Gentoo alert: KDE Personal Information Management Suite Remote Buffer Overflow Vulnerability

Posted by dave on Apr 6, 2004 10:26 AM EDT
Mailing list; By Aida Escriva-Sammer <aescriva@gentoo.org>
Mail this story
Print this story

KDE-PIM may be vulnerable to a remote buffer overflow attack that may allow unauthorized access to an affected system.

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig7E514526CD80DFBC5184F2E3
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200404-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High Title: KDE Personal Information Management Suite Remote Buffer Overflow Vulnerability Date: April 06, 2004 Bugs: #38256 ID: 200404-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis ========

KDE-PIM may be vulnerable to a remote buffer overflow attack that may allow unauthorized access to an affected system.

Background ==========

KDE-PIM is an application suite designed to manage mail, addresses, appointments, and contacts.

Affected packages =================

------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- kde-base/kde <= 3.1.4 >= 3.1.5

Description ===========

A buffer overflow may occur in KDE-PIM's VCF file reader when a maliciously crafted VCF file is opened by a user on a vulnerable system.

Impact ======

A remote attacker may unauthorized access to a user's personal data or execute commands with the user's privileges.

Workaround ==========

A workaround is not currently known for this issue. All users are advised to upgrade to the latest version of the affected package.

Resolution ==========

KDE users should upgrade to version 3.1.5 or later:

# emerge sync

# emerge -pv ">=kde-base/kde-3.1.5" # emerge ">=kde-base/kde-3.1.5"

References ==========

[ 1 ] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0988

Concerns? =========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to [e-mail:security@gentoo.org] or alternatively, you may file a bug at http://bugs.gentoo.org.

--------------enig7E514526CD80DFBC5184F2E3 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAcvFwR3HmQU0NEeoRAn6jAKCKGcuZJkdrT1w1R4Jzn27arktxmwCfW6Nt jYN05Zcw0RPxOpB7Ozl/I6E= =83Gl -----END PGP SIGNATURE-----

--------------enig7E514526CD80DFBC5184F2E3--

[PARSEASHTML]

  Nav
» Read more about: Story Type: Security; Groups: Gentoo

« Return to the newswire homepage

This topic does not have any threads posted yet!

You cannot post until you login.