---------------------------------------------------------------------
                   Fedora Legacy Update Advisory

Synopsis:          Updated kdelibs packages fix security issues
Advisory ID:       FLSA:178606
Issue date:        2006-03-16
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
CVE Names:         CVE-2005-0237 CVE-2005-0396 CVE-2005-1046
                   CVE-2005-1920 CVE-2006-0019
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated kdelibs packages that fix several security issues are now
available.

The kdelibs package provides libraries for the K Desktop Environment.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

The International Domain Name (IDN) support in the Konqueror browser
allowed remote attackers to spoof domain names using punycode encoded
domain names. Such domain names are decoded in URLs and SSL
certificates in a way that uses homograph characters from other
character sets, which facilitates phishing attacks. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-0237 to this issue.

Sebastian Krahmer discovered a flaw in dcopserver, the KDE Desktop
Communication Protocol (DCOP) daemon. A local user could use this flaw
to stall the DCOP authentication process, affecting any local desktop
users and causing a reduction in their desktop functionality. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-0396 to this issue.

A buffer overflow was found in the kimgio library for KDE 3.4.0. An
attacker could create a carefully crafted PCX image in such a way that
it would cause kimgio to execute arbitrary code when processing the
image. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2005-1046 to this issue.

A flaw was discovered affecting Kate, the KDE advanced text editor,
and Kwrite. Depending on system settings, it may be possible for a
local user to read the backup files created by Kate or Kwrite. The
Common Vulnerabilities and Exposures project assigned the name
CVE-2005-1920 to this issue.

A heap overflow flaw was discovered affecting kjs, the JavaScript
interpreter engine used by Konqueror and other parts of KDE. An
attacker could create a malicious web site containing carefully
crafted JavaScript code that would trigger this flaw and possibly lead
to arbitrary code execution. The Common Vulnerabilities and Exposures
project assigned the name CVE-2006-0019 to this issue.

Users of KDE should upgrade to these erratum packages, which contain
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only
those RPMs which are currently installed will be updated. Those RPMs
which are not installed but included in the list will not be updated.
Note that you can also use wildcards (*.rpm) if your current directory
*only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178606

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/kdelibs-3.0.5a-0.73.7.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kdelibs-3.0.5a-0.73.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kdelibs-devel-3.0.5a-0.73.7.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/kdelibs-3.1-17.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/kdelibs-3.1-17.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/kdelibs-devel-3.1-17.1.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/kdelibs-3.1.4-9.FC1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/kdelibs-3.1.4-9.FC1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/kdelibs-devel-3.1.4-9.FC1.1.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/kdelibs-3.2.2-14.FC2.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/kdelibs-3.2.2-14.FC2.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/kdelibs-devel-3.2.2-14.FC2.2.legacy.i386.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/kdelibs-3.4.2-1.fc3.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/kdelibs-3.4.2-1.fc3.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/kdelibs-devel-3.4.2-1.fc3.1.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/kdelibs-3.4.2-1.fc3.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/kdelibs-3.4.2-1.fc3.1.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/kdelibs-devel-3.4.2-1.fc3.1.legacy.x86_64.rpm

7. Verification:

SHA1 sum                                  Package Name
---------------------------------------------------------------------
2f2d25474d7f6c68b77e376684f3835cd61123e4  redhat/7.3/updates/i386/kdelibs-3.0.5a-0.73.7.legacy.i386.rpm
c153c581d132fc5ae882167d3319f103652043dd  redhat/7.3/updates/i386/kdelibs-devel-3.0.5a-0.73.7.legacy.i386.rpm
7ad24efea3cd775ad8bc649128d64875eec1554e  redhat/7.3/updates/SRPMS/kdelibs-3.0.5a-0.73.7.legacy.src.rpm

f527dda13ccda9cd86542014e749587548b82a32  redhat/9/updates/i386/kdelibs-3.1-17.1.legacy.i386.rpm
6e22f76a8310051d285d60817066659f4429b633  redhat/9/updates/i386/kdelibs-devel-3.1-17.1.legacy.i386.rpm
7d8b9b30352004864252d7f2a72a877f062adf0f  redhat/9/updates/SRPMS/kdelibs-3.1-17.1.legacy.src.rpm

3de25dd41842099dca0cf142adef2c4fe35bcfce  fedora/1/updates/i386/kdelibs-3.1.4-9.FC1.1.legacy.i386.rpm
5d48525f08c39c3f73ca1d547be6aa0335c02a02  fedora/1/updates/i386/kdelibs-devel-3.1.4-9.FC1.1.legacy.i386.rpm
14c5cab3afedd32f05324ced28cd9abda3349ff1  fedora/1/updates/SRPMS/kdelibs-3.1.4-9.FC1.1.legacy.src.rpm

944bbc21e569bc63544f540783eedf4ecf430d2f  fedora/2/updates/i386/kdelibs-3.2.2-14.FC2.2.legacy.i386.rpm
6d15fbaa66fbadf6fa19ce3feb04e4c71ef18dfe  fedora/2/updates/i386/kdelibs-devel-3.2.2-14.FC2.2.legacy.i386.rpm
1b2a47dcae3e180dc2b0ccecdff5dca12b914393  fedora/2/updates/SRPMS/kdelibs-3.2.2-14.FC2.2.legacy.src.rpm

4d217b3e16c4624ff14b9615ab7720efbaaff7e8  fedora/3/updates/i386/kdelibs-3.4.2-1.fc3.1.legacy.i386.rpm
c861158a8f3734f0ae633fc46cd8705c6d5fc0ad  fedora/3/updates/i386/kdelibs-devel-3.4.2-1.fc3.1.legacy.i386.rpm
4d217b3e16c4624ff14b9615ab7720efbaaff7e8  fedora/3/updates/x86_64/kdelibs-3.4.2-1.fc3.1.legacy.i386.rpm
8d37c651ebe27beb56c34383972128a18e8e3c4d  fedora/3/updates/x86_64/kdelibs-3.4.2-1.fc3.1.legacy.x86_64.rpm
10cabc626d4c0570999ccd70aa8e248f31b49f8f  fedora/3/updates/x86_64/kdelibs-devel-3.4.2-1.fc3.1.legacy.x86_64.rpm
bb0dc7875106e2b71d30a5a8f2df6737aee4a80a  fedora/3/updates/SRPMS/kdelibs-3.4.2-1.fc3.1.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key
is available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0396
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1046
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1920
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0019

9. Contact:

The Fedora Legacy security contact is .

More project details at http://www.fedoralegacy.org
---------------------------------------------------------------------
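The section 7 table is already laid out as "sha1  relative-path", which is the format sha1sum -c reads, so it can be saved to a file and checked against a mirror download in one step. The script below is an added example, not part of the advisory; the package tree and table it builds are constructed for the demo, and it assumes GNU coreutils sha1sum.

```shell
#!/bin/sh
# Added example (not from the advisory): check downloaded packages against an
# advisory-style SHA1 table with sha1sum -c. This only proves the files match
# the published list; origin is established separately by the GPG signature
# check (rpm --checksig) described in section 7.

# verify_table TABLE DIR: check every "<sha1>  <path>" entry of TABLE against
# files under DIR (the mirror root). Exits 0 only if every listed file exists
# and matches; a missing or altered file makes sha1sum -c exit non-zero, and
# --strict makes a malformed table line a failure as well.
verify_table() {
    table="$1"; dir="$2"
    # stdin is redirected before the subshell changes directory, so TABLE may
    # be a path relative to the caller's cwd
    (cd "$dir" && sha1sum -c --quiet --strict) < "$table"
}

# demo_verify: build a constructed package tree and table, then confirm that
# an intact file passes and a tampered copy fails. Returns 0 when both hold.
demo_verify() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/fedora/3/updates/i386"
    pkg="fedora/3/updates/i386/kdelibs-EXAMPLE.i386.rpm"   # constructed name
    printf 'constructed package contents\n' > "$tmp/$pkg"
    # publish-side step: record the known-good hash in advisory table layout
    (cd "$tmp" && sha1sum "$pkg") > "$tmp/table.sha1"
    verify_table "$tmp/table.sha1" "$tmp" || { rm -rf "$tmp"; return 1; }
    # simulate a corrupted mirror copy: one extra byte appended
    printf 'x' >> "$tmp/$pkg"
    if verify_table "$tmp/table.sha1" "$tmp" >/dev/null 2>&1; then
        rm -rf "$tmp"; return 1      # tampering must be detected
    fi
    rm -rf "$tmp"
    return 0
}

demo_verify && echo "sha1 table verification behaves as expected"
```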