From: Ozgur Karatas (ozgur@ozgurkaratas.com)
Date: Thu 15 Jun 2006 - 08:57:59 GMT
olmasa sasardim. ayrica bilgilendirdigin icin tesekkur ederim usta..
selamlar,
> 0. References
>
> CVE-2006-2449
>
>
> 1. Systems affected:
>
> KDM as shipped with KDE 3.2.0 up to including 3.5.3. KDE 3.1.x and
> older and newer versions than KDE 3.5.3 are not affected.
>
>
> 2. Overview:
>
> KDM allows the user to select the session type for login. This
> setting is permanently stored in the user home directory. By
> using a symlink attack, KDM can be tricked into allowing the
> user to read file content that would otherwise be unreadable
> to this particular user. This vulnerability was discovered
> and reported by Ludwig Nussel.
>
>
> 3. Impact:
>
> KDM might allow a normal user to read the content of /etc/shadow
> or other files, which allows compromising the privacy of another
> user or even the security of the whole system.
>
> 4. Solution:
>
> Source code patches have been made available which fix these
> vulnerabilities. Contact your OS vendor / binary package provider
> for information about how to obtain updated binary packages.
>
>
> 5. Patch:
>
> A patch for KDE 3.4.0 - KDE 3.5.3 is available from
> ftp://ftp.kde.org/pub/kde/security_patches :
>
> 9daecff07d57dabba35da247e752916a post-3.5.0-kdebase-kdm.diff
>
> A patch for KDE 3.3.x is available from
> ftp://ftp.kde.org/pub/kde/security_patches :
>
> f2e1424d97f2cd18674bef833274c5e3 post-3.3.0-kdebase-kdm.diff
>
> A patch for KDE 3.2.x is available from
> ftp://ftp.kde.org/pub/kde/security_patches :
>
> 8aa6b41cccca4216c6eb1cf705c2370a post-3.2.0-kdebase-kdm.diff
>
> --
> �mer Fadıl USTA
> http://www.bilisimlab.com/
,''`. Ozgur Karatas
: :' : ozgur@ozgurkaratas.com
`. `' http://www.ozgurkaratas.com
`- Powered By GNU\Linux
_______________________________________________
Linux mailing list
Linux@liste.linux.org.tr
http://liste.linux.org.tr/mailman/listinfo/linux