KDE KGet Insecure File Operation Vulnerability
Summary
Credit:
The information has been provided by Stefan Cornelius.
The original article can be found at: http://secunia.com/secunia_research/2010-70/
Details
Vulnerable Systems:
* KDE 4.4.2 (KGet 2.4.2)
The vulnerability is caused by KGet downloading files without the user's acknowledgment, and overwriting existing files of the same name, while it is still displaying the dialog box that lets the user choose which of the files offered by a metalink file to download.
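As an added illustration (not KGet's code and not part of the advisory), the defensive pattern this bug calls for: create the destination with O_EXCL so a file of the same name is never silently replaced, and write only the entries the user actually selected from a metalink-style list. The entry names, URLs, file contents and the confirmation callback are all constructed.

```python
import os
import tempfile

class WouldOverwrite(Exception):
    """Raised instead of silently replacing a file that already exists."""

def save_download(dest_path, payload, allow_overwrite=False):
    """Write payload to dest_path. Without allow_overwrite, O_EXCL makes the
    existence check and the create one atomic step: no clobber, no race."""
    flags = os.O_WRONLY | os.O_CREAT | (os.O_TRUNC if allow_overwrite else os.O_EXCL)
    try:
        fd = os.open(dest_path, flags, 0o644)
    except FileExistsError:
        raise WouldOverwrite(dest_path) from None
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    return dest_path

def fetch_selected(entries, selected, download, dest_dir, confirm_overwrite):
    """Metalink-style flow: fetch only what the user selected, and replace an
    existing file only if confirm_overwrite(path) returns True."""
    written = []
    for name, url in entries:
        if name not in selected:
            continue  # unselected entries are neither fetched nor written
        # basename: a name taken from the metalink cannot escape dest_dir
        dest = os.path.join(dest_dir, os.path.basename(name))
        data = download(url)
        try:
            save_download(dest, data)
        except WouldOverwrite:
            if not confirm_overwrite(dest):
                continue
            save_download(dest, data, allow_overwrite=True)
        written.append(dest)
    return written

def demo():
    """Constructed scenario: notes.txt already exists and the user declines to
    replace it; tool.bin is selected and new; extra.bin is left unselected."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "notes.txt"), "wb") as fh:
            fh.write(b"original")
        entries = [("notes.txt", "u1"), ("tool.bin", "u2"), ("extra.bin", "u3")]
        fetch = lambda url: b"payload-" + url.encode()  # stand-in for HTTP
        got = fetch_selected(entries, {"notes.txt", "tool.bin"}, fetch, d,
                             lambda path: False)  # user answers "no"
        with open(os.path.join(d, "notes.txt"), "rb") as fh:
            kept = fh.read()
        return [os.path.basename(p) for p in got], kept, sorted(os.listdir(d))
```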
Patch Availability:
Apply patches for the 4.3 and 4.4 branches committed to the KDE Subversion repository.
CVE Information:
CVE-2010-1511
Disclosure Timeline:
30/04/2010 – Vendor notified
02/05/2010 – Vendor response
13/05/2010 – Public disclosure