Buffer overflow in the VCF file information reader for KDE Personal Information Management (kdepim) suite in KDE 3.1.0 through 3.1.4 allows attackers to execute arbitrary code via a VCF file.

A buffer overflow is present in some versions of the KDE personal information manager (kdepim) which may be triggered when processing a specially crafted VCF file.

The remote host is affected by the vulnerability described in GLSA-200404-02 (KDE Personal Information Management Suite Remote Buffer Overflow Vulnerability)

    A buffer overflow may occur in KDE-PIM's VCF file reader when a maliciously     crafted VCF file is opened by a user on a vulnerable system.
  Impact :

    A remote attacker may unauthorized access to a user's personal data or     execute commands with the user's privileges.
  Workaround :

    A workaround is not currently known for this issue. All users are advised     to upgrade to the latest version of the affected package.

A vulnerability was discovered in all versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4. This vulnerability allows for a carefully crafted .VCF file to potentially enable a local attacker to compromise the privacy of a victim's data or execute arbitrary commands with the victim's privileges. This can also be used by remote attackers if the victim enables previews for remote files;
however this is disabled by default.

The provided packages contain a patch from the KDE team to correct this problem.

The KDE team found a buffer overflow in the file information reader of VCF files. An attacker could construct a VCF file so that when it was opened by a victim it would execute arbitrary commands. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0988 to this issue.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated kdepim packages are now available that fix a local buffer overflow vulnerability.

The K Desktop Environment (KDE) is a graphical desktop for the X Window System. The KDE Personal Information Management (kdepim) suite helps you to organize your mail, tasks, appointments, and contacts.

The KDE team found a buffer overflow in the file information reader of VCF files. An attacker could construct a VCF file so that when it was opened by a victim it would execute arbitrary commands. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0988 to this issue.

Users of kdepim are advised to upgrade to these erratum packages which contain a backported security patch that corrects this issue.

ID	Name	Product	Family	Severity
36298	FreeBSD : kdepim exploitable buffer overflow in VCF reader (da6f265b-8f3d-11d8-8b29-0020ed76ef5a)	Nessus	FreeBSD Local Security Checks	high
14467	GLSA-200404-02 : KDE Personal Information Management Suite Remote Buffer Overflow Vulnerability	Nessus	Gentoo Local Security Checks	high
14103	Mandrake Linux Security Advisory : kdepim (MDKSA-2004:003)	Nessus	Mandriva Local Security Checks	high
13708	Fedora Core 1 : kdepim-3.1.4-2 (2004-133)	Nessus	Fedora Local Security Checks	high
12447	RHEL 3 : kdepim (RHSA-2004:005)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2003-0988

critical

Tenable Plugins

high

high

high

high

high