Gentoo's Bugzilla – Attachment 45520 Details for Bug 72804: kde-base/kdebase: Konqueror SMB share password disclosure
Draft Advisory
advisory-20041208-1.txt (text/plain), 2.38 KB, created by Caleb Tennis (RETIRED) on 2004-12-08 04:44:54 UTC

KDE Security Advisory: plain text password disclosure
Original Release Date: 2004-12-08
URL: http://www.kde.org/info/security/advisory-20041208-1.txt

0. References

        http://www.sec-consult.com/index.php?id=118


1. Systems affected:

        All KDE 3.2.x releases, KDE 3.3.0, KDE 3.3.1 and KDE 3.3.2.


2. Overview:

        Daniel Fabian notified the KDE security team about a possible
        privacy issue in KDE. When creating a link to a remote file
        from various applications including Konqueror, it might happen
        that the URL contains the authentication credentials
        to access the remote location. This includes but is not
        limited to browsing SMB ("Samba") shares.

        The link reference file, which is a file with the extension
        ".desktop", is a plain text config file that is created
        with default permissions; depending on the user's umask,
        this could include world read permission.

        The KDE team provides patches which will unconditionally
        remove the password from the authentication credentials
        before creating the link. The KDE security team recommends
        storing the password in KWallet instead, which provides
        a convenient way to store passwords securely.


3. Impact:

        Passwords to access remote resources can be viewable by other
        local users.


4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.


5. Patch:

        Patches for KDE 3.3.1 are available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        501852d12f82aebe7eb73ec5d96c9e6d  post-3.3.1-kdebase-smb.diff
        5b9c1738f2de3f00533e376eb64c7137  post-3.3.1-kdelibs-khtml.diff
        f287c900c637af2452c7a554f2df166f  post-3.3.1-kdelibs-kio.diff


        A patch for KDE 3.3.2 is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        d3658e90acec6ff140463ed2fd0e7736  post-3.3.2-kdelibs-kio.diff


        Patches for KDE 3.2.3 are available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        d080d9acf4d2abc5f91ccec8fc463568  post-3.2.3-kdebase-smb.diff
        d79d1717b4bc0b3891bacaaf37deade0  post-3.2.3-kdelibs-khtml.diff
        94e76ec98cd58ce27cad8f886d241986  post-3.2.3-kdelibs-kio.diff
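
An added Python example (not part of the advisory and not code from the KDE patches) for cleaning up link files that were written before the fix: it detects a password in a ".desktop" file's URL, reports whether the file is world-readable, and rewrites it without the password with owner-only permissions. The sample file contents and the assumption that the link target is stored under a key starting with "URL" are constructed for illustration.

```python
import os
import stat
import tempfile
from urllib.parse import urlsplit, urlunsplit

# Constructed sample link file; the user, password and host are made up.
SAMPLE = "[Desktop Entry]\nType=Link\nURL=smb://alice:s3cret@fileserver/share/docs\n"

def strip_password(url):
    """Drop the password from a URL's userinfo, keeping user, host and port."""
    parts = urlsplit(url)
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at or ":" not in userinfo:
        return url  # no credentials, or a user name without a password
    user = userinfo.split(":", 1)[0]
    return urlunsplit(parts._replace(netloc=user + "@" + hostport))

def audit(path):
    """Return (has_password, world_readable, cleaned_lines) for one link file."""
    world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
    has_password, cleaned = False, []
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        for line in fh:
            key, sep, value = line.rstrip("\n").partition("=")
            # Assumption: the link target is stored under a key starting with "URL".
            if sep and key.strip().startswith("URL"):
                safe = strip_password(value.strip())
                has_password |= safe != value.strip()
                line = f"{key}={safe}\n"
            cleaned.append(line)
    return has_password, world_readable, cleaned

def remediate(path):
    """Rewrite a file that held a password and restrict it to its owner."""
    has_password, world_readable, cleaned = audit(path)
    if has_password:
        with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
            fh.writelines(cleaned)
        os.chmod(path, 0o600)
    return has_password, world_readable

def demo():
    """Write SAMPLE with mode 0644, remediate it, and audit it again."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "docs.desktop")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        return remediate(path), audit(path)[:2]
```

A password that was exposed this way should also be changed on the remote server, since other local users may already have read it.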