erasing files or accessing or modifying data.
Solution:
The code audit resulted in several fixes which have been applied to the KDE 2.2.x and each KDE 3.x branch.
All identified problems have been corrected in KDE 3.0.5a. For affected KDE 3.0 systems, we strongly recommend upgrading to this latest stable release.
Please visit the 3.0.5a Info Page (http://www.kde.org/info/3.0.5a.html) and your vendor's website for exact package locations and information about available binary packages or updates.
For affected KDE 2 systems, a patch for the 2.2.2 source code has been made available which fixes these vulnerabilities. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages.
Timeline and credits:
11/26/2002 FozZy of the "Hackademy Audit Project" notified the KDE Security Team about vulnerable code parts.
11/27/2002 Patches for the initially reported vulnerabilities were applied to KDE CVS.
11/27/2002 An audit of KDE CVS was started to find more instances of the problematic code sequences.
12/06/2002 KDE 3.1 release was delayed because the audit was not yet finished.
12/17/2002 Patches for KDE 2.2.2 were created.
12/20/2002 KDE 3.0.5a tarballs were generated and released.
12/21/2002 Public Security Advisory by the KDE Security team.