[SECURITY] [DLA 952-1] kde4libs security update

2017-05-25T16:25:46
ID DEBIAN:DLA-952-1:E72E9
Type debian
Reporter Debian
Modified 2017-05-25T16:25:46

Description

Package : kde4libs Version : 4:4.8.4-4+deb7u3 CVE ID : CVE-2013-2074 CVE-2017-6410 CVE-2017-8422 Debian Bug : 856890

Several vulnerabilities were discovered in kde4libs, the core libraries for all KDE 4 applications. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2017-6410

Itzik Kotler, Yonatan Fridburg and Amit Klein of Safebreach Labs
reported that URLs are not sanitized before passing them to
FindProxyForURL, potentially allowing a remote attacker to obtain
sensitive information via a crafted PAC file.

CVE-2017-8422

Sebastian Krahmer from SUSE discovered that the KAuth framework
contains a logic flaw in which the service invoking dbus is not
properly checked. This flaw allows spoofing the identity of the
caller and gaining root privileges from an unprivileged account.

CVE-2013-2074

It was discovered that KIO would show web authentication
credentials in some error cases.

For Debian 7 "Wheezy", these problems have been fixed in version 4:4.8.4-4+deb7u3.

We recommend that you upgrade your kde4libs packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS