Date: 23 January 2006
References: ESB-2006.0065
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2006.0069 -- [Debian]
New kdelibs packages fix buffer overflow
23 January 2006
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: kdelibs
Publisher: Debian
Operating System: Debian GNU/Linux 3.1
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CVE-2006-0019
Ref: ESB-2006.0065
Original Bulletin: http://www.debian.org/security/2006/dsa-948
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - --------------------------------------------------------------------------
Debian Security Advisory DSA 948-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
January 20th, 2005 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------
Package : kdelibs
Vulnerability : buffer overflow
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2006-0019
Maksim Orlovich discovered that the kjs Javascript interpreter, used
in the Konqueror web browser and in other parts of KDE, performs
insufficient bounds checking when parsing UTF-8 encoded Uniform Resource
Identifiers, which may lead to a heap based buffer overflow and the
execution of arbitrary code.
The old stable distribution (woody) is not affected by this problem.
For the stable distribution (sarge) this problem has been fixed in
version 3.3.2-6.4
For the unstable distribution (sid) this problem will be fixed soon.
We recommend that you upgrade your kdelibs package.
Upgrade Instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- - --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_3.3.2-6.4.dsc
Size/MD5 checksum: 1255 3476894f94312ebd9c2c8a09fa226b87
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_3.3.2-6.4.diff.gz
Size/MD5 checksum: 404799 fcd85446682b6dc93ff4f286eeaa9a66
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_3.3.2.orig.tar.gz
Size/MD5 checksum: 18250342 04f10ddfa8bf9e359f391012806edc04
Architecture independent components:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-data_3.3.2-6.4_all.deb
Size/MD5 checksum: 7094358 0ef3c6eab6e97a739396eb2fc3d6d64e
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-doc_3.3.2-6.4_all.deb
Size/MD5 checksum: 11532706 aa95fe32a20da29f86f7e2aa266beb45
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_3.3.2-6.4_all.deb
Size/MD5 checksum: 27936 b36ba70cd31eed4b283612df82d06ac5
Alpha architecture:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-bin_3.3.2-6.4_alpha.deb
Size/MD5 checksum: 995496 4bfb3202b2c09187a3db6353651616e7
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4_3.3.2-6.4_alpha.deb
Size/MD5 checksum: 9283450 89c2d4bf7eaafffbdcbe2f5cde9989d6
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.3.2-6.4_alpha.deb
Size/MD5 checksum: 1245938 359d7c089f1fc049e48e6b51b16788af
AMD64 architecture:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-bin_3.3.2-6.4_amd64.deb
Size/MD5 checksum: 923642 18c3ce5715619fa03aad58f705d9d2fa
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4_3.3.2-6.4_amd64.deb
Size/MD5 checksum: 8514354 3e36f3fa8e412aa65b02257e57c1f5d4
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.3.2-6.4_amd64.deb
Size/MD5 checksum: 1241634 22b57b5cf22a17b96aa9f5e5ab6428a4
ARM architecture:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-bin_3.3.2-6.4_arm.deb
Size/MD5 checksum: 810878 5386387b194090aeb29f4c4b06af9024
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4_3.3.2-6.4_arm.deb
Size/MD5 checksum: 7595288 4bce1f87ecc765cbf899707c0ecac72c
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.3.2-6.4_arm.deb
Size/MD5 checksum: 1239290 a8ace690bf0f720d2b6d32b001d380f3
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-bin_3.3.2-6.4_i386.deb
Size/MD5 checksum: 864336 95856f030d0317644a8dac9664166149
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4_3.3.2-6.4_i386.deb
Size/MD5 checksum: 8203306 35ae7ad514fbf1ddd5dc3f5c0ffdfb62
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.3.2-6.4_i386.deb
Size/MD5 checksum: 1240288 34248445bfa13b95d53f64819d6cda06
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-bin_3.3.2-6.4_ia64.deb
Size/MD5 checksum: 1148478 e1f8faca8072df9854593b7f67c2b611
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4_3.3.2-6.4_ia64.deb
Size/MD5 checksum: 10773556 a7dd56a0a94c28eeeab4a7951f479ad9
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.3.2-6.4_ia64.deb
Size/MD5 checksum: 1253454 d9c800a9873f5316b57d13b48225d34f
HP Precision architecture:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-bin_3.3.2-6.4_hppa.deb
Size/MD5 checksum: 945076 1f5f53b8d1817f13f2221f777afff224
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4_3.3.2-6.4_hppa.deb
Size/MD5 checksum: 9306172 2a2adf406cb31274a17a6bead03e2f7c
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.3.2-6.4_hppa.deb
Size/MD5 checksum: 1243582 404a5c61b81426c89c652b9cb51eff18
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-bin_3.3.2-6.4_m68k.deb
Size/MD5 checksum: 837914 d2b462486dc13e4022dbeb1f561f3ea3
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4_3.3.2-6.4_m68k.deb
Size/MD5 checksum: 7917378 c1104ff4459b4db71c0312b97d5fb459
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.3.2-6.4_m68k.deb
Size/MD5 checksum: 1237728 e4eca74d73b772424d47ca51fbc88c22
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-bin_3.3.2-6.4_mips.deb
Size/MD5 checksum: 876708 012788ab2c0bd7690e0c7494de089b73
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4_3.3.2-6.4_mips.deb
Size/MD5 checksum: 7427034 cbe98f1799cc84cb8522efa99e0f56eb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.3.2-6.4_mips.deb
Size/MD5 checksum: 1238294 1d261691486374ff3df5b553d4e228b0
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-bin_3.3.2-6.4_mipsel.deb
Size/MD5 checksum: 872932 2c5db668a9f0a7c02cf42388a565492c
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4_3.3.2-6.4_mipsel.deb
Size/MD5 checksum: 7298648 3d938b37843f5f116b3f532bc5e1f794
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.3.2-6.4_mipsel.deb
Size/MD5 checksum: 1238174 def3ec949a9b0a228288d99d37526158
PowerPC architecture:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-bin_3.3.2-6.4_powerpc.deb
Size/MD5 checksum: 903514 d907e35f87bbbaedf63c281f7ef94329
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4_3.3.2-6.4_powerpc.deb
Size/MD5 checksum: 7923290 817aa4e67c2197debb26f59e16b0127d
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.3.2-6.4_powerpc.deb
Size/MD5 checksum: 1242328 431fe37180daffc6700a58588be37d50
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-bin_3.3.2-6.4_s390.deb
Size/MD5 checksum: 892238 85c3de8934b28a8108b1a976cfe4487c
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4_3.3.2-6.4_s390.deb
Size/MD5 checksum: 8637560 0289a19093fa788cb7d0872e417b1172
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.3.2-6.4_s390.deb
Size/MD5 checksum: 1239678 7b791ffbd6f8abe426025d9bca6de14b
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-bin_3.3.2-6.4_sparc.deb
Size/MD5 checksum: 825084 603b60797e651ebdc570758193f16900
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4_3.3.2-6.4_sparc.deb
Size/MD5 checksum: 7747066 3d934ccbb9aa437e03bde173960bee60
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.3.2-6.4_sparc.deb
Size/MD5 checksum: 1238936 832a05b1e9c356f2f3ad3350a3edc204
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iQCVAwUBQ9D0YQ0hVr09l8FJAQI7WQP+JKDEATEVa/pdUJsyFspVzQ5umI0jtQsF
5dzOzn2lazqpgkbkTFOB0KAN7RwwvbWj9405mrY7kKveM311m8AH0O4gXgUCnNRR
A38l/N/VBu3w0T1Wue76KGvtkPpf0QpdAfWetvlomJFxdK292K8iymUZ9xXB7dh4
MmOw7vFXSXI=
=KG+W
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQ9QmpCh9+71yA2DNAQLlqAP+P9pONQpVGVMmp4bx8lxucH6OlZDSmMX9
T65fHx6zDYzUMRax2sC0cyhFouq+8TRuSUlYBa1POAesgsKWQdlMIsFzAO/7xeLB
ikiHcxhka+US4Fh5fv8RbGzbtYtgHDu0lL2mAKhShqmGnlbgSNm8aNluOoXphJUD
TSydwFYXf8I=
=676Y
-----END PGP SIGNATURE-----
|