KDocker contains a flaw related to the execution of files that may allow an attacker, authenticated to the X session, to send X client messages and have KDocker execute programs not owned by the owner of the KDocker process. No further details have been provided.
Classification
Location:
Local Access Required
Attack Type:
Authentication Management
Impact:
Loss of Confidentiality
Exploit:
Exploit Public
Disclosure:
OSVDB Verified
Technical
The below code was added to kdocker.cpp from line 416:
    if (stat(tmp, &buf) || (getuid() != buf.st_uid)) {
        unlink(tmp);
        return TRUE;
    }
    if (getuid() != buf.st_uid)
        return TRUE;
With the comment:
"We make sure that the owner of this process and the owner of the file are the same. This will prevent someone from executing arbitrary programs by sending client message. Of course, you can send a message only if you are authenticated to the X session. So this code is there just for the heck of it."
Solution
Upgrade to version 0.9 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.