6. RPMs required:
Intel:
ftp://updates.redhat.com/6.0/en/os/i386/
kdeadmin-1.1.2-3.i386.rpm
kdebase-1.1.2-11.i386.rpm
kdegames-1.1.2-2.i386.rpm
kdegraphics-1.1.2-2.i386.rpm
kdelibs-1.1.2-9.i386.rpm
kdemultimedia-1.1.2-3.i386.rpm
kdenetwork-1.1.2-4.i386.rpm
kdesupport-1.1.2-3.i386.rpm
kdetoys-1.1.2-2.i386.rpm
kdeutils-1.1.2-2.i386.rpm
korganizer-1.1.1-2.i386.rpm
kpilot-3.1b9-3.i386.rpm
Alpha:
ftp://updates.redhat.com/6.0/en/os/alpha/
kdeadmin-1.1.2-3.alpha.rpm
kdebase-1.1.2-11.alpha.rpm
kdegames-1.1.2-2.alpha.rpm
kdegraphics-1.1.2-2.alpha.rpm
kdelibs-1.1.2-9.alpha.rpm
kdemultimedia-1.1.2-3.alpha.rpm
kdenetwork-1.1.2-4.alpha.rpm
kdesupport-1.1.2-3.alpha.rpm
kdetoys-1.1.2-2.alpha.rpm
kdeutils-1.1.2-2.alpha.rpm
korganizer-1.1.1-2.alpha.rpm
kpilot-3.1b9-3.alpha.rpm
SPARC:
ftp://updates.redhat.com/6.0/en/os/sparc/
kdeadmin-1.1.2-3.sparc.rpm
kdebase-1.1.2-11.sparc.rpm
kdegames-1.1.2-2.sparc.rpm
kdegraphics-1.1.2-2.sparc.rpm
kdelibs-1.1.2-9.sparc.rpm
kdemultimedia-1.1.2-3.sparc.rpm
kdenetwork-1.1.2-4.sparc.rpm
kdesupport-1.1.2-3.sparc.rpm
kdetoys-1.1.2-2.sparc.rpm
kdeutils-1.1.2-2.sparc.rpm
korganizer-1.1.1-2.sparc.rpm
kpilot-3.1b9-3.sparc.rpm
7. Problem description:
Red Hat Linux 6.0 shipped with KDE 1.1.1pre2, the latest release
available at the time we went into production. There were a number of
configuration and security bugs in the original packages.
kmail, the KDE mail reader, decoded MIME attachments in an unsafe manner:
attachments were written to a temporary directory under an easily
predictable filename. Because that directory is shared with every local
user, an attacker who could guess the name could create a symbolic link
with that name pointing at a file owned by the person running kmail; kmail
would follow the link and overwrite the target with the attachment
contents. This symlink attack could therefore be used to overwrite
arbitrary files owned by the kmail user.
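The bug class above, shown as an added example that is not kmail's code and not part of the original advisory: a process that saves data under a fixed, guessable name in a shared temporary directory, an attacker who pre-plants a symlink under that name, and the hardened pattern that uses mktemp(1) (mkstemp(3) underneath) to create an unpredictable name atomically. The sandbox directory, file names and attachment contents are all assumptions for the demonstration; nothing outside a throwaway directory is touched.

```shell
#!/bin/sh
# Added demonstration of the predictable-temp-file / symlink attack class.
# Not kmail's code. All paths and names are assumed; everything happens in a
# throwaway directory that stands in for the shared /tmp and the victim's home.

# Create the sandbox: a fake home containing a file the attacker wants to clobber,
# plus a tmp directory shared with the attacker. Prints the sandbox path.
setup_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir -p "$sb/home" "$sb/tmp"
    echo 'original rc' > "$sb/home/.bashrc"
    printf '%s\n' "$sb"
}

# VULNERABLE pattern: the attachment is written to a fixed, guessable name.
# The shell's '>' opens the path with O_CREAT|O_TRUNC and follows symlinks,
# exactly as fopen(path, "w") would in the application.
unsafe_save_attachment() {      # $1 = sandbox, $2 = attachment body
    printf '%s\n' "$2" > "$1/tmp/kmail-attachment.tmp"
}

# Attacker step: before the victim saves anything, link the predictable name
# to the victim's file. Only the name had to be guessed; /tmp is writable by all.
attacker_plant_symlink() {      # $1 = sandbox
    ln -s "$1/home/.bashrc" "$1/tmp/kmail-attachment.tmp"
}

# HARDENED pattern: mktemp(1) picks an unpredictable name and creates it with
# O_CREAT|O_EXCL, so a pre-planted symlink is never opened and a link planted
# after the name is chosen makes the create fail instead of following it.
# Prints the path actually used.
safe_save_attachment() {        # $1 = sandbox, $2 = attachment body
    t=$(mktemp "$1/tmp/kmail-attachment.XXXXXX") || return 1
    printf '%s\n' "$2" > "$t"
    printf '%s\n' "$t"
}

# Stand-alone run: show both outcomes side by side.
sb=$(setup_sandbox)
attacker_plant_symlink "$sb"
unsafe_save_attachment "$sb" 'attacker-controlled content'
printf 'unsafe: victim .bashrc now reads "%s"\n' "$(cat "$sb/home/.bashrc")"
echo 'original rc' > "$sb/home/.bashrc"
used=$(safe_save_attachment "$sb" 'benign attachment')
printf 'safe:   wrote %s; victim .bashrc still reads "%s"\n' "$used" "$(cat "$sb/home/.bashrc")"
rm -rf "$sb"
```

The unsafe function never checks what is already at the path, so the symlink planted by the attacker silently redirects the write. The hardened function does not need such a check: the O_EXCL create inside mktemp refuses to open anything that already exists, symlink or not, and the random suffix makes the name impossible to guess ahead of time.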
8. Solution:
Upgrade to KDE 1.1.1 final, which fixes a number of bugs present in
the previous release and contains additional patches to correct
security holes in kmail and kvt.
For each RPM for your particular architecture, run:
rpm -Uvh FILENAME
where FILENAME is the name of the RPM. Since the other packages depend on
kdelibs, the simplest approach is to pass all of the RPMs for your
architecture to a single rpm -Uvh invocation so that rpm resolves the
dependencies in one transaction.
9. Verification:
These packages are also PGP signed by Red Hat Inc. for security. Our
key is available at:
http://www.redhat.com/about/contact.html
You can verify each package with the following command:
rpm --checksig FILENAME
For the signature check to succeed, our public key must be present in the
keyring that rpm consults; without it rpm can only report that the
signature could not be checked, so read the output rather than assuming a
clean run means a verified package.
If you only wish to verify that each package has not been corrupted in
transit, examine only the md5sum with the following command:
rpm --checksig --nopgp FILENAME
Note that the md5 checksum is stored inside the package and is not itself
signed, so this check detects corruption but not deliberate tampering;
only the PGP signature protects against that.
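The procedure in sections 8 and 9, verify first and upgrade only if every signature checks out, as an added example that is not part of the original advisory. rpm(8) reports each check as a lower-case token when it passed and an upper-case token when it failed or could not be performed, with "NOT OK" as the overall verdict on failure; the parser below relies on that convention and additionally requires a lower-case signature token, so an md5-only line (an unsigned package, or a --nopgp run) is refused. The sample output lines are constructed to exercise each branch and are not captured from these packages; the verify_and_upgrade wrapper, its name and its refusal messages are assumptions.

```shell
#!/bin/sh
# Added example, not part of the advisory: gate 'rpm -Uvh' on a strict reading
# of 'rpm --checksig' output instead of trusting a zero exit status alone.

# Decide whether one line of 'rpm --checksig' output proves a verified signature.
# Returns 0 only when every check passed (lower case) and at least one of them
# was an actual signature check, not just a digest.
sig_line_ok() {                  # $1 = one line of 'rpm --checksig' output
    line=$1
    case $line in *'NOT OK'*) return 1 ;; esac
    status=${line#*: }           # drop the "filename: " prefix
    seen_sig=0
    for tok in $status; do
        tok=${tok#\(}; tok=${tok%\)}   # parentheses vary by rpm version; case is what matters
        case $tok in
            OK)              ;;               # trailing verdict word; NOT OK was handled above
            pgp|gpg|dsa|rsa) seen_sig=1 ;;    # a signature check that passed
            *[A-Z]*)         return 1 ;;      # upper case: failed, or could not be checked
            *)               ;;               # size, md5, sha1: digests that passed
        esac
    done
    [ "$seen_sig" -eq 1 ]
}

# Hypothetical wrapper (name assumed): check every file, refuse on the first
# problem, and only then upgrade all of them in one rpm transaction so that
# kdelibs and the packages that depend on it are handled together.
verify_and_upgrade() {           # $@ = the RPM files for your architecture
    for f in "$@"; do
        out=$(rpm --checksig "$f" 2>&1) || { printf 'REFUSING %s: rpm exited non-zero\n' "$f"; return 1; }
        sig_line_ok "$out" || { printf 'REFUSING %s: %s\n' "$f" "$out"; return 1; }
    done
    rpm -Uvh "$@"
}

# Stand-alone run over constructed sample lines (not real output from these packages).
for sample in \
    'kdebase-1.1.2-11.i386.rpm: size pgp md5 OK' \
    'kdelibs-1.1.2-9.i386.rpm: size (PGP) md5 OK' \
    'kdenetwork-1.1.2-4.i386.rpm: size PGP md5 NOT OK' \
    'kdeutils-1.1.2-2.i386.rpm: size md5 OK'
do
    if sig_line_ok "$sample"; then verdict=install; else verdict=REFUSE; fi
    printf '%-8s %s\n' "$verdict" "$sample"
done
```

Usage on a real system, once our key is in the keyring rpm uses: `verify_and_upgrade kde*-1.1.2-*.i386.rpm korganizer-1.1.1-2.i386.rpm kpilot-3.1b9-3.i386.rpm`. The second and fourth sample lines are the ones a naive "did it say OK?" check gets wrong: an upper-case PGP token means the signature was not actually verified, and a line with only size and md5 tokens proves nothing about who built the package.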
10. References:
http://www.geek-girl.com/bugtraq/1999_2/0685.html
This URL describes the kmail security hole.