Date: 11 February 2005
References: AL-2004.041 ESB-2005.0019 ESB-2005.0090
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2005.0134 -- RHSA-2005:009-01
Updated kdelibs and kdebase packages correct security issues
11 February 2005
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: kdelibs and kdebase
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux AS/ES/WS 3
Red Hat Desktop version 3
Red Hat Enterprise Linux AS/ES/WS 2.1
Red Hat Linux Advanced Workstation 2.1
Impact: Execute Arbitrary Code/Commands
Inappropriate Access
Provide Misleading Information
Access: Remote/Unauthenticated
CVE Names: CAN-2005-0078 CAN-2004-1165 CAN-2004-1158
Ref: ESB-2005.0090
ESB-2005.0019
AL-2004.041
Original Bulletin: https://rhn.redhat.com/errata/RHSA-2005-009.html
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ---------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Updated kdelibs and kdebase packages correct security issues
Advisory ID: RHSA-2005:009-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-009.html
Issue date: 2005-02-10
Updated on: 2005-02-10
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-1158 CAN-2004-1165 CAN-2005-0078
- - ---------------------------------------------------------------------
1. Summary:
Updated kdelib and kdebase packages that resolve several security issues
are now available.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, ppc64, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
3. Problem description:
The kdelibs packages include libraries for the K Desktop Environment. The
kdebase packages include core applications for the K Desktop Environment.
Secunia Research discovered a window injection spoofing vulnerability
affecting the Konqueror web browser. This issue could allow a malicious
website to show arbitrary content in a different browser window. The Common
Vulnerabilities and Exposures project has assigned the name CAN-2004-1158
to this issue.
A bug was discovered in the way kioslave handles URL-encoded newline (%0a)
characters before the FTP command. It is possible that a specially crafted
URL could be used to execute any ftp command on a remote server, or
potentially send unsolicited email. The Common Vulnerabilities and
Exposures project has assigned the name CAN-2004-1165 to this issue.
A bug was discovered that can crash KDE screensaver under certain local
circumstances. This could allow an attacker with physical access to the
workstation to take over a locked desktop session. Please note that this
issue only affects Red Hat Enterprise Linux 2.1. The Common Vulnerabilities
and Exposures project has assigned the name CAN-2005-0078 to this issue.
All users of KDE are advised to upgrade to this updated packages, which
contain backported patches to correct these issues.
4. Solution:
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:
up2date
For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:
http://www.redhat.com/docs/manuals/enterprise/
5. Bug IDs fixed (http://bugzilla.redhat.com/):
142393 - CAN-2004-1158 Frame injection vulnerability.
139265 - KDE+Cadence bug
146760 - CAN-2004-1165 kioslave command injection
145381 - CAN-2005-0078 password bypass in kde screensaver
6. RPMs required:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/kdebase-2.2.2-15.src.rpm
42ea76d700ba15316ed91ce65cf771f9 kdebase-2.2.2-15.src.rpm
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/kdelibs-2.2.2-15.src.rpm
2effc951a3ee4ae25512280243542b5c kdelibs-2.2.2-15.src.rpm
i386:
4d38bae519a161f1452bb554fb04ba81 arts-2.2.2-15.i386.rpm
030a200855eb2be8bdc42800eeb06cef kdebase-2.2.2-15.i386.rpm
774d4f3c8b056b807279149410432482 kdebase-devel-2.2.2-15.i386.rpm
bb8d504cb0c377299863c4b5a49fdeab kdelibs-2.2.2-15.i386.rpm
5cdcc1ff323a76d713de8b602a8681e5 kdelibs-devel-2.2.2-15.i386.rpm
134afda3f20237a143a48b05efa19ce3 kdelibs-sound-2.2.2-15.i386.rpm
f4be4258a190a5dcf32c4c9cd338d9f9 kdelibs-sound-devel-2.2.2-15.i386.rpm
ia64:
29b839c2620301ae2abfc6f26511e64e arts-2.2.2-15.ia64.rpm
aceb3a74103fd439be563eb1c5346890 kdebase-2.2.2-15.ia64.rpm
8b5de25703a71498f6ce9c316a7be391 kdebase-devel-2.2.2-15.ia64.rpm
ebd5bc9dd5419cf9dc00e8c663e0b722 kdelibs-2.2.2-15.ia64.rpm
6788128e0c457af8c7531f4ad4cf0620 kdelibs-devel-2.2.2-15.ia64.rpm
0eced9a280854ff5a56cf9248778aa91 kdelibs-sound-2.2.2-15.ia64.rpm
c30d0494f359483f5ea45c216a75fb83 kdelibs-sound-devel-2.2.2-15.ia64.rpm
Red Hat Linux Advanced Workstation 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/kdebase-2.2.2-15.src.rpm
42ea76d700ba15316ed91ce65cf771f9 kdebase-2.2.2-15.src.rpm
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/kdelibs-2.2.2-15.src.rpm
2effc951a3ee4ae25512280243542b5c kdelibs-2.2.2-15.src.rpm
ia64:
29b839c2620301ae2abfc6f26511e64e arts-2.2.2-15.ia64.rpm
aceb3a74103fd439be563eb1c5346890 kdebase-2.2.2-15.ia64.rpm
8b5de25703a71498f6ce9c316a7be391 kdebase-devel-2.2.2-15.ia64.rpm
ebd5bc9dd5419cf9dc00e8c663e0b722 kdelibs-2.2.2-15.ia64.rpm
6788128e0c457af8c7531f4ad4cf0620 kdelibs-devel-2.2.2-15.ia64.rpm
0eced9a280854ff5a56cf9248778aa91 kdelibs-sound-2.2.2-15.ia64.rpm
c30d0494f359483f5ea45c216a75fb83 kdelibs-sound-devel-2.2.2-15.ia64.rpm
Red Hat Enterprise Linux ES version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/kdebase-2.2.2-15.src.rpm
42ea76d700ba15316ed91ce65cf771f9 kdebase-2.2.2-15.src.rpm
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/kdelibs-2.2.2-15.src.rpm
2effc951a3ee4ae25512280243542b5c kdelibs-2.2.2-15.src.rpm
i386:
4d38bae519a161f1452bb554fb04ba81 arts-2.2.2-15.i386.rpm
030a200855eb2be8bdc42800eeb06cef kdebase-2.2.2-15.i386.rpm
774d4f3c8b056b807279149410432482 kdebase-devel-2.2.2-15.i386.rpm
bb8d504cb0c377299863c4b5a49fdeab kdelibs-2.2.2-15.i386.rpm
5cdcc1ff323a76d713de8b602a8681e5 kdelibs-devel-2.2.2-15.i386.rpm
134afda3f20237a143a48b05efa19ce3 kdelibs-sound-2.2.2-15.i386.rpm
f4be4258a190a5dcf32c4c9cd338d9f9 kdelibs-sound-devel-2.2.2-15.i386.rpm
Red Hat Enterprise Linux WS version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/kdebase-2.2.2-15.src.rpm
42ea76d700ba15316ed91ce65cf771f9 kdebase-2.2.2-15.src.rpm
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/kdelibs-2.2.2-15.src.rpm
2effc951a3ee4ae25512280243542b5c kdelibs-2.2.2-15.src.rpm
i386:
4d38bae519a161f1452bb554fb04ba81 arts-2.2.2-15.i386.rpm
030a200855eb2be8bdc42800eeb06cef kdebase-2.2.2-15.i386.rpm
774d4f3c8b056b807279149410432482 kdebase-devel-2.2.2-15.i386.rpm
bb8d504cb0c377299863c4b5a49fdeab kdelibs-2.2.2-15.i386.rpm
5cdcc1ff323a76d713de8b602a8681e5 kdelibs-devel-2.2.2-15.i386.rpm
134afda3f20237a143a48b05efa19ce3 kdelibs-sound-2.2.2-15.i386.rpm
f4be4258a190a5dcf32c4c9cd338d9f9 kdelibs-sound-devel-2.2.2-15.i386.rpm
Red Hat Enterprise Linux AS version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/kdebase-3.1.3-5.8.src.rpm
82bd5517a6dc195ca5c7a4fcf4cc3fcf kdebase-3.1.3-5.8.src.rpm
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/kdelibs-3.1.3-6.9.src.rpm
6b5b2aba61ac2ced6df5689de2721a71 kdelibs-3.1.3-6.9.src.rpm
i386:
559c33d7383e7c81f2642f02c5aed26a kdebase-3.1.3-5.8.i386.rpm
a66570d58774ae59253985e9089f7074 kdebase-devel-3.1.3-5.8.i386.rpm
1b9bf6cfbedde310068e7b47ec43dab0 kdelibs-3.1.3-6.9.i386.rpm
65ff2276ebd06a84363734aac1e819c2 kdelibs-devel-3.1.3-6.9.i386.rpm
ia64:
3fff6529152bac165097691689afd5ae kdebase-3.1.3-5.8.ia64.rpm
559c33d7383e7c81f2642f02c5aed26a kdebase-3.1.3-5.8.i386.rpm
9e9245aceb7cb8d4422f91798ee47fcf kdebase-devel-3.1.3-5.8.ia64.rpm
3ff097e232c2c1ecd0a8684c8b526581 kdelibs-3.1.3-6.9.ia64.rpm
1b9bf6cfbedde310068e7b47ec43dab0 kdelibs-3.1.3-6.9.i386.rpm
155776d1b23d3c1c881f805416ecc9fa kdelibs-devel-3.1.3-6.9.ia64.rpm
ppc:
0fc9e4a1708c61b2206768e1394ecebd kdebase-3.1.3-5.8.ppc.rpm
2dd6ee38cd14fa2fe23738288ccbedba kdebase-devel-3.1.3-5.8.ppc.rpm
4a16bc2c6e43daab1e89c2325524b05a kdelibs-3.1.3-6.9.ppc.rpm
e502d549dfd189d1adc737ec8465b891 kdelibs-devel-3.1.3-6.9.ppc.rpm
ppc64:
72499cac48e0a01419aab74f7ede3aac kdebase-3.1.3-5.8.ppc64.rpm
e90b5b1341b2b3b377ffd29ae77f851a kdelibs-3.1.3-6.9.ppc64.rpm
s390:
f0a4e0e6fdf9eee9f2825da3736a7885 kdebase-3.1.3-5.8.s390.rpm
2147f372980f4df3d112545c3de5c0a8 kdebase-devel-3.1.3-5.8.s390.rpm
3a4b1bc5571900b494af7082ab7a1a13 kdelibs-3.1.3-6.9.s390.rpm
bf90245b516428c7d9ef4cf0cef37342 kdelibs-devel-3.1.3-6.9.s390.rpm
s390x:
755768f2b7ad338f8d66aaa05d66cec7 kdebase-3.1.3-5.8.s390x.rpm
f0a4e0e6fdf9eee9f2825da3736a7885 kdebase-3.1.3-5.8.s390.rpm
cfd77c86b6f3a565c5799b057fbb5798 kdebase-devel-3.1.3-5.8.s390x.rpm
4273cbc141a3c025b40a121a320f569e kdelibs-3.1.3-6.9.s390x.rpm
3a4b1bc5571900b494af7082ab7a1a13 kdelibs-3.1.3-6.9.s390.rpm
050516f5c80f0cc06466d8698bef3833 kdelibs-devel-3.1.3-6.9.s390x.rpm
x86_64:
85c1ebcce8e37502e4c57ac5666bd5b6 kdebase-3.1.3-5.8.x86_64.rpm
559c33d7383e7c81f2642f02c5aed26a kdebase-3.1.3-5.8.i386.rpm
cc159d0af68f93775029e72c98fa67cd kdebase-devel-3.1.3-5.8.x86_64.rpm
ea4f3a20b3b90e64c065dd1a43047f01 kdelibs-3.1.3-6.9.x86_64.rpm
1b9bf6cfbedde310068e7b47ec43dab0 kdelibs-3.1.3-6.9.i386.rpm
8c99f2100c9f3e5b03efff7165eff15c kdelibs-devel-3.1.3-6.9.x86_64.rpm
Red Hat Desktop version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/kdebase-3.1.3-5.8.src.rpm
82bd5517a6dc195ca5c7a4fcf4cc3fcf kdebase-3.1.3-5.8.src.rpm
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/kdelibs-3.1.3-6.9.src.rpm
6b5b2aba61ac2ced6df5689de2721a71 kdelibs-3.1.3-6.9.src.rpm
i386:
559c33d7383e7c81f2642f02c5aed26a kdebase-3.1.3-5.8.i386.rpm
a66570d58774ae59253985e9089f7074 kdebase-devel-3.1.3-5.8.i386.rpm
1b9bf6cfbedde310068e7b47ec43dab0 kdelibs-3.1.3-6.9.i386.rpm
65ff2276ebd06a84363734aac1e819c2 kdelibs-devel-3.1.3-6.9.i386.rpm
x86_64:
85c1ebcce8e37502e4c57ac5666bd5b6 kdebase-3.1.3-5.8.x86_64.rpm
559c33d7383e7c81f2642f02c5aed26a kdebase-3.1.3-5.8.i386.rpm
cc159d0af68f93775029e72c98fa67cd kdebase-devel-3.1.3-5.8.x86_64.rpm
ea4f3a20b3b90e64c065dd1a43047f01 kdelibs-3.1.3-6.9.x86_64.rpm
1b9bf6cfbedde310068e7b47ec43dab0 kdelibs-3.1.3-6.9.i386.rpm
8c99f2100c9f3e5b03efff7165eff15c kdelibs-devel-3.1.3-6.9.x86_64.rpm
Red Hat Enterprise Linux ES version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/kdebase-3.1.3-5.8.src.rpm
82bd5517a6dc195ca5c7a4fcf4cc3fcf kdebase-3.1.3-5.8.src.rpm
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/kdelibs-3.1.3-6.9.src.rpm
6b5b2aba61ac2ced6df5689de2721a71 kdelibs-3.1.3-6.9.src.rpm
i386:
559c33d7383e7c81f2642f02c5aed26a kdebase-3.1.3-5.8.i386.rpm
a66570d58774ae59253985e9089f7074 kdebase-devel-3.1.3-5.8.i386.rpm
1b9bf6cfbedde310068e7b47ec43dab0 kdelibs-3.1.3-6.9.i386.rpm
65ff2276ebd06a84363734aac1e819c2 kdelibs-devel-3.1.3-6.9.i386.rpm
ia64:
3fff6529152bac165097691689afd5ae kdebase-3.1.3-5.8.ia64.rpm
559c33d7383e7c81f2642f02c5aed26a kdebase-3.1.3-5.8.i386.rpm
9e9245aceb7cb8d4422f91798ee47fcf kdebase-devel-3.1.3-5.8.ia64.rpm
3ff097e232c2c1ecd0a8684c8b526581 kdelibs-3.1.3-6.9.ia64.rpm
1b9bf6cfbedde310068e7b47ec43dab0 kdelibs-3.1.3-6.9.i386.rpm
155776d1b23d3c1c881f805416ecc9fa kdelibs-devel-3.1.3-6.9.ia64.rpm
x86_64:
85c1ebcce8e37502e4c57ac5666bd5b6 kdebase-3.1.3-5.8.x86_64.rpm
559c33d7383e7c81f2642f02c5aed26a kdebase-3.1.3-5.8.i386.rpm
cc159d0af68f93775029e72c98fa67cd kdebase-devel-3.1.3-5.8.x86_64.rpm
ea4f3a20b3b90e64c065dd1a43047f01 kdelibs-3.1.3-6.9.x86_64.rpm
1b9bf6cfbedde310068e7b47ec43dab0 kdelibs-3.1.3-6.9.i386.rpm
8c99f2100c9f3e5b03efff7165eff15c kdelibs-devel-3.1.3-6.9.x86_64.rpm
Red Hat Enterprise Linux WS version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/kdebase-3.1.3-5.8.src.rpm
82bd5517a6dc195ca5c7a4fcf4cc3fcf kdebase-3.1.3-5.8.src.rpm
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/kdelibs-3.1.3-6.9.src.rpm
6b5b2aba61ac2ced6df5689de2721a71 kdelibs-3.1.3-6.9.src.rpm
i386:
559c33d7383e7c81f2642f02c5aed26a kdebase-3.1.3-5.8.i386.rpm
a66570d58774ae59253985e9089f7074 kdebase-devel-3.1.3-5.8.i386.rpm
1b9bf6cfbedde310068e7b47ec43dab0 kdelibs-3.1.3-6.9.i386.rpm
65ff2276ebd06a84363734aac1e819c2 kdelibs-devel-3.1.3-6.9.i386.rpm
ia64:
3fff6529152bac165097691689afd5ae kdebase-3.1.3-5.8.ia64.rpm
559c33d7383e7c81f2642f02c5aed26a kdebase-3.1.3-5.8.i386.rpm
9e9245aceb7cb8d4422f91798ee47fcf kdebase-devel-3.1.3-5.8.ia64.rpm
3ff097e232c2c1ecd0a8684c8b526581 kdelibs-3.1.3-6.9.ia64.rpm
1b9bf6cfbedde310068e7b47ec43dab0 kdelibs-3.1.3-6.9.i386.rpm
155776d1b23d3c1c881f805416ecc9fa kdelibs-devel-3.1.3-6.9.ia64.rpm
x86_64:
85c1ebcce8e37502e4c57ac5666bd5b6 kdebase-3.1.3-5.8.x86_64.rpm
559c33d7383e7c81f2642f02c5aed26a kdebase-3.1.3-5.8.i386.rpm
cc159d0af68f93775029e72c98fa67cd kdebase-devel-3.1.3-5.8.x86_64.rpm
ea4f3a20b3b90e64c065dd1a43047f01 kdelibs-3.1.3-6.9.x86_64.rpm
1b9bf6cfbedde310068e7b47ec43dab0 kdelibs-3.1.3-6.9.i386.rpm
8c99f2100c9f3e5b03efff7165eff15c kdelibs-devel-3.1.3-6.9.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
7. References:
http://www.kde.org/info/security/advisory-20041213-1.txt
http://www.kde.org/info/security/advisory-20050101-1.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1158
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1165
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0078
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/
Copyright 2005 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQFCC5W2XlSAg2UNWIIRAkmlAKCE6816oEZPlLm3ukFVSyso2/wRwwCfXKM8
Wkp2VQj+bsIQD1eTcQDjZJY=
=TPjS
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQgwKESh9+71yA2DNAQIF8AQAhr8IXjSfFQuHsAy/C2nYEShBqiL3xkEO
CfWMPrLHtVtpqn3oG/1GJZXPFSs4PcuXXw27fBfwJkXA71jujjdNB/pVFQhUO/N+
DbLkrxn3L50dDMZ9ZWMVRd5+KxGZdWKFaRiF1KFMUGW+E0oPy0EEl/t38BCj05Es
7lBRut2yDRw=
=ta2P
-----END PGP SIGNATURE-----
|