[KDbg-l] ANNOUNCE: KDbg 1.2.8 (Security fix)
From: Johannes S. <joh...@te...> - 2003-06-23 19:04:33
I've released KDbg 1.2.8, which fixes a security flaw (and which is the only noteworthy change). It is available for download from the usual locations, see http://members.nextra.at/johsixt/kdbgdownload.html

The problem was that KDbg did not check the permissions of the program specific session files (.kdbgrc files), which store the breakpoint locations among other things. These files are stored in the directory that also contains the program being debugged. If a program is located in a world-writable location, it is possible for a different user to inject malicious commands that are executed with the permission of the user running KDbg.

All versions between 1.1.0 and 1.2.7 (inclusive) (as well as all development versions identifying themselves as 1.9.0) are affected. There is no known work-around, so you are strongly advised to upgrade to 1.2.8.

I have also posted a fix to the development version, which is at 1.9.1 now. This version is available from the CVS, see the link above.

-- Johannes Sixt