KDE KGet Insecure File Operation Vulnerability


A vulnerability was discovered in KDE, which can be exploited by malicious people to bypass certain security features.


The information has been provided by Stefan Cornelius.
The original article can be found at: http://secunia.com/secunia_research/2010-70/


Vulnerable Systems:
 * KDE 4.4.2 (KGet 2.4.2)

The vulnerability is caused by KGet downloading files without the user's acknowledgment, overwriting existing files of the same name, while it is still displaying the dialog box that lets the user choose which of the files offered by a metalink file to download.
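As an added illustration (not code from the advisory or from KGet) of the behaviour a fix needs: the metalink's file list is parsed and offered without starting any transfer, only entries the user explicitly selected are written, and each target is created exclusively so an existing file of the same name is left intact. The sample document, the `fetch` callable standing in for the real transfer, and the plain-file-name check are assumptions of this example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Element namespaces for Metalink 3 (metalinker.org) and Metalink 4 (RFC 5854).
_NS = ("{http://www.metalinker.org/}", "{urn:ietf:params:xml:ns:metalink}")
# Constructed sample: a Metalink 4 document offering two files.
SAMPLE = """<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="a.iso"><url>http://example.invalid/a.iso</url></file>
  <file name="b.iso"><url>http://example.invalid/b.iso</url></file>
</metalink>"""

def list_metalink_files(xml_text):
    """Names offered by the metalink; only parses, transfers nothing."""
    root = ET.fromstring(xml_text)
    return [f.get("name") for ns in _NS for f in root.iter(ns + "file") if f.get("name")]

def save_selected(xml_text, selected, directory, fetch):
    """Write only the files the user explicitly selected; never replace one.
    fetch(name) stands in for the real transfer and returns the bytes. Mode 'xb'
    is O_CREAT|O_EXCL: an existing file of the same name raises FileExistsError."""
    offered = set(list_metalink_files(xml_text))
    written = []
    for name in selected:
        if name not in offered:
            raise ValueError("not offered by the metalink: %r" % name)
        # General hygiene (not something the advisory describes): accept only
        # a plain file name so the target stays inside the download directory.
        if name in ("", ".", "..") or name != os.path.basename(name):
            raise ValueError("not a plain file name: %r" % name)
        dest = os.path.join(directory, name)
        with open(dest, "xb") as fh:
            fh.write(fetch(name))
        written.append(dest)
    return written

def demo():
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "b.iso"), "wb") as fh:
            fh.write(b"existing user data")        # pre-existing file
        a_only = save_selected(SAMPLE, ["a.iso"], d, lambda n: b"new")
        try:
            save_selected(SAMPLE, ["b.iso"], d, lambda n: b"clobber")
            overwritten = True
        except FileExistsError:
            overwritten = False
        with open(os.path.join(d, "b.iso"), "rb") as fh:
            kept = fh.read()
    return {"written": [os.path.basename(p) for p in a_only],
            "b_overwritten": overwritten, "b_content": kept}
```

`demo()` shows the two outcomes side by side: the selected file is written, and the pre-existing file keeps its original contents.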

Patch Availability:
Apply patches for the 4.3 and 4.4 branches committed to the KDE Subversion repository.

CVE Information:

Disclosure Timeline:
30/04/2010 – Vendor notified.
02/05/2010 – Vendor response.
13/05/2010 – Public disclosure.

Categories: UNIX