‘KDE KGet Insecure File Operation Vulnerability’
‘The information has been provided by Stefan Cornelius.
The original article can be found at: http://secunia.com/secunia_research/2010-70/‘
* KDE 4.4.2 (KGet 2.4.2)
The vulnerability is caused by KGet downloading files without the user’s acknowledgment, overwriting existing files of the same name when displaying a dialog box that allows a user to choose the file to download out of the options offered by a metalink file.
Apply patches for the 4.3 and 4.4 branches committed to the KDE Subversion repository.
30/04/2010 – Vendor notified.
02/05/2010 – Vendor response.
13/05/2010 – Public disclosure.’