A possible local root exploit affecting all versions of artswrapper
(introduced in KDE 2 pre-releases) was posted late Sunday to some of the well-known
security websites. The exploit only affects installations which install
artswrapper setuid "root". A patch (with
signature) against KDE 3.0.2 was released almost immediately (thanks
to George Staikos and Dirk Mueller), and new packages
are being built.
In the meantime, it is strongly recommended that system administrators
unset the setuid bit on artswrapper (with
chmod ug-s), particularly on multi-user machines.
More details, as they arise, will be posted to the
KDE 3.0.2 Info Page.
Update: 07/08 19:25:49 by N: There appears to be some confusion as to whether this is a real exploit or not. The patch has currently been retracted, so stay tuned for updates. As usual, those of you who wish to err on the side of caution simply have to remove the setuid bit on artswrapper.
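The mitigation recommended above, written out as a small audit script. This is an added example, not part of the original post or of KDE; the function names, the search over PATH and the use of $KDEDIR/bin are assumptions about where artswrapper is installed.

```shell
#!/bin/sh
# Added example (not from the original post): find artswrapper and remove its
# setuid/setgid bits, as the post recommends with "chmod ug-s".
# Usage: sh strip_artswrapper.sh [DIR ...]   (run as root to change root-owned files)

# has_setid FILE: true if FILE is a regular file with the setuid or setgid bit set.
has_setid() {
    [ -f "$1" ] && { [ -u "$1" ] || [ -g "$1" ]; }
}

# strip_artswrapper DIR...: check DIR/artswrapper in each DIR, strip the bits
# where present, and re-check. Returns 1 if any copy still carries a bit.
strip_artswrapper() {
    failed=0
    for dir in "$@"; do
        bin="$dir/artswrapper"
        [ -f "$bin" ] || continue
        if ! has_setid "$bin"; then
            echo "ok (no setuid/setgid bit): $bin"
            continue
        fi
        ls -l "$bin"    # record owner and mode before changing them
        if chmod ug-s "$bin" && ! has_setid "$bin"; then
            echo "stripped: $bin"
        else
            echo "FAILED, still setuid/setgid: $bin" >&2
            failed=1
        fi
    done
    return "$failed"
}

# With no arguments, search every PATH entry plus $KDEDIR/bin if KDEDIR is set
# (assumption: artswrapper lives in one of these; pass directories otherwise).
if [ "$#" -eq 0 ]; then
    old_ifs=$IFS; IFS=:
    set -f; set -- $PATH ${KDEDIR:+"$KDEDIR/bin"}; set +f
    IFS=$old_ifs
fi
strip_artswrapper "$@"
```

Reinstalling or upgrading the package can restore the original file mode, so run the check again after installing new packages.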