KDirStat: Arbitrary command execution — GLSA 201406-15

A vulnerability in KDirStat could allow local attackers to execute arbitrary shell commands.

Affected packages

kde-misc/kdirstat on all architectures
Affected versions < 2.7.5
Unaffected versions >= 2.7.5

Background

KDirStat is a graphical disk usage utility for KDE.

Description

A shell command executed by KDirStat is built without escaping its arguments, which can be used to inject malicious shell commands.
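
As an added illustration, not KDirStat's own code, the defect class described above: an untrusted path spliced unquoted into a shell command string, beside the same construction with the path shell-quoted first. The `%p` placeholder, the template and the function names are assumptions for the example.

```cpp
// Added example (not KDirStat's code): quoting an untrusted path before it is
// interpolated into a command string that will be handed to /bin/sh -c.
#include <iostream>
#include <string>

// Replace every occurrence of `placeholder` in `tmpl` with `value`.
static std::string substitute(const std::string &tmpl,
                              const std::string &placeholder,
                              const std::string &value) {
    std::string out = tmpl;
    std::string::size_type pos = 0;
    while ((pos = out.find(placeholder, pos)) != std::string::npos) {
        out.replace(pos, placeholder.size(), value);
        pos += value.size();   // skip past the inserted value
    }
    return out;
}

// Wrap a value in single quotes so the shell treats it as one literal word.
// A single quote cannot be escaped inside '...', so each embedded ' becomes
// '\'' (close the quoted string, emit an escaped quote, reopen it).
std::string shellQuote(const std::string &value) {
    std::string out = "'";
    for (char c : value) {
        if (c == '\'')
            out += "'\\''";
        else
            out += c;
    }
    out += "'";
    return out;
}

// Hypothetical cleanup-style template where "%p" stands for the selected path.
// Unsafe: metacharacters in a file name (';', '$(...)', '`') become shell syntax.
std::string buildCommandUnsafe(const std::string &tmpl, const std::string &path) {
    return substitute(tmpl, "%p", path);
}

// Hardened: the path is quoted, so the whole file name is a single argument.
std::string buildCommandSafe(const std::string &tmpl, const std::string &path) {
    return substitute(tmpl, "%p", shellQuote(path));
}

int main() {
    const std::string tmpl = "du -sh %p";
    const std::string path = "dir; echo injected";   // constructed file name
    std::cout << "unsafe: " << buildCommandUnsafe(tmpl, path) << '\n';
    std::cout << "safe:   " << buildCommandSafe(tmpl, path) << '\n';
    return 0;
}
```

The unsafe line runs two commands; the safe line passes the whole name as one argument to `du`.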

Impact

A local attacker could possibly execute arbitrary shell commands with the privileges of the process.

Workaround

There is no known workaround at this time.

Resolution

All KDirStat users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=kde-misc/kdirstat-2.7.5"

References

Release date
June 15, 2014

Latest revision
June 15, 2014: 1

Severity
normal

Exploitable
local

Bugzilla entries