COMMAND

    kdelibs

SYSTEMS AFFECTED

    KDE (OpenLinux eDesktop 2.4)

PROBLEM

    The following is based on a Caldera Systems Security Advisory.  There
    is a very serious vulnerability in the way KDE starts applications
    that allows local users to take over any file on the system by
    exploiting a setuid-root KDE application.

    The only vulnerable application  shipped with OpenLinux is  kISDN,
    but third party software might be vulnerable too.

    Vulnerable versions:

        System                                        Package
        ----------------------------------------------------------------------------
        OpenLinux Desktop 2.3                         no vulnerable packages included
        OpenLinux eServer 2.3 and OpenLinux eBuilder  no vulnerable packages included
        OpenLinux eDesktop 2.4                        kISDN


    Caldera Systems wishes to thank Sebastian "Stealth" Krahmer for
    discovering and reporting the bug.

SOLUTION

    There is currently no fix available.  If you do not need kISDN,
    uninstall it by issuing as root:

        rpm -e kisdn

    If you need kISDN on a multiuser workstation, clear the setuid-root
    bit on the binary by running as root:

        chmod u-s /opt/kde/bin/kisdn

    You can still use kisdn by issuing in a terminal window:

        $ su -p
        Password: <your root password>
        # kisdn &
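    The workaround above only helps if the setuid bit is really gone and
    stays gone. The following POSIX shell script is an added example (not
    part of the Caldera advisory) that audits a directory for setuid
    binaries and verifies that clearing the bit took effect. It works on a
    constructed temporary stand-in for /opt/kde/bin rather than the real
    path, so it can be run as an unprivileged user; the file names kisdn
    and kwrite inside it are placeholders for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Caldera advisory: audit a directory for
# setuid binaries and verify the "chmod u-s" mitigation actually applied.
# All paths below are constructed for the demonstration.

# Print every regular file under DIR that carries the setuid bit (04000),
# one per line, sorted so the output is stable.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Exit 0 if FILE has the setuid bit set, 1 otherwise (POSIX test -u).
has_setuid() {
    [ -u "$1" ]
}

# Apply the advisory's mitigation (chmod u-s) to FILE and succeed only if
# the bit is confirmed gone afterwards; a silent chmod failure (read-only
# filesystem, wrong owner) would otherwise leave the system exposed.
drop_setuid() {
    chmod u-s "$1" && ! has_setuid "$1"
}

# Build a constructed stand-in for /opt/kde/bin in a temporary directory:
# "kisdn" mimics the vulnerable setuid-root program, "kwrite" a normal one.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\nexit 0\n' > "$demo_dir/kisdn"
printf '#!/bin/sh\nexit 0\n' > "$demo_dir/kwrite"
chmod 4755 "$demo_dir/kisdn"
chmod 0755 "$demo_dir/kwrite"

# Report the audit result; run drop_setuid "$demo_dir/kisdn" to apply the fix.
echo "setuid files under $demo_dir:"
list_setuid "$demo_dir"
```

    Run against the real installation, list_setuid /opt/kde/bin shows
    which KDE programs are still setuid, and drop_setuid returns non-zero
    if chmod did not take. Re-run the audit after any package update:
    reinstalling the kisdn package restores the permissions recorded in the
    package, which puts the setuid bit back.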