Red Hat 9038 Published by

Fedora Legacy Update Advisory

Synopsis: Updated kdelibs packages fix security issues
Advisory ID: FLSA:178606
Issue date: 2006-03-16
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-0237 CVE-2005-0396 CVE-2005-1046
CVE-2005-1920 CVE-2006-0019
---------------------------------------------------------------------



---------------------------------------------------------------------
1. Topic:

Updated kdelibs packages that fix several security issues are now
available.

The kdelibs package provides libraries for the K Desktop Environment.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

The International Domain Name (IDN) support in the Konqueror browser
allowed remote attackers to spoof domain names using punycode encoded
domain names. Such domain names are decoded in URLs and SSL certificates
in a way that uses homograph characters from other character sets, which
facilitates phishing attacks. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CVE-2005-0237 to this
issue.

Sebastian Krahmer discovered a flaw in dcopserver, the KDE Desktop
Communication Protocol (DCOP) daemon. A local user could use this flaw
to stall the DCOP authentication process, affecting any local desktop
users and causing a reduction in their desktop functionality. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-0396 to this issue.

A buffer overflow was found in the kimgio library for KDE 3.4.0. An
attacker could create a carefully crafted PCX image in such a way that
it would cause kimgio to execute arbitrary code when processing the
image. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-1046 to this issue.

A flaw was discovered affecting Kate, the KDE advanced text editor, and
Kwrite. Depending on system settings, it may be possible for a local
user to read the backup files created by Kate or Kwrite. The Common
Vulnerabilities and Exposures project assigned the name CVE-2005-1920 to
this issue.

A heap overflow flaw was discovered affecting kjs, the JavaScript
interpreter engine used by Konqueror and other parts of KDE. An attacker
could create a malicious web site containing carefully crafted
JavaScript code that would trigger this flaw and possibly lead to
arbitrary code execution. The Common Vulnerabilities and Exposures
project assigned the name CVE-2006-0019 to this issue.

Users of KDE should upgrade to these erratum packages, which contain
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178606

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/kdelibs-3.0.5a-0.73.7.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kdelibs-3.0.5a-0.73.7.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/kdelibs-devel-3.0.5a-0.73.7.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/kdelibs-3.1-17.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/kdelibs-3.1-17.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/kdelibs-devel-3.1-17.1.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/kdelibs-3.1.4-9.FC1.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/kdelibs-3.1.4-9.FC1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/kdelibs-devel-3.1.4-9.FC1.1.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/kdelibs-3.2.2-14.FC2.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/kdelibs-3.2.2-14.FC2.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/kdelibs-devel-3.2.2-14.FC2.2.legacy.i386.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/kdelibs-3.4.2-1.fc3.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/kdelibs-3.4.2-1.fc3.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/kdelibs-devel-3.4.2-1.fc3.1.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/kdelibs-3.4.2-1.fc3.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/kdelibs-3.4.2-1.fc3.1.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/kdelibs-devel-3.4.2-1.fc3.1.legacy.x86_64.rpm


7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------

2f2d25474d7f6c68b77e376684f3835cd61123e4
redhat/7.3/updates/i386/kdelibs-3.0.5a-0.73.7.legacy.i386.rpm
c153c581d132fc5ae882167d3319f103652043dd
redhat/7.3/updates/i386/kdelibs-devel-3.0.5a-0.73.7.legacy.i386.rpm
7ad24efea3cd775ad8bc649128d64875eec1554e
redhat/7.3/updates/SRPMS/kdelibs-3.0.5a-0.73.7.legacy.src.rpm

f527dda13ccda9cd86542014e749587548b82a32
redhat/9/updates/i386/kdelibs-3.1-17.1.legacy.i386.rpm
6e22f76a8310051d285d60817066659f4429b633
redhat/9/updates/i386/kdelibs-devel-3.1-17.1.legacy.i386.rpm
7d8b9b30352004864252d7f2a72a877f062adf0f
redhat/9/updates/SRPMS/kdelibs-3.1-17.1.legacy.src.rpm

3de25dd41842099dca0cf142adef2c4fe35bcfce
fedora/1/updates/i386/kdelibs-3.1.4-9.FC1.1.legacy.i386.rpm
5d48525f08c39c3f73ca1d547be6aa0335c02a02
fedora/1/updates/i386/kdelibs-devel-3.1.4-9.FC1.1.legacy.i386.rpm
14c5cab3afedd32f05324ced28cd9abda3349ff1
fedora/1/updates/SRPMS/kdelibs-3.1.4-9.FC1.1.legacy.src.rpm

944bbc21e569bc63544f540783eedf4ecf430d2f
fedora/2/updates/i386/kdelibs-3.2.2-14.FC2.2.legacy.i386.rpm
6d15fbaa66fbadf6fa19ce3feb04e4c71ef18dfe
fedora/2/updates/i386/kdelibs-devel-3.2.2-14.FC2.2.legacy.i386.rpm
1b2a47dcae3e180dc2b0ccecdff5dca12b914393
fedora/2/updates/SRPMS/kdelibs-3.2.2-14.FC2.2.legacy.src.rpm

4d217b3e16c4624ff14b9615ab7720efbaaff7e8
fedora/3/updates/i386/kdelibs-3.4.2-1.fc3.1.legacy.i386.rpm
c861158a8f3734f0ae633fc46cd8705c6d5fc0ad
fedora/3/updates/i386/kdelibs-devel-3.4.2-1.fc3.1.legacy.i386.rpm
4d217b3e16c4624ff14b9615ab7720efbaaff7e8
fedora/3/updates/x86_64/kdelibs-3.4.2-1.fc3.1.legacy.i386.rpm
8d37c651ebe27beb56c34383972128a18e8e3c4d
fedora/3/updates/x86_64/kdelibs-3.4.2-1.fc3.1.legacy.x86_64.rpm
10cabc626d4c0570999ccd70aa8e248f31b49f8f
fedora/3/updates/x86_64/kdelibs-devel-3.4.2-1.fc3.1.legacy.x86_64.rpm
bb0dc7875106e2b71d30a5a8f2df6737aee4a80a
fedora/3/updates/SRPMS/kdelibs-3.4.2-1.fc3.1.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0396
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1046
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1920
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0019

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
project details at http://www.fedoralegacy.org