From security@linux-mandrake.com Sat Aug 21 03:25:37 2004 From: Mandrake Linux Security Team To: full-disclosure@lists.netsys.com Date: 21 Aug 2004 06:40:10 -0000 Subject: [Full-Disclosure] MDKSA-2004:086 - Updated kdelibs and kdebase packages fix multiple vulnerabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandrakelinux Security Update Advisory _______________________________________________________________________ Package name: kdelibs/kdebase Advisory ID: MDKSA-2004:086 Date: August 20th, 2004 Affected versions: 10.0, 9.2 ______________________________________________________________________ Problem Description: A number of vulnerabilities were discovered in KDE that are corrected with these update packages. The integrity of symlinks used by KDE are not ensured and as a result can be abused by local attackers to create or truncate arbitrary files or to prevent KDE applications from functioning correctly (CAN-2004-0689). The DCOPServer creates temporary files in an insecure manner. These temporary files are used for authentication-related purposes, so this could potentially allow a local attacker to compromise the account of any user running a KDE application (CAN-2004-0690). Note that only KDE 3.2.x is affected by this vulnerability. The Konqueror web browser allows websites to load web pages into a frame of any other frame-based web page that the user may have open. This could potentially allow a malicious website to make Konqueror insert its own frames into the page of an otherwise trusted website (CAN-02004-0721). The Konqueror web browser also allows websites to set cookies for certain country-specific top-level domains. This can be done to make Konqueror send the cookies to all other web sites operating under the same domain, which can be abused to become part of a session fixation attack. All country-specific secondary top-level domains that use more than 2 characters in the secondary part of the domain name, and that use a secondary part other than com, net, mil, org, gove, edu, or int are affected (CAN-2004-0746). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0689 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0690 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0721 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0746 http://www.kde.org/info/security/advisory-20040811-1.txt http://www.kde.org/info/security/advisory-20040811-2.txt http://www.kde.org/info/security/advisory-20040811-3.txt http://www.kde.org/info/security/advisory-20040820-1.txt ______________________________________________________________________ Updated Packages: Mandrakelinux 10.0: 510438b78f3516746d4b4ed60ac212b3 10.0/RPMS/kdebase-3.2-79.2.100mdk.i586.rpm c8cf4ce9cf1d249b4a2bed3c66528803 10.0/RPMS/kdebase-common-3.2-79.2.100mdk.i586.rpm d38633d8cba665bbe1237813e45b0f7b 10.0/RPMS/kdebase-kate-3.2-79.2.100mdk.i586.rpm 5854609ecb04e39b0bc07e9a33778488 10.0/RPMS/kdebase-kcontrol-data-3.2-79.2.100mdk.i586.rpm 48727a4e1dd5df1bd52276f03ae8edd3 10.0/RPMS/kdebase-kdeprintfax-3.2-79.2.100mdk.i586.rpm 52fc69771ec698ba332870cbfa618a60 10.0/RPMS/kdebase-kdm-3.2-79.2.100mdk.i586.rpm d3ae0bc755db0665e12472a2e22ebd90 10.0/RPMS/kdebase-kdm-config-file-3.2-79.2.100mdk.i586.rpm 85d8b0ebf0421963f652424b0441145c 10.0/RPMS/kdebase-kmenuedit-3.2-79.2.100mdk.i586.rpm 222d9900d8f30961f04b870c5a949a1f 10.0/RPMS/kdebase-konsole-3.2-79.2.100mdk.i586.rpm 554b091c26d0461831323389292cc72d 10.0/RPMS/kdebase-nsplugins-3.2-79.2.100mdk.i586.rpm 487748d51da06a36180d18a0cedda4c5 10.0/RPMS/kdebase-progs-3.2-79.2.100mdk.i586.rpm 0f4088f33543e6f0f263537964cfccee 10.0/RPMS/kdelibs-common-3.2-36.3.100mdk.i586.rpm 9cc536b2ffd48b6b5354ba8967638d3e 10.0/RPMS/libkdebase4-3.2-79.2.100mdk.i586.rpm 32ed1e7ed670e6c01716f491b8181e8d 10.0/RPMS/libkdebase4-devel-3.2-79.2.100mdk.i586.rpm ea55a16ba1f7cd6ea2dabd274ce023bf 10.0/RPMS/libkdebase4-kate-3.2-79.2.100mdk.i586.rpm df122aa36fd811d3d97aafcff1d6aed7 10.0/RPMS/libkdebase4-kate-devel-3.2-79.2.100mdk.i586.rpm 598709de41b8101c44e0a82e52718340 10.0/RPMS/libkdebase4-kmenuedit-3.2-79.2.100mdk.i586.rpm 71f277606a8b5d17ca3f7a09aba486f7 10.0/RPMS/libkdebase4-konsole-3.2-79.2.100mdk.i586.rpm bceb452042e0c72d475139f4efe7a0c5 10.0/RPMS/libkdebase4-nsplugins-3.2-79.2.100mdk.i586.rpm ffc1728d50b17dd3cae6f1e2ad0589e2 10.0/RPMS/libkdebase4-nsplugins-devel-3.2-79.2.100mdk.i586.rpm 82d343a84048b56353c97b72b771ea81 10.0/RPMS/libkdecore4-3.2-36.3.100mdk.i586.rpm 7fd56a29040d0708e5d4650228c3534d 10.0/RPMS/libkdecore4-devel-3.2-36.3.100mdk.i586.rpm d2a3e8c4391af933ebc2e48cc4aa8dee 10.0/SRPMS/kdebase-3.2-79.2.100mdk.src.rpm 93330083dd59710108f6977107562aaf 10.0/SRPMS/kdelibs-3.2-36.3.100mdk.src.rpm Mandrakelinux 10.0/AMD64: 8edf6ee3527aef3399db27ee98d39c6f amd64/10.0/RPMS/kdebase-3.2-79.2.100mdk.amd64.rpm 58b4defe043743d137f05b27bb7c0c87 amd64/10.0/RPMS/kdebase-common-3.2-79.2.100mdk.amd64.rpm 6bc0bdb8dcebfd4f9a010a8a257c67f6 amd64/10.0/RPMS/kdebase-kate-3.2-79.2.100mdk.amd64.rpm 0cd79e56ddf5fcdaa08bb9d6d60103f8 amd64/10.0/RPMS/kdebase-kcontrol-data-3.2-79.2.100mdk.amd64.rpm 0c7e8f118a150dbe63eac16476571cec amd64/10.0/RPMS/kdebase-kdeprintfax-3.2-79.2.100mdk.amd64.rpm f659c4d625218bde4dbf87cf0c457faa amd64/10.0/RPMS/kdebase-kdm-3.2-79.2.100mdk.amd64.rpm 2065540f835e04eb269c1ab3e070289b amd64/10.0/RPMS/kdebase-kdm-config-file-3.2-79.2.100mdk.amd64.rpm 02a45357b22c1374d6919b70997b4b8d amd64/10.0/RPMS/kdebase-kmenuedit-3.2-79.2.100mdk.amd64.rpm 6db6c45484be318eb53d5cbeef9a6e0e amd64/10.0/RPMS/kdebase-konsole-3.2-79.2.100mdk.amd64.rpm 567cae5415e7b1d3d8091d264ca98ea2 amd64/10.0/RPMS/kdebase-nsplugins-3.2-79.2.100mdk.amd64.rpm 6c597ced6b9590ebfc5ed1b8fef8190c amd64/10.0/RPMS/kdebase-progs-3.2-79.2.100mdk.amd64.rpm c7c0135d79620f0a6002d546408e7be0 amd64/10.0/RPMS/kdelibs-common-3.2-36.3.100mdk.amd64.rpm 57e18c9dca64cb6d4201f49719a0f591 amd64/10.0/RPMS/lib64kdebase4-3.2-79.2.100mdk.amd64.rpm aec6a23128624c32cf8ff302e15a0dce amd64/10.0/RPMS/lib64kdebase4-devel-3.2-79.2.100mdk.amd64.rpm d331d129437e959fe5952645205c602b amd64/10.0/RPMS/lib64kdebase4-kate-3.2-79.2.100mdk.amd64.rpm eac31119b4c7450e59bc4f855fef8ee3 amd64/10.0/RPMS/lib64kdebase4-kate-devel-3.2-79.2.100mdk.amd64.rpm 7692a8d3eb9085c4e01a6f82d22e54ea amd64/10.0/RPMS/lib64kdebase4-kmenuedit-3.2-79.2.100mdk.amd64.rpm 0dfd8eb1e9389b810cd541cbe78bbb37 amd64/10.0/RPMS/lib64kdebase4-konsole-3.2-79.2.100mdk.amd64.rpm 8611b9991340db56c60c4cc25cbe5a95 amd64/10.0/RPMS/lib64kdebase4-nsplugins-3.2-79.2.100mdk.amd64.rpm a72df10c2073f103963b763b68e1d6eb amd64/10.0/RPMS/lib64kdebase4-nsplugins-devel-3.2-79.2.100mdk.amd64.rpm 249dd74dd637791186829757f06a1291 amd64/10.0/RPMS/lib64kdecore4-3.2-36.3.100mdk.amd64.rpm 308cf4ac4d2eddb590e8e867175c2311 amd64/10.0/RPMS/lib64kdecore4-devel-3.2-36.3.100mdk.amd64.rpm d2a3e8c4391af933ebc2e48cc4aa8dee amd64/10.0/SRPMS/kdebase-3.2-79.2.100mdk.src.rpm 93330083dd59710108f6977107562aaf amd64/10.0/SRPMS/kdelibs-3.2-36.3.100mdk.src.rpm Mandrakelinux 9.2: 7a437fd66146531dd156af9466460b7f 9.2/RPMS/kdebase-3.1.3-79.2.92mdk.i586.rpm 46678bcc9b2e2af5f5b83b419d022522 9.2/RPMS/kdebase-common-3.1.3-79.2.92mdk.i586.rpm abee5d0c191812f382c6247ca87ad466 9.2/RPMS/kdebase-kate-3.1.3-79.2.92mdk.i586.rpm 9afe4816f3316c153105f6fe60eb5c27 9.2/RPMS/kdebase-kdeprintfax-3.1.3-79.2.92mdk.i586.rpm 314684650edf45d258955afd7a0cd71a 9.2/RPMS/kdebase-kdm-3.1.3-79.2.92mdk.i586.rpm cebc25881d037ce59f3de2cc3ba7f3f3 9.2/RPMS/kdebase-kdm-config-file-3.1.3-79.2.92mdk.i586.rpm 538d05e93fd88a3c57cb358b5cd36dd4 9.2/RPMS/kdebase-konsole-3.1.3-79.2.92mdk.i586.rpm d48c6377c5b580d668135c4afdddf3d1 9.2/RPMS/kdebase-nsplugins-3.1.3-79.2.92mdk.i586.rpm f2ad83707508d33d9dd63d77ec2d82e8 9.2/RPMS/kdebase-progs-3.1.3-79.2.92mdk.i586.rpm beca2c6a0458a32f8433cfd3702733e6 9.2/RPMS/kdelibs-common-3.1.3-35.3.92mdk.i586.rpm 285672f9688c2fb212b51398dc3085c1 9.2/RPMS/libkdebase4-3.1.3-79.2.92mdk.i586.rpm 382e809df95c5b9ecf3cf64521a71816 9.2/RPMS/libkdebase4-devel-3.1.3-79.2.92mdk.i586.rpm d6ff93e7d16d284a96c6113c784ae60f 9.2/RPMS/libkdebase4-kate-3.1.3-79.2.92mdk.i586.rpm 9e710e6502f32e9fa12e621e9cfdf4d0 9.2/RPMS/libkdebase4-kate-devel-3.1.3-79.2.92mdk.i586.rpm 47a2a05820b54bec347afd26da339203 9.2/RPMS/libkdebase4-konsole-3.1.3-79.2.92mdk.i586.rpm 4863e95228969e3ed2f9daa2278d4276 9.2/RPMS/libkdebase4-nsplugins-3.1.3-79.2.92mdk.i586.rpm 85dabe0527172fdf9202c724776d9d62 9.2/RPMS/libkdebase4-nsplugins-devel-3.1.3-79.2.92mdk.i586.rpm f0add02f5422c3f62cfbecd0f2a26b2d 9.2/RPMS/libkdecore4-3.1.3-35.3.92mdk.i586.rpm e8923bf7bc65c13bdd8fd18208ab550e 9.2/RPMS/libkdecore4-devel-3.1.3-35.3.92mdk.i586.rpm c54061baeb0b3498ccf8d776dc36fd9d 9.2/SRPMS/kdebase-3.1.3-79.2.92mdk.src.rpm 0e24de240e1a84326df7332499b452c7 9.2/SRPMS/kdelibs-3.1.3-35.3.92mdk.src.rpm Mandrakelinux 9.2/AMD64: daf7342d2c27f510597058428738a5d3 amd64/9.2/RPMS/kdebase-3.1.3-79.2.92mdk.amd64.rpm b03fbd0ebd368d78616c99adbfcbfdd2 amd64/9.2/RPMS/kdebase-common-3.1.3-79.2.92mdk.amd64.rpm 46c62f4ef453fa25213ff26d47e46057 amd64/9.2/RPMS/kdebase-kate-3.1.3-79.2.92mdk.amd64.rpm 5ec5e4dd405ce0605780553ddbd47604 amd64/9.2/RPMS/kdebase-kdeprintfax-3.1.3-79.2.92mdk.amd64.rpm f124a86ffaa161f8101344c0bda1ae39 amd64/9.2/RPMS/kdebase-kdm-3.1.3-79.2.92mdk.amd64.rpm 36da16dd458a163090098aeefe5eb619 amd64/9.2/RPMS/kdebase-kdm-config-file-3.1.3-79.2.92mdk.amd64.rpm 7c12240ad3e6b73fd0b24ae4d98fc0da amd64/9.2/RPMS/kdebase-konsole-3.1.3-79.2.92mdk.amd64.rpm b8c04a16954a7374b6194415f6e5e15a amd64/9.2/RPMS/kdebase-nsplugins-3.1.3-79.2.92mdk.amd64.rpm 6f855be2d1961dc75c5f1283cd25e71b amd64/9.2/RPMS/kdebase-progs-3.1.3-79.2.92mdk.amd64.rpm b9a0ba03005f212d8f2c8f5b952ef8e2 amd64/9.2/RPMS/kdelibs-common-3.1.3-35.3.92mdk.amd64.rpm 999bf091090905ea8d07aec1ec97fed2 amd64/9.2/RPMS/lib64kdebase4-3.1.3-79.2.92mdk.amd64.rpm b744accc86241864b23662265a6f2c9f amd64/9.2/RPMS/lib64kdebase4-devel-3.1.3-79.2.92mdk.amd64.rpm 596fefe16698fecd8d7ce04f19d048ff amd64/9.2/RPMS/lib64kdebase4-kate-3.1.3-79.2.92mdk.amd64.rpm caa45d71983b623a59923b18f6bb4f69 amd64/9.2/RPMS/lib64kdebase4-kate-devel-3.1.3-79.2.92mdk.amd64.rpm 7dd01ca77c94ff3a018dd5779605e67c amd64/9.2/RPMS/lib64kdebase4-konsole-3.1.3-79.2.92mdk.amd64.rpm 1d3f7e3e031df08ed17f77df6505cb47 amd64/9.2/RPMS/lib64kdebase4-nsplugins-3.1.3-79.2.92mdk.amd64.rpm f6f15ceb62c4abde32406bc1ae75b864 amd64/9.2/RPMS/lib64kdebase4-nsplugins-devel-3.1.3-79.2.92mdk.amd64.rpm 9478889d65eff687203a5ccf19ca3a28 amd64/9.2/RPMS/lib64kdecore4-3.1.3-35.3.92mdk.amd64.rpm 3c53063491a5f3a5ca4e51708fd85763 amd64/9.2/RPMS/lib64kdecore4-devel-3.1.3-35.3.92mdk.amd64.rpm c54061baeb0b3498ccf8d776dc36fd9d amd64/9.2/SRPMS/kdebase-3.1.3-79.2.92mdk.src.rpm 0e24de240e1a84326df7332499b452c7 amd64/9.2/SRPMS/kdelibs-3.1.3-35.3.92mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandrakelinux at: http://www.mandrakesoft.com/security/advisories If you want to report vulnerabilities, please contact security_linux-mandrake.com Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFBJu5KmqjQ0CJFipgRAlWiAKDXTRUqWqhoeRAivy7VOzPKCq/V4wCfZN8o GMqJ2higHvhiSI/uKyg5Xyg= =ER04 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html