From: Davide Madrisan <davide.madrisan@qilinux.it.>
To: bugtraq@securityfocus.com
Subject: insecure temporary file creation in kdelibs 3.3.2
Date: Fri, 11 Feb 2005 09:16:38 +0100
User-Agent: KMail/1.7.2
MIME-Version: 1.0
Content-Type: multipart/signed;
boundary="nextPart2438405.WZZcDvR8QJ";
protocol="application/pgp-signature";
micalg=pgp-sha1
Content-Transfer-Encoding: 7bit
Message-Id: <200502110916.48921.davide.madrisan@qilinux.it.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
--nextPart2438405.WZZcDvR8QJ
Content-Type: text/plain;
charset="iso-8859-15"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
The `dcopidlng' script in the KDE library package=20
(kdelibs-3.3.2/dcop/dcopidlng/dcopidlng)
creates temporary files in a unsecure manner.
This bug has been fixed in 32 minutes (!) by Stephan Kulow, the KDE team=20
leader. Here you can found the official patch:
http://bugs.kde.org/show_bug.cgi?id=3D97608
Note: This bug has been find by `autospec', the work-in-progress tool used =
by=20
the QiLinux team to (semi)automatically create specfiles from tarballs and=
=20
update/check rpm packages. It's released under GPL and not QiLinux specific.
The latest release can be found at the URL:
ftp://ftp.qilinux.it/pub/QiLinux/devel/tools/autospec/
#include <best/regards.h>
=2D--
Davide Madrisan
QiLinux Security Team Leader
PGP keyID: 4B72B0B9 fp: 2B79 BFF1 EE33 EE8C 3258 E43C CDA8 EFF3 4B72 B0B9
PGP public key: <http://pgp.mit.edu/>;
http://www.qilinux.it
--nextPart2438405.WZZcDvR8QJ
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
iD8DBQBCDGnwzajv80tysLkRAue5AJ9URfELO5YrD4poMJVd2rYF3Y8OFQCfYWgu
Kfp1X4bwxqiEK/hsHfQf//s=
=PARd
-----END PGP SIGNATURE-----
--nextPart2438405.WZZcDvR8QJ--
