Red Hat 9038 Published by

Updated kdelibs and kdebase packages are available for Red Hat Enterprise Linux 2.1 and 3

----------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Updated kdelibs and kdebase packages correct security issues
Advisory ID: RHSA-2004:412-01
Issue date: 2004-10-04
Updated on: 2004-10-04
Product: Red Hat Enterprise Linux
CVE Names: CAN-2004-0689 CAN-2004-0746 CAN-2004-0721
----------------------------------------------------------------------

1. Summary:

Updated kdelib and kdebase packages that resolve multiple security issues are now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64



3. Problem description:

The kdelibs packages include libraries for the K Desktop Environment. The kdebase packages include core applications for the K Desktop Environment.

Andrew Tuitt reported that versions of KDE up to and including 3.2.3 create temporary directories with predictable names. A local attacker could prevent KDE applications from functioning correctly, or overwrite files owned by other users by creating malicious symlinks. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0689 to this issue.

WESTPOINT internet reconnaissance services has discovered that the KDE web browser Konqueror allows websites to set cookies for certain country specific secondary top level domains. An attacker within one of the affected domains could construct a cookie which would be sent to all other websites within the domain leading to a session fixation attack. This issue does not affect popular domains such as .co.uk, .co.in, or .com. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0721 to this issue.

A frame injection spoofing vulnerability has been discovered in the Konqueror web browser. This issue could allow a malicious website to show arbitrary content in a named frame of a different browser window. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0746 to this issue.

All users of KDE are advised to upgrade to these erratum packages, which contain backported patches from the KDE team for these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

128693 - CAN-2004-0689 Predictable temporary filenames
128462 - CAN-2004-0721 Konqueror frame injection spoofing

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/kdelibs-2.2.2-13.src.rpm
34cd7c8777facff45a8e5eeed312b3b4 kdelibs-2.2.2-13.src.rpm

i386:
2b9a999a24dd42549fac4e39790b8c17 arts-2.2.2-13.i386.rpm
d6aebf57668023cb684b81236c32ce71 kdelibs-2.2.2-13.i386.rpm
20114a97ed08c90c3ecd41d1b462b6bf kdelibs-devel-2.2.2-13.i386.rpm
5ca2b715621e0cdec5e3cfc647739d3f kdelibs-sound-2.2.2-13.i386.rpm
65522ae63db9a60ec3b021099fa267ed kdelibs-sound-devel-2.2.2-13.i386.rpm

ia64:
198791b6c87c082383e8824f744a8c41 arts-2.2.2-13.ia64.rpm
f0c10dff06590e9b3d4470a4f8b1f624 kdelibs-2.2.2-13.ia64.rpm
f8c9cebea143dcf5450cd8ca0105d724 kdelibs-devel-2.2.2-13.ia64.rpm
e2218bf3c2da78612dcaf84775f2b940 kdelibs-sound-2.2.2-13.ia64.rpm
2172bffd9baeb6ba3919c9510a8f8c61 kdelibs-sound-devel-2.2.2-13.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/kdebase-2.2.2-12.src.rpm
1b2d27e8c9b4fbcc6f14b8b5d8f211de kdebase-2.2.2-12.src.rpm
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/kdelibs-2.2.2-13.src.rpm
34cd7c8777facff45a8e5eeed312b3b4 kdelibs-2.2.2-13.src.rpm

ia64:
198791b6c87c082383e8824f744a8c41 arts-2.2.2-13.ia64.rpm
95e7fac336a7858e13eb38f47ae5f135 kdebase-2.2.2-12.ia64.rpm
36592e521a13904f8c4c0f5341d39f95 kdebase-devel-2.2.2-12.ia64.rpm
f0c10dff06590e9b3d4470a4f8b1f624 kdelibs-2.2.2-13.ia64.rpm
f8c9cebea143dcf5450cd8ca0105d724 kdelibs-devel-2.2.2-13.ia64.rpm
e2218bf3c2da78612dcaf84775f2b940 kdelibs-sound-2.2.2-13.ia64.rpm
2172bffd9baeb6ba3919c9510a8f8c61 kdelibs-sound-devel-2.2.2-13.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/kdebase-2.2.2-12.src.rpm
1b2d27e8c9b4fbcc6f14b8b5d8f211de kdebase-2.2.2-12.src.rpm
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/kdelibs-2.2.2-13.src.rpm
34cd7c8777facff45a8e5eeed312b3b4 kdelibs-2.2.2-13.src.rpm

i386:
2b9a999a24dd42549fac4e39790b8c17 arts-2.2.2-13.i386.rpm
2e4e89ab276d4783fca6effbb86abd45 kdebase-2.2.2-12.i386.rpm
3b7bdc19f63b066f030b02de2fd36fe6 kdebase-devel-2.2.2-12.i386.rpm
d6aebf57668023cb684b81236c32ce71 kdelibs-2.2.2-13.i386.rpm
20114a97ed08c90c3ecd41d1b462b6bf kdelibs-devel-2.2.2-13.i386.rpm
5ca2b715621e0cdec5e3cfc647739d3f kdelibs-sound-2.2.2-13.i386.rpm
65522ae63db9a60ec3b021099fa267ed kdelibs-sound-devel-2.2.2-13.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/kdebase-2.2.2-12.src.rpm
1b2d27e8c9b4fbcc6f14b8b5d8f211de kdebase-2.2.2-12.src.rpm
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/kdelibs-2.2.2-13.src.rpm
34cd7c8777facff45a8e5eeed312b3b4 kdelibs-2.2.2-13.src.rpm

i386:
2b9a999a24dd42549fac4e39790b8c17 arts-2.2.2-13.i386.rpm
2e4e89ab276d4783fca6effbb86abd45 kdebase-2.2.2-12.i386.rpm
3b7bdc19f63b066f030b02de2fd36fe6 kdebase-devel-2.2.2-12.i386.rpm
d6aebf57668023cb684b81236c32ce71 kdelibs-2.2.2-13.i386.rpm
20114a97ed08c90c3ecd41d1b462b6bf kdelibs-devel-2.2.2-13.i386.rpm
5ca2b715621e0cdec5e3cfc647739d3f kdelibs-sound-2.2.2-13.i386.rpm
65522ae63db9a60ec3b021099fa267ed kdelibs-sound-devel-2.2.2-13.i386.rpm

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/kdebase-3.1.3-5.4.src.rpm
e4d4e63c66ce9c682c85dc250e1e679d kdebase-3.1.3-5.4.src.rpm
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/kdelibs-3.1.3-6.6.src.rpm
135f069e313d3cbf6483e08711958ee3 kdelibs-3.1.3-6.6.src.rpm

i386:
6d952551a98d11f296032defd42392bc kdebase-3.1.3-5.4.i386.rpm
2693da75dd6670f631dab884775881cc kdebase-devel-3.1.3-5.4.i386.rpm
266c7d206975aaaeddf4a611674e866e kdelibs-3.1.3-6.6.i386.rpm
bafda78112a389994916b0b0ced83ee2 kdelibs-devel-3.1.3-6.6.i386.rpm

ia64:
841744faecd1ee54f3790a123395e999 kdebase-3.1.3-5.4.ia64.rpm
ad4280e59a322ebda1801b5624a6bd2a kdebase-devel-3.1.3-5.4.ia64.rpm
f939dede59e2b87af5f8d32fb41bd7f2 kdelibs-3.1.3-6.6.ia64.rpm
0ea7d0872f7b9aaec7343fab3214791e kdelibs-devel-3.1.3-6.6.ia64.rpm

ppc:
e658798e8a2b5b7e1c63261f4e401a0c kdebase-3.1.3-5.4.ppc.rpm
9fe876d61e6cbee4450eb1790d666b88 kdebase-devel-3.1.3-5.4.ppc.rpm
478bbcde19aa9dfd6047d775b9b3fd97 kdelibs-3.1.3-6.6.ppc.rpm
d74c96bbdc599a943a0d73015487f1de kdelibs-devel-3.1.3-6.6.ppc.rpm

s390:
62c50a1e7fa5950240cb2df7821a2cc1 kdebase-3.1.3-5.4.s390.rpm
6c19f7ec956aa49f2f5a2d425bd93da1 kdebase-devel-3.1.3-5.4.s390.rpm
c41cb46b8353ab23344901df9eb7d813 kdelibs-3.1.3-6.6.s390.rpm
e0fd226e4c616aa6f661184f837cbf26 kdelibs-devel-3.1.3-6.6.s390.rpm

s390x:
59899ed9813ae1b6f23756f600322a86 kdebase-3.1.3-5.4.s390x.rpm
075a689d597dc89b3afea95cb16c7c69 kdebase-devel-3.1.3-5.4.s390x.rpm
759d0d56fb3837b3bbca0bf74c6edd9a kdelibs-3.1.3-6.6.s390x.rpm
8b26c56fcaa2bfa353a23ed80cf0de87 kdelibs-devel-3.1.3-6.6.s390x.rpm

x86_64:
272944753852fad10e47b9aad38af42a kdebase-3.1.3-5.4.x86_64.rpm
a9473976663eeecc906887e1c2dcfcb8 kdebase-devel-3.1.3-5.4.x86_64.rpm
57fb61c68d0aeca7b998d36cd6597541 kdelibs-3.1.3-6.6.x86_64.rpm
1b75fa2f076385cd5d9f0d977a921c03 kdelibs-devel-3.1.3-6.6.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/kdebase-3.1.3-5.4.src.rpm
e4d4e63c66ce9c682c85dc250e1e679d kdebase-3.1.3-5.4.src.rpm
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/kdelibs-3.1.3-6.6.src.rpm
135f069e313d3cbf6483e08711958ee3 kdelibs-3.1.3-6.6.src.rpm

i386:
6d952551a98d11f296032defd42392bc kdebase-3.1.3-5.4.i386.rpm
2693da75dd6670f631dab884775881cc kdebase-devel-3.1.3-5.4.i386.rpm
266c7d206975aaaeddf4a611674e866e kdelibs-3.1.3-6.6.i386.rpm
bafda78112a389994916b0b0ced83ee2 kdelibs-devel-3.1.3-6.6.i386.rpm

x86_64:
272944753852fad10e47b9aad38af42a kdebase-3.1.3-5.4.x86_64.rpm
a9473976663eeecc906887e1c2dcfcb8 kdebase-devel-3.1.3-5.4.x86_64.rpm
57fb61c68d0aeca7b998d36cd6597541 kdelibs-3.1.3-6.6.x86_64.rpm
1b75fa2f076385cd5d9f0d977a921c03 kdelibs-devel-3.1.3-6.6.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/kdebase-3.1.3-5.4.src.rpm
e4d4e63c66ce9c682c85dc250e1e679d kdebase-3.1.3-5.4.src.rpm
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/kdelibs-3.1.3-6.6.src.rpm
135f069e313d3cbf6483e08711958ee3 kdelibs-3.1.3-6.6.src.rpm

i386:
6d952551a98d11f296032defd42392bc kdebase-3.1.3-5.4.i386.rpm
2693da75dd6670f631dab884775881cc kdebase-devel-3.1.3-5.4.i386.rpm
266c7d206975aaaeddf4a611674e866e kdelibs-3.1.3-6.6.i386.rpm
bafda78112a389994916b0b0ced83ee2 kdelibs-devel-3.1.3-6.6.i386.rpm

ia64:
841744faecd1ee54f3790a123395e999 kdebase-3.1.3-5.4.ia64.rpm
ad4280e59a322ebda1801b5624a6bd2a kdebase-devel-3.1.3-5.4.ia64.rpm
f939dede59e2b87af5f8d32fb41bd7f2 kdelibs-3.1.3-6.6.ia64.rpm
0ea7d0872f7b9aaec7343fab3214791e kdelibs-devel-3.1.3-6.6.ia64.rpm

x86_64:
272944753852fad10e47b9aad38af42a kdebase-3.1.3-5.4.x86_64.rpm
a9473976663eeecc906887e1c2dcfcb8 kdebase-devel-3.1.3-5.4.x86_64.rpm
57fb61c68d0aeca7b998d36cd6597541 kdelibs-3.1.3-6.6.x86_64.rpm
1b75fa2f076385cd5d9f0d977a921c03 kdelibs-devel-3.1.3-6.6.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/kdebase-3.1.3-5.4.src.rpm
e4d4e63c66ce9c682c85dc250e1e679d kdebase-3.1.3-5.4.src.rpm
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/kdelibs-3.1.3-6.6.src.rpm
135f069e313d3cbf6483e08711958ee3 kdelibs-3.1.3-6.6.src.rpm

i386:
6d952551a98d11f296032defd42392bc kdebase-3.1.3-5.4.i386.rpm
2693da75dd6670f631dab884775881cc kdebase-devel-3.1.3-5.4.i386.rpm
266c7d206975aaaeddf4a611674e866e kdelibs-3.1.3-6.6.i386.rpm
bafda78112a389994916b0b0ced83ee2 kdelibs-devel-3.1.3-6.6.i386.rpm

ia64:
841744faecd1ee54f3790a123395e999 kdebase-3.1.3-5.4.ia64.rpm
ad4280e59a322ebda1801b5624a6bd2a kdebase-devel-3.1.3-5.4.ia64.rpm
f939dede59e2b87af5f8d32fb41bd7f2 kdelibs-3.1.3-6.6.ia64.rpm
0ea7d0872f7b9aaec7343fab3214791e kdelibs-devel-3.1.3-6.6.ia64.rpm

x86_64:
272944753852fad10e47b9aad38af42a kdebase-3.1.3-5.4.x86_64.rpm
a9473976663eeecc906887e1c2dcfcb8 kdebase-devel-3.1.3-5.4.x86_64.rpm
57fb61c68d0aeca7b998d36cd6597541 kdelibs-3.1.3-6.6.x86_64.rpm
1b75fa2f076385cd5d9f0d977a921c03 kdelibs-devel-3.1.3-6.6.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

7. References:

http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0689
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0746
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0721

8. Contact:

The Red Hat security contact is secalert@redhat.com. More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.