KDE Kmail application allows local compromise of the UID of users reading mail
kde-kmail (2265)
Description:
KMail, shipped in the kdenetwork package of KDE 1.1, creates files under temporary user directories at predictable names and opens them without guarding against symbolic links. Because those directories are writable by other local users, an attacker can plant a symlink at the expected name ahead of time; when the victim next runs KMail, the file is created or overwritten at the link's target with the victim's UID and permissions (a symlink race, CVE-1999-0735). The attacker can thereby create or clobber files on behalf of any user who reads mail with KMail, and so gain that user's privileges.
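The following C program is an added illustration, not KMail's code and not part of the ISS advisory: it reproduces the temporary-file pattern that CVE-1999-0735 describes (open a predictable path with O_CREAT and nothing else) beside the hardened form (O_EXCL|O_NOFOLLOW, or mkstemp), and shows in a private directory that a pre-planted symlink hijacks the first and is refused by the second. The directory and file names, and the "victim"/"attacker" roles, are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern, as in the KMail 1.1 issue: a predictable path is opened
 * with O_CREAT but without O_EXCL or O_NOFOLLOW. If another local user has
 * already planted a symlink at 'path', open() follows it and the data lands
 * on the link's target with the caller's UID and permissions. */
int unsafe_write(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Hardened pattern: O_EXCL makes open() fail with EEXIST when anything,
 * including a dangling symlink, already sits at 'path'; O_NOFOLLOW refuses
 * to traverse a symlink in the final component (ELOOP). A planted link is
 * therefore never followed. */
int safe_write(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;          /* errno is EEXIST or ELOOP if a link was there */
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Preferred for real temporary files: mkstemp() picks an unpredictable name
 * and creates it atomically with O_CREAT|O_EXCL, so there is no fixed path
 * for an attacker to pre-create. 'tmpl' must end in "XXXXXX". */
int open_private_tmp(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Reads at most n-1 bytes from 'path' into buf; returns bytes read or -1. */
static ssize_t read_small(const char *path, char *buf, size_t n)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    ssize_t r = read(fd, buf, n - 1);
    close(fd);
    if (r < 0)
        return -1;
    buf[r] = '\0';
    return r;
}

/* Demonstration in a private directory (constructed for this example): the
 * "attacker" plants a symlink at a predictable name pointing at a file the
 * "victim" owns. Returns 1 when the unsafe pattern overwrote the victim's
 * file, the hardened open() refused the link, and the hardened open() still
 * worked on an untampered path; 0 otherwise, -1 if setup failed. */
int demo(void)
{
    char dir[] = "/tmp/kmail-symlink-demo.XXXXXX";
    char target[256], link[256], fresh[256], buf[64];
    int result = 0;

    if (!mkdtemp(dir))
        return -1;
    snprintf(target, sizeof target, "%s/victim_file", dir);
    snprintf(link, sizeof link, "%s/predictable.tmp", dir);
    snprintf(fresh, sizeof fresh, "%s/untouched.tmp", dir);

    if (unsafe_write(target, "original") == 0 &&  /* victim-owned file */
        symlink(target, link) == 0) {             /* attacker plants link */
        /* Victim's program writes "its" temp file; the write is redirected. */
        int overwritten = unsafe_write(link, "attacker") == 0 &&
                          read_small(target, buf, sizeof buf) > 0 &&
                          strcmp(buf, "attacker") == 0;
        /* Hardened open refuses the planted link... */
        int refused = safe_write(link, "attacker") == -1 &&
                      (errno == EEXIST || errno == ELOOP);
        /* ...but still works where nobody tampered. */
        int works = safe_write(fresh, "ok") == 0;
        result = overwritten && refused && works;
    }

    unlink(fresh);
    unlink(link);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo();
    printf("unsafe open hijacked, hardened open refused: %s\n",
           r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

The fix shipped in the updated kdenetwork packages is the same idea: never create a file at a name another local user could have pre-created, or create it in a way (O_EXCL, mkstemp, a mode-0700 directory from mkdtemp) that fails closed if something is already there.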
Platforms Affected:
- KDE, K Desktop Environment (KDE) 1.1
- RedHat, Linux 6.0
- SCO, Caldera OpenLinux 1.3
- SCO, Caldera OpenLinux 2.2
Remedy:
This problem exists in the Kmail package distributed through KDE 1.1. Upgrade to the latest Kmail package (version 1.1.2 or later), available from the KDE Web site. See References. Unless you have a version-specific requirement, it is best to use the latest stable version.
For Caldera OpenLinux:
Upgrade to the latest version of kdenetwork (1.1.1-2 or later), as listed in Caldera Systems, Inc. Security Advisory CSSA-1999-016.0. See References.
For Red Hat Linux:
Upgrade to KDE 1.1.1 final, as listed in RHSA-1999:015-01. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
Consequences:
Gain Privileges
References:
- Caldera International, Inc. Security Advisory CSSA-1999-016.0, security vulnerability in kmail at ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-1999:016.0.txt.
- Internet Security Systems Security Alert #27, KDE K-Mail File Creation Vulnerability at http://www.iss.net/xforce/alerts/id/advise27.
- KDE Web site, KDE-1.1.2 versus KDE-1.1.1 List of problems fixed and features added at http://www.kde.org/announcements/changelog1_1_1to1_1_2.html.
- RHSA-1999:015-01, KDE update for Red Hat Linux 6.0 at http://rhn.redhat.com/errata/RHSA-1999-015.html.
- BID-300: KDE K-Mail File Creation Vulnerability
- CVE-1999-0735: KDE K-Mail allows local users to gain privileges via a symlink attack in temporary user directories.
Reported:
Jun 09, 1999
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
