[dot] Security: Advisories for DCOP and Konqueror

Dot Stories stories at kdenews.org
Wed Mar 16 13:41:45 CET 2005


URL: http://dot.kde.org/1110976625/

From: Waldo Bastian <bastian at kde.org>
Dept: 3.4-is-around-the-corner
Date: Wednesday 16/Mar/2005, @13:37

Security: Advisories for DCOP and Konqueror
===========================================

   Three KDE security advisories [http://www.kde.org/info/security/]
have been released today that address minor problems that were brought
to the attention of the KDE security team over the last few months. All
these issues have been fixed in KDE 3.4; for older KDE versions, patches
are available from ftp://ftp.kde.org/pub/kde/security_patches.


   The SUSE security team alerted us that a malicious local user can
lock up the dcopserver of arbitrary other users on the same machine
[http://www.kde.org/info/security/advisory-20050316-1.txt] by stalling
the DCOP authentication process.

   A problem that affected all browsers that support International
Domain Names (IDN) and that has been widely publicized already is that
the IDN support makes Konqueror vulnerable to a phishing technique known
as a Homograph attack
[http://www.kde.org/info/security/advisory-20050316-2.txt]. This problem
has been solved by only supporting IDN in those domains for which the
domain registrar enforces a homographic character policy.

   The dcopidlng script is vulnerable to symlink attacks
[http://www.kde.org/info/security/advisory-20050316-3.txt], potentially
allowing a malicious local user to overwrite arbitrary files of a user
when the script is run on behalf of that user. This only affects users
who compile KDE or KDE applications themselves.
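
The IDN mitigation described above (Unicode shown only for domains whose
registrar enforces a homographic character policy), as an added example
that is not Konqueror's code. IDN_TRUSTED_TLDS is a constructed sample
list, and to_ascii and display_host are hypothetical names.

```python
"""TLD-gated IDN display: show Unicode only where the registry is trusted."""

# Constructed sample allowlist (assumption): TLDs whose registrar is taken to
# enforce a homographic character policy. Not KDE's actual list.
IDN_TRUSTED_TLDS = frozenset({"de", "at"})


def to_ascii(host: str) -> str:
    """Normalise a hostname to its ASCII (xn--) form; reject malformed names."""
    try:
        return host.strip().rstrip(".").lower().encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError(f"invalid hostname: {host!r}") from exc


def display_host(host: str, trusted=IDN_TRUSTED_TLDS) -> str:
    """Return the hostname form that is safe to show to the user."""
    ascii_host = to_ascii(host)
    tld = ascii_host.rsplit(".", 1)[-1]
    if tld not in trusted:
        # No homograph policy known for this TLD: keep the raw xn-- form so a
        # look-alike label cannot pass for the name it imitates.
        return ascii_host
    try:
        return ascii_host.encode("ascii").decode("idna")
    except UnicodeError:
        # Malformed punycode label: fall back to the ASCII form.
        return ascii_host


if __name__ == "__main__":
    # Constructed inputs; U+0430 is CYRILLIC SMALL LETTER A.
    for name in ("bücher.de", "xn--bcher-kva.de", "p\u0430ypal.com", "kde.org"):
        print(f"{name!r:24} -> {display_host(name)}")
```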


