Fedora Legacy Test Update Notification: kdelibs

Marc Deslauriers marcdeslauriers at videotron.ca
Thu Mar 2 01:21:36 UTC 2006


---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-178606
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178606
2006-03-01
---------------------------------------------------------------------

Name        : kdelibs
Versions    : rh73: kdelibs-3.0.5a-0.73.7.legacy
Versions    : rh9: kdelibs-3.1-17.1.legacy
Versions    : fc1: kdelibs-3.1.4-9.FC1.1.legacy
Versions    : fc2: kdelibs-3.2.2-14.FC2.2.legacy
Versions    : fc3: kdelibs-3.4.2-1.fc3.1.legacy
Summary     : K Desktop Environment - Libraries
Description :
Libraries for the K Desktop Environment.

KDE Libraries include: kdecore (KDE core library), kdeui (user
interface), kfm (file manager), khtmlw (HTML widget), kio
(Input/Output, networking), kspell (spelling checker), jscript
(javascript), kab (addressbook), kimgio (image manipulation).
---------------------------------------------------------------------
Update Information:

Updated kdelibs packages that fix several security issues are now
available.

The kdelibs package provides libraries for the K Desktop Environment.

The International Domain Name (IDN) support in the Konqueror browser
allowed remote attackers to spoof domain names using punycode encoded
domain names. Such domain names are decoded in URLs and SSL certificates
in a way that uses homograph characters from other character sets, which
facilitates phishing attacks. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CVE-2005-0237 to this
issue.
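The mixed-script check below is an added illustration of the defensive side of this issue, not code from the advisory or from the KDE patch: each hostname label is punycode-decoded, and a label whose letters come from more than one script (a Latin word with a single Cyrillic letter swapped in) is rendered in its raw `xn--` form instead of as lookalike Unicode. Sample hostnames in the test are constructed.

```python
import unicodedata


def to_unicode_label(label: str) -> str:
    """Decode one hostname label: an A-label ("xn--...") becomes its U-label."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed A-label: leave the raw form visible
    return label


def to_ascii_label(label: str) -> str:
    """Encode a label back to its punycode A-label unless it is already ASCII."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def letter_scripts(label: str) -> set:
    """Scripts used by the letters of a label, read off the Unicode character names
    (e.g. 'LATIN SMALL LETTER A' -> 'LATIN', 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def is_mixed_script(label: str) -> bool:
    """True when one label mixes letters from two or more scripts."""
    return len(letter_scripts(label)) > 1


def safe_display_form(host: str) -> str:
    """Render a hostname for an address bar or certificate view.

    A label is shown decoded only when all of its letters share one script;
    a mixed-script label is shown as its xn-- form so the spoof is visible.
    """
    shown = []
    for label in host.split("."):
        u = to_unicode_label(label)
        shown.append(to_ascii_label(u) if is_mixed_script(u) else u)
    return ".".join(shown)
```

Whole-script confusables (a label made entirely of Cyrillic lookalikes) pass this check; catching those needs a confusable-character table in addition to the script test.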

Sebastian Krahmer discovered a flaw in dcopserver, the KDE Desktop
Communication Protocol (DCOP) daemon. A local user could use this flaw
to stall the DCOP authentication process, affecting any local desktop
users and causing a reduction in their desktop functionality. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-0396 to this issue.

A buffer overflow was found in the kimgio library for KDE 3.4.0. An
attacker could create a carefully crafted PCX image in such a way that
it would cause kimgio to execute arbitrary code when processing the
image. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-1046 to this issue.

A flaw was discovered affecting Kate, the KDE advanced text editor, and
Kwrite. Depending on system settings, it may be possible for a local
user to read the backup files created by Kate or Kwrite. The Common
Vulnerabilities and Exposures project assigned the name CVE-2005-1920 to
this issue.

A heap overflow flaw was discovered affecting kjs, the JavaScript
interpreter engine used by Konqueror and other parts of KDE. An attacker
could create a malicious web site containing carefully crafted
JavaScript code that would trigger this flaw and possibly lead to
arbitrary code execution. The Common Vulnerabilities and Exposures
project assigned the name CVE-2006-0019 to this issue.

Users of KDE should upgrade to these erratum packages, which contain
backported patches to correct these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Thu Feb 23 2006 David Eisenstein <deisenst at gtw.net> 6:3.0.5a-0.73.7.legacy
- Add patch #26 for CAN-2005-0396, local DCOP denial of service
  vulnerability.  Bugzilla #178606.

rh9:
* Thu Feb 23 2006 David Eisenstein <deisenst at gtw.net> 6:3.0.5a-0.73.7.legacy
- Add patch #106 for CAN-2005-0396, local DCOP denial of service
  vulnerability.  Bugzilla #178606.

fc1:
* Fri Feb 24 2006 David Eisenstein <deisenst at gtw.net> 6:3.1.4-9.FC1.1.legacy
- Add patch #107 for CAN-2005-0396, local DCOP denial of service
  vulnerability.  Bugzilla #178606.

fc2:
* Tue Feb 14 2006 David Eisenstein <deisenst at gtw.net> 6:3.2.2-14.FC2.2.legacy
- Make slight mod to Konqueror IDN patch, changing the paths in the patch,
  so it will apply correctly.

* Tue Feb 14 2006 David Eisenstein <deisenst at gtw.net> 6:3.2.2-14.FC2.1.legacy
- Applied patch for Konqueror International Domain Name Spoofing,
  CAN-2005-0237, #178606
- Patch for kimgio input validation errors, CAN-2005-1046, #178606
- Patch for Kate backup file permission leak, CAN-2005-1920, #178606
- Add critical patch for kjs encodeuri/decodeuri heap overflow vulnerability,
  CVE-2006-0019, #178606.

fc3:
* Wed Feb 08 2006 David Eisenstein <deisenst at gtw.net> 6:3.4.2-1.fc3.1.legacy
- Add fix for CVE-2006-0019, kjs encodeuri/decodeuri heap overflow
  vulnerability.  Bug #178606.

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)


---------------------------------------------------------------------

Please test and comment in bugzilla.
