LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Home Forums Tutorials Articles Register
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Reload this Page KDE Security Advisory: Konqueror Java Vulnerability
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-21-2004, 02:39 PM   #1
C0NIk
LQ Newbie
 
Registered: Oct 2003
Posts: 25

Rep: Reputation: 15
KDE Security Advisory: Konqueror Java Vulnerability

when i was searching for a new ver of KDE i found this @ KDE Security link


KDE Security Advisory: Konqueror Java Vulnerability
Original Release Date: 2004-12-20
URL: http://www.kde.org/info/security/adv...20041220-1.txt

0. References

http://cve.mitre.org/cgi-bin/cvename...=CAN-2004-1145
http://www.heise.de/security/dienste...sts/java.shtml

1. Systems affected:

All versions of KDE up to KDE 3.3.1 inclusive. KDE 3.3.2 is not
affected.


2. Overview:

Two flaws in the Konqueror webbrowser make it possible to by pass
the sandbox environment which is used to run Java-applets.
One flaw allows access to restricted Java classes via JavaScript,
making it possible to escalate the privileges of the Java-applet.
The other problem is that Konqueror fails to correctly restrict
access to certain Java classes from the Java-applet itself.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-1145 to this issue.


3. Impact:

When a user has Java enabled in Konqueror and visits a malicious
website, the website can run a Java-applet and obtain escalated
privileges allowing reading and writing of arbitrary files with
the privileges of the user.


4. Solution:

Upgrade to KDE 3.3.2

A backport has been made available for older versions which fixes
this vulnerability. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.


5. Patch:

For KDE 3.2.3 a backport of the new Java handling is available from
ftp://ftp.kde.org/pub/kde/security_patches :

7fc001d010c640738ed7d2fe347f002d post-3.2.3-kdelibs-khtml-java.tar.bz2


6. Time line and credits:

24/11/2004 security@kde.org contacted by heise Security
29/11/2004 Fixed in KDE CVS by Koos Vriezen
14/12/2004 Backport for KDE 3.2.3
20/12/2004 KDE Advisory released
 
  


Reply



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Security: Java plugin vulnerability!! peacebwitchu Linux - Security 0 11-25-2004 05:48 PM
Konqueror and Java problem in KDE 3.2 stonehurstX11 Mandriva 6 04-27-2004 07:22 PM
Slackware Security Advisory php Linux - Security 0 11-04-2003 09:44 PM
OpenSSH - Major Security Vulnerability jeremy Linux - Security 9 06-27-2002 09:36 PM
Red Hat Security Advisory Aussie Linux - Security 0 02-28-2002 12:12 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:01 PM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration