KDE security advisories have been released today that address minor problems that were brought to the attention of the KDE security team over the last few months. All these issues have been fixed in KDE 3.4; patches are available for older KDE versions.
- The SUSE security team alerted us that a malicious local user can
lock up the dcopserver of arbitrary other users on the same machine
by stalling the DCOP authentication process.
- A problem that affected all browsers that support Internationalized Domain Names (IDN), and that has already been widely publicized, is that IDN support makes them
vulnerable to a phishing technique known as a homograph attack. This problem has been solved by only supporting IDN in those domains for which the domain registrar
enforces a homographic character policy.
- The dcopidlng script is vulnerable to symlink attacks, potentially
allowing a malicious local user to overwrite arbitrary files of a user when
the script is run on behalf of that user. This only affects users
who compile KDE or KDE applications themselves.
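
The IDN mitigation described above, sketched as an added example (this is not KDE's code): a hostname is shown in Unicode only when its top-level domain is on an allowlist, and as its ASCII `xn--` form otherwise. The allowlist contents and the function names are assumptions made for the illustration.

```python
"""Added example: show IDN in Unicode only under TLDs on a policy allowlist."""

# Assumption: constructed allowlist of TLDs whose registry is taken to enforce
# a homographic character policy. This is not KDE's actual list.
IDN_POLICY_TLDS = frozenset({"de", "at", "ch"})


def to_ascii(host: str) -> str:
    """Normalise a hostname to its ASCII (Punycode, 'xn--') form."""
    host = host.strip().rstrip(".").lower()
    if not host:
        raise ValueError("empty hostname")
    # The stdlib 'idna' codec (IDNA 2003) raises UnicodeError, a ValueError
    # subclass, on empty or over-long labels.
    return host.encode("idna").decode("ascii")


def display_host(host: str) -> str:
    """Return the form of `host` that should be shown to the user."""
    ascii_host = to_ascii(host)
    tld = ascii_host.rsplit(".", 1)[-1]
    if tld not in IDN_POLICY_TLDS:
        # No registry policy to rely on: show the raw ASCII form so that a
        # look-alike label is visibly different from the name it imitates.
        return ascii_host
    # Under an allowlisted TLD the registry is trusted to have refused
    # confusable registrations, so the Unicode form can be displayed.
    return ascii_host.encode("ascii").decode("idna")


if __name__ == "__main__":
    samples = [
        "p\u0430ypal.com",   # constructed: Cyrillic U+0430 replaces Latin 'a'
        "b\u00fccher.de",    # constructed: legitimate IDN under an allowlisted TLD
        "xn--bcher-kva.de",  # the same name, already in ASCII form
        "example.com",
    ]
    for s in samples:
        print(f"{s!r:24} -> {display_host(s)!r}")
```
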