Fwd: ISSalert: ISS Security Advisory: KDE K-Mail File Creation Vulnerability

[Roy Kidder <rkidder ocom com>]

FYI, for those who may not have heard about this one. I got this from
another mailing list as is evident by the headers.


>Delivered-To: alert-out-link iss net
>Delivered-To: alert-out iss net
>Date: Wed, 9 Jun 1999 16:16:41 -0400 (EDT)
>From: X-Force <xforce iss net>
>To: alert iss net
>cc: X-Force <xforce iss net>
>Subject: ISSalert: ISS Security Advisory: KDE K-Mail File Creation 
>Vulnerability
>Sender: owner-alert iss net
>Reply-To: X-Force <xforce iss net>
>X-Loop: alert
>
>
>TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
>majordomo iss net  Contact alert-owner iss net for help with any problems!
>---------------------------------------------------------------------------
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>ISS Security Advisory
>June 9, 1999
>
>KDE K-Mail File Creation Vulnerability
>
>Synopsis:
>
>Internet Security Systems (ISS) X-Force has discovered a vulnerability in
>KDE's K-Mail mail user agent software. KDE is a very popular window manager
>available for most Unix platforms, and provides an easy-to-use interface and
>a number of graphical front ends to common command-line Unix applications.
>K-Mail contains a vulnerability that may allow local attackers to compromise
>the UID of whoever is running K-Mail. The mail client creates insecure
>temporary directories that are used to store MIME encoded files.
>
>Affected Versions:
>
>ISS X-Force has confirmed that this vulnerability exists on version 1.1 of
>KDE window management software.
>
>To determine if you are vulnerable, run the KDE Control Center application
>and see if the version of KDE reported is 1.1 or earlier.
>
>Description:
>
>When K-Mail receives an e-mail with attachments, it creates a directory to
>store the attachments. K-Mail does not verify that the directory already
>exists, and is willing to follow symbolic links, allowing local attackers to
>create files with the contents they choose in any directory writable by the
>user executing K-Mail. If K-Mail is run as root, unauthorized superuser
>access may be obtained.
>
>Fix Information:
>
>KDE has a patch that addresses this vulnerability. It can be retrieved at:
>
>ftp://ftp.kde.org/pub/kde/security_patches/kmail-security-patch.diff
>
>Additional Information:
>
>Information in this advisory was obtained by the research of Brian Mitchell
>bmitchell iss net  ISS X-Force would like to thank Stefan Taferner, Markus
>Wuebben, and the entire KDE organization for their rapid response to this
>vulnerability.
>
>________
>
>Copyright (c) 1999 by Internet Security Systems, Inc.  Permission is
>hereby granted for the electronic redistribution of this Security Alert.
>It is not to be edited in any way without express consent of the X-Force.
>If you wish to reprint the whole or any part of this Alert Summary in any
>other medium excluding electronic medium, please e-mail xforce iss net for
>permission
>
>About ISS
>ISS is the pioneer and leading provider of adaptive network security
>software delivering enterprise-wide information protection solutions. ISS'
>award-winning SAFEsuite family of products enables information risk
>management within intranet, extranet and electronic commerce environments.
>By combining proactive vulnerability detection with real-time intrusion
>detection and response, ISS' adaptive security approach creates a flexible
>cycle of continuous security improvement, including security policy
>implementation and enforcement. ISS SAFEsuite solutions strengthen the
>security of existing systems and have dramatically improved the security
>posture for organizations worldwide, making ISS a trusted security advisor
>for firms in the Global 2000, 21 of the 25 largest U.S. commercial banks
>and over 35 governmental agencies. For more information, call ISS at
>678-443-6000 or 800-776-2362 or visit the ISS Web site at www.iss.net.
>
>Disclaimer
>The information within this paper may change without notice. Use of this
>information constitutes acceptance for use in an AS IS condition. There
>are NO warranties with regard to this information. In no event shall the
>author be liable for any damages whatsoever arising out of or in
>connection with the use or spread of this information. Any use of this
>information is at the user's own risk.
>
>X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as
>well as on MIT's PGP key server and PGP.com's key server.
>
>Please send suggestions, updates, and comments to:
>X-Force <xforce iss net> of Internet Security Systems, Inc.
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.3a
>Charset: noconv
>
>iQCVAwUBN17KEjRfJiV99eG9AQFoKwQAr+KcaxMp3mfYo7THfT02+XS7FS6fiMzk
>PX1y5fVSoArxqbDnjCkDlmCNrXgI+1Di+ppma3TYJdyemEZfylNeic3WHaCrIcg6
>ntZ1Q4/EgnXmC0dPEK/wugGuO/WWLPKww7m1HYnt3sAwVTN5VOYQtdrBXR2XtBnY
>1Tt8b5HVqCw=
>=Qv9+
>-----END PGP SIGNATURE-----
>