Mandrake Linux Security Advisory : kdelibs/kdebase (MDKSA-2004:086)
High Nessus Plugin ID 14335
SynopsisThe remote Mandrake Linux host is missing one or more security updates.
DescriptionA number of vulnerabilities were discovered in KDE that are corrected with these update packages.
The integrity of symlinks used by KDE are not ensured and as a result can be abused by local attackers to create or truncate arbitrary files or to prevent KDE applications from functioning correctly (CVE-2004-0689).
The DCOPServer creates temporary files in an insecure manner. These temporary files are used for authentication-related purposes, so this could potentially allow a local attacker to compromise the account of any user running a KDE application (CVE-2004-0690). Note that only KDE 3.2.x is affected by this vulnerability.
The Konqueror web browser allows websites to load web pages into a frame of any other frame-based web page that the user may have open.
This could potentially allow a malicious website to make Konqueror insert its own frames into the page of an otherwise trusted website (CVE-2004-0721).
The Konqueror web browser also allows websites to set cookies for certain country-specific top-level domains. This can be done to make Konqueror send the cookies to all other web sites operating under the same domain, which can be abused to become part of a session fixation attack. All country-specific secondary top-level domains that use more than 2 characters in the secondary part of the domain name, and that use a secondary part other than com, net, mil, org, gove, edu, or int are affected (CVE-2004-0746).
SolutionUpdate the affected packages.