Overview
KApplication-class, a class used to create KDE applications, creates configuration files without checking for proper ownership or prior existence.
Description
KApplication-class, a class used to create KDE applications, creates configuration files. These files are created in a local directory and named predictably based on the KDE application name. The CREAT call does not check for prior existence or proper ownership. |
Impact
Using a symlink attack, an attacker my cause corruption of any file writable by the user of the application. If the application is setuid root, an attacker may cause corruption of any file in the system. |
Solution
Contact vendor for patches. |
The system administrator could create configuration files for common applications, appropriately named and protected, to forestall the symlink attack, but this would not be a robust fix and may need to be reapplied frequently. |
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
References
Acknowledgements
The initial report of this vulnerability was made by Sebastian Krahmer.
This document was last modified by Tim Shimeall.
Other Information
CVE IDs: | CVE-2000-0530 |
Severity Metric: | 3.79 |
Date Public: | 2000-05-29 |
Date First Published: | 2001-05-30 |
Date Last Updated: | 2001-05-30 14:40 UTC |
Document Revision: | 9 |