KDE Kommander Arbitrary Code Execution Vulnerability

Eckhart Wörner has reported a vulnerability in KDE, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused by a design error in Kommander, which executes data files containing scripts without user confirmation.

Successful exploitation allows execution of arbitrary code on a user's system via a malicious Kommander file.

The vulnerability affects Quanta 3.1.x and KDE versions 3.2 through 3.4.0.

Solution:
Apply patches.

Patch for KDE 3.4.0:
ftp://ftp.kde.org/pub/kde/securi...t-3.4.0-kdewebdev-kommander.diff
c388b21d91c8326fc9757cd8786713db

Patch for KDE 3.3.2:
ftp://ftp.kde.org/pub/kde/securi...t-3.3.2-kdewebdev-kommander.diff
d210c07121c1ba3a97660a6e166738e6
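
Checking a downloaded patch against the digests listed above before applying it, as an added example that is not part of the advisory or of KDE's patches. It assumes the 32-hex-digit values are MD5 digests; the function names and script name are illustrative.

```bash
#!/bin/sh
# Added example, not part of the advisory or the KDE patches.
# Assumption: the 32-hex-digit values listed on the page are MD5 digests.

# Digests copied from the advisory, keyed by KDE version.
expected_digest() {
    case "$1" in
        3.4.0) echo "c388b21d91c8326fc9757cd8786713db" ;;
        3.3.2) echo "d210c07121c1ba3a97660a6e166738e6" ;;
        *)     return 1 ;;
    esac
}

# verify_digest FILE EXPECTED
# 0 = match, 1 = mismatch, 2 = file missing or digest malformed.
verify_digest() {
    file="$1"
    want="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # Reject anything that is not exactly 32 hex digits (e.g. a truncated paste).
    printf '%s' "$want" | grep -Eq '^[0-9a-f]{32}$' || {
        echo "malformed digest: $2" >&2; return 2; }
    # Read via stdin so the file name never appears in md5sum's output.
    got="$(md5sum < "$file" | cut -d' ' -f1)"
    if [ "$got" = "$want" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file is $got, expected $want" >&2
    return 1
}

# verify_patch VERSION FILE: look up the advisory digest, then compare.
verify_patch() {
    want_listed="$(expected_digest "$1")" || {
        echo "no digest listed for KDE $1" >&2; return 2; }
    verify_digest "$2" "$want_listed"
}

# Command-line use (script name is hypothetical): ./verify.sh 3.4.0 downloaded.diff
if [ "$#" -eq 2 ]; then
    verify_patch "$1" "$2"
fi
```

MD5 is no longer collision-resistant, so a match confirms the download is intact rather than proving where it came from.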

Original Advisory:
KDE:
http://www.kde.org/info/security/advisory-20050420-1.txt
