Gentoo Logo

KDE URI Handler Vulnerabilities


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200405-11 / kdelibs
Release Date May 19, 2004
Latest Revision May 19, 2004: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
kde-base/kdelibs <= 3.2.2 >= 3.2.2-r1, = 3.1.5-r1 All supported architectures

Related bugreports: #51276


Vulnerabilities in KDE URI handlers makes your system vulnerable to various attacks.

2.  Impact Information


The K Desktop Environment (KDE) is a powerful Free Software graphical desktop environment. KDE makes use of URI handlers to trigger various programs when specific URLs are received.


The telnet, rlogin, ssh and mailto URI handlers in KDE do not check for '-' at the beginning of the hostname passed. By crafting a malicious URI and entice an user to click on it, it is possible to pass an option to the programs started by the handlers (typically telnet, kmail...).


If the attacker controls the options passed to the URI handling programs, it becomes possible for example to overwrite arbitrary files (possibly leading to denial of service), to open kmail on an attacker-controlled remote display or with an alternate configuration file (possibly leading to control of the user account).

3.  Resolution Information


There is no known workaround at this time. All users are advised to upgrade to a corrected version of kdelibs.


Users of KDE 3.1 should upgrade to the corrected version of kdelibs:

Code Listing 3.1: Resolution

# emerge sync
# emerge -pv "=kde-base/kdelibs-3.1.5-r1"
# emerge "=kde-base/kdelibs-3.1.5-r1"

Users of KDE 3.2 should upgrade to the latest available version of kdelibs:

Code Listing 3.2: Resolution

# emerge sync
# emerge -pv ">=kde-base/kdelibs-3.2.2-r1"
# emerge ">=kde-base/kdelibs-3.2.2-r1"

4.  References


Page updated May 19, 2004

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2015 Gentoo Foundation, Inc. Questions, Comments? Contact us.