ksirc Denial of Service vulnerability
Posted on: 01/10/2007 12:58 PM
KDE Security Advisory: ksirc denial of service vulnerability
Original Release Date: 2007-01-09
1. Systems affected:
ksirc as shipped with KDE 3.5.5 or older. KDE 3.5.6 and newer are not affected.
On 2006-12-27, a proof of concept for arbitrary code execution in ksirc was published by Federico L. Bossi Bonin. The published exploit triggers an assertion in ksirc and results in a NULL pointer dereference (crash) in non-debug builds.
A malicious IRC server can crash the ksirc client. No arbitrary code execution is possible by this vulnerability.
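To illustrate the bug class the advisory describes (input validation that exists only as an assertion, so it is compiled out of a release build and the NULL pointer is dereferenced), here is an added C example; it is not ksirc's code, and the message format, the `trailing_param` helper and both function names are constructed for this illustration:

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration, not ksirc's code. A server line is assumed
 * to carry a trailing parameter introduced by ':' (constructed format).
 * Returns a pointer to the text after the first ':' or NULL if absent. */
static const char *trailing_param(const char *line)
{
    const char *colon = strchr(line, ':');
    return colon ? colon + 1 : NULL;
}

/* Vulnerable pattern: the only validation is an assert(). When the
 * client is built with NDEBUG the assert is removed, so a line without
 * a trailing parameter reaches strlen(NULL) and crashes the client. */
long trailing_len_assert_only(const char *line)
{
    const char *t = trailing_param(line);
    assert(t != NULL);          /* debug build: abort; release build: no-op */
    return (long)strlen(t);     /* NULL dereference in a release build */
}

/* Hardened pattern: an explicit check that survives in every build.
 * Returns the trailing parameter length, or -1 for a malformed line,
 * which the caller treats as a protocol error rather than a crash. */
long trailing_len_checked(const char *line)
{
    const char *t = trailing_param(line);
    if (t == NULL)
        return -1;
    return (long)strlen(t);
}

int main(void)
{
    /* Constructed sample lines: one well-formed, one missing the
     * trailing parameter that a hostile server could simply omit. */
    const char *good = "PRIVMSG #chan :hello";
    const char *bad  = "PRIVMSG #chan";
    printf("checked(good) -> %ld\n", trailing_len_checked(good));
    printf("checked(bad)  -> %ld\n", trailing_len_checked(bad));
    /* trailing_len_assert_only(bad) would abort in a debug build and
     * dereference NULL in a release build, so it is not called here. */
    return 0;
}
```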
Source code patches have been made available which fix this vulnerability. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages.
A patch for KDE 3.5.5 is available from ftp://ftp.kde.org/pub/kde/security_patches