Security Advisory Moderate: kdelibs security update

Advisory: RHSA-2007:0909-5
Type: Security Advisory
Severity: Moderate
Issued on: 2007-10-08
Last updated on: 2007-10-08
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 4)
OVAL: N/A
CVEs (cve.mitre.org): CVE-2007-0242
CVE-2007-0537
CVE-2007-1308
CVE-2007-1564
CVE-2007-3820
CVE-2007-4224

Details

Updated kdelibs packages that resolve several security flaws are
now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

The kdelibs package provides libraries for the K Desktop Environment (KDE).

Two cross-site-scripting flaws were found in the way Konqueror processes
certain HTML content. This could result in a malicious attacker presenting
misleading content to an unsuspecting user. (CVE-2007-0242, CVE-2007-0537)

A flaw was found in KDE JavaScript implementation. A web page containing
malicious JavaScript code could cause Konqueror to crash. (CVE-2007-1308)

A flaw was found in the way Konqueror handled certain FTP PASV commands.
A malicious FTP server could use this flaw to perform a rudimentary
port-scan of machines behind a user's firewall. (CVE-2007-1564)

Two Konqueror address spoofing flaws have been discovered. It was
possible for a malicious website to cause the Konqueror address bar to
display information which could trick a user into believing they are at a
different website than they actually are. (CVE-2007-3820, CVE-2007-4224)

Users of KDE should upgrade to these updated packages, which contain
backported patches to correct these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Workstation (v. 5 client)
IA-32:
kdelibs-devel-3.5.4-13.el5.i386.rpm
File outdated by:  RHBA-2008:0373		     222f3e3b226bae96dd7083e6e47c4350
 
x86_64:
kdelibs-devel-3.5.4-13.el5.i386.rpm
File outdated by:  RHBA-2008:0373		     222f3e3b226bae96dd7083e6e47c4350
kdelibs-devel-3.5.4-13.el5.x86_64.rpm
File outdated by:  RHBA-2008:0373		     7beda8e6b585f62c52e032c6cdee89ea
 
Red Hat Desktop (v. 4)
SRPMS:
kdelibs-3.3.1-9.el4.src.rpm
File outdated by:  RHBA-2008:0670		     4bf1df171502ccaac9c4b9f4af27c5a4
 
IA-32:
kdelibs-3.3.1-9.el4.i386.rpm
File outdated by:  RHBA-2008:0670		     d3325980cb2e409fcb69641c9dd50fa6
kdelibs-devel-3.3.1-9.el4.i386.rpm
File outdated by:  RHBA-2008:0670		     48f2c42b62fe794d35580947197203f6
 
x86_64:
kdelibs-3.3.1-9.el4.i386.rpm
File outdated by:  RHBA-2008:0670		     d3325980cb2e409fcb69641c9dd50fa6
kdelibs-3.3.1-9.el4.x86_64.rpm
File outdated by:  RHBA-2008:0670		     45ff0822118c370120cffe8f4f438c95
kdelibs-devel-3.3.1-9.el4.x86_64.rpm
File outdated by:  RHBA-2008:0670		     28d4cbc0fa36755077ade9d68253e6d3
 
Red Hat Enterprise Linux (v. 5 server)
SRPMS:
kdelibs-3.5.4-13.el5.src.rpm
File outdated by:  RHBA-2008:0373		     e6ceb931f57d243382512a4e05987c66
 
IA-32:
kdelibs-3.5.4-13.el5.i386.rpm
File outdated by:  RHBA-2008:0373		     2cf541a483fe1fbda5f2894f429dd029
kdelibs-apidocs-3.5.4-13.el5.i386.rpm
File outdated by:  RHBA-2008:0373		     fcb32b8d69e5a8650a53b5d6ac347e66
kdelibs-devel-3.5.4-13.el5.i386.rpm
File outdated by:  RHBA-2008:0373		     222f3e3b226bae96dd7083e6e47c4350
 
IA-64:
kdelibs-3.5.4-13.el5.ia64.rpm
File outdated by:  RHBA-2008:0373		     f5dbf1ec8eceebb294fb9d23b95b4364
kdelibs-apidocs-3.5.4-13.el5.ia64.rpm
File outdated by:  RHBA-2008:0373		     cc7710e3dc78bfdccf3ada21f8fbb9de
kdelibs-devel-3.5.4-13.el5.ia64.rpm
File outdated by:  RHBA-2008:0373		     e64135af218a2b089ce7005fed87a04b
 
PPC:
kdelibs-3.5.4-13.el5.ppc.rpm
File outdated by:  RHBA-2008:0373		     29bd915319ed22e56e0d137253cc852b
kdelibs-3.5.4-13.el5.ppc64.rpm
File outdated by:  RHBA-2008:0373		     46615b20f403cbeb477f86c46c67ac44
kdelibs-apidocs-3.5.4-13.el5.ppc.rpm
File outdated by:  RHBA-2008:0373		     eecf5dc5a052e5defdd3a6816d5b9ae2
kdelibs-devel-3.5.4-13.el5.ppc.rpm
File outdated by:  RHBA-2008:0373		     7c556ec7f4c29086ce2dcdee62f5fd14
kdelibs-devel-3.5.4-13.el5.ppc64.rpm
File outdated by:  RHBA-2008:0373		     2be63373a24d12f1206fe81de6e2c1e9
 
s390x:
kdelibs-3.5.4-13.el5.s390.rpm
File outdated by:  RHBA-2008:0373		     230dcdb2da9a862e102b32168c792885
kdelibs-3.5.4-13.el5.s390x.rpm
File outdated by:  RHBA-2008:0373		     0bfb7027d74d2e5d1d4128aa29673227
kdelibs-apidocs-3.5.4-13.el5.s390x.rpm
File outdated by:  RHBA-2008:0373		     e750100c621dcc5143b22c47a9e3ca0b
kdelibs-devel-3.5.4-13.el5.s390.rpm
File outdated by:  RHBA-2008:0373		     612e4e315bbb301dfc449d9c270f293e
kdelibs-devel-3.5.4-13.el5.s390x.rpm
File outdated by:  RHBA-2008:0373		     e7937888bf5d32ba188396ee82bf2fd1
 
x86_64:
kdelibs-3.5.4-13.el5.i386.rpm
File outdated by:  RHBA-2008:0373		     2cf541a483fe1fbda5f2894f429dd029
kdelibs-3.5.4-13.el5.x86_64.rpm
File outdated by:  RHBA-2008:0373		     68709b52718e0745e3dbd5bb7a04230b
kdelibs-apidocs-3.5.4-13.el5.x86_64.rpm
File outdated by:  RHBA-2008:0373		     3f8d019e0ecfcf919d5b3c55757e6101
kdelibs-devel-3.5.4-13.el5.i386.rpm
File outdated by:  RHBA-2008:0373		     222f3e3b226bae96dd7083e6e47c4350
kdelibs-devel-3.5.4-13.el5.x86_64.rpm
File outdated by:  RHBA-2008:0373		     7beda8e6b585f62c52e032c6cdee89ea
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
kdelibs-3.3.1-9.el4.src.rpm
File outdated by:  RHBA-2008:0670		     4bf1df171502ccaac9c4b9f4af27c5a4
 
IA-32:
kdelibs-3.3.1-9.el4.i386.rpm
File outdated by:  RHBA-2008:0670		     d3325980cb2e409fcb69641c9dd50fa6
kdelibs-devel-3.3.1-9.el4.i386.rpm
File outdated by:  RHBA-2008:0670		     48f2c42b62fe794d35580947197203f6
 
IA-64:
kdelibs-3.3.1-9.el4.i386.rpm
File outdated by:  RHBA-2008:0670		     d3325980cb2e409fcb69641c9dd50fa6
kdelibs-3.3.1-9.el4.ia64.rpm
File outdated by:  RHBA-2008:0670		     3df7ac0ae7500ccc3ce57d6f34bf475a
kdelibs-devel-3.3.1-9.el4.ia64.rpm
File outdated by:  RHBA-2008:0670		     fe8fe5f994ab48ae8fab363832419204
 
PPC:
kdelibs-3.3.1-9.el4.ppc.rpm
File outdated by:  RHBA-2008:0670		     7b134aed54478415a8e4be498be8e919
kdelibs-3.3.1-9.el4.ppc64.rpm
File outdated by:  RHBA-2008:0670		     464d937764cf050cb37f213dc677ed8d
kdelibs-devel-3.3.1-9.el4.ppc.rpm
File outdated by:  RHBA-2008:0670		     d134d0d0233a59b060b3befd9f12ae14
 
s390:
kdelibs-3.3.1-9.el4.s390.rpm
File outdated by:  RHBA-2008:0670		     f3655e6c3230a2afc0e24569b1226cf9
kdelibs-devel-3.3.1-9.el4.s390.rpm
File outdated by:  RHBA-2008:0670		     21c32310827a4e7572be6750bd16e6ca
 
s390x:
kdelibs-3.3.1-9.el4.s390.rpm
File outdated by:  RHBA-2008:0670		     f3655e6c3230a2afc0e24569b1226cf9
kdelibs-3.3.1-9.el4.s390x.rpm
File outdated by:  RHBA-2008:0670		     b79978750768f1786f90bbfb5fe50c88
kdelibs-devel-3.3.1-9.el4.s390x.rpm
File outdated by:  RHBA-2008:0670		     9f9d7f3481582d30eff7b9b826a14ebe
 
x86_64:
kdelibs-3.3.1-9.el4.i386.rpm
File outdated by:  RHBA-2008:0670		     d3325980cb2e409fcb69641c9dd50fa6
kdelibs-3.3.1-9.el4.x86_64.rpm
File outdated by:  RHBA-2008:0670		     45ff0822118c370120cffe8f4f438c95
kdelibs-devel-3.3.1-9.el4.x86_64.rpm
File outdated by:  RHBA-2008:0670		     28d4cbc0fa36755077ade9d68253e6d3
 
Red Hat Enterprise Linux Desktop (v. 5 client)
SRPMS:
kdelibs-3.5.4-13.el5.src.rpm
File outdated by:  RHBA-2008:0373		     e6ceb931f57d243382512a4e05987c66
 
IA-32:
kdelibs-3.5.4-13.el5.i386.rpm
File outdated by:  RHBA-2008:0373		     2cf541a483fe1fbda5f2894f429dd029
kdelibs-apidocs-3.5.4-13.el5.i386.rpm
File outdated by:  RHBA-2008:0373		     fcb32b8d69e5a8650a53b5d6ac347e66
 
x86_64:
kdelibs-3.5.4-13.el5.i386.rpm
File outdated by:  RHBA-2008:0373		     2cf541a483fe1fbda5f2894f429dd029
kdelibs-3.5.4-13.el5.x86_64.rpm
File outdated by:  RHBA-2008:0373		     68709b52718e0745e3dbd5bb7a04230b
kdelibs-apidocs-3.5.4-13.el5.x86_64.rpm
File outdated by:  RHBA-2008:0373		     3f8d019e0ecfcf919d5b3c55757e6101
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
kdelibs-3.3.1-9.el4.src.rpm
File outdated by:  RHBA-2008:0670		     4bf1df171502ccaac9c4b9f4af27c5a4
 
IA-32:
kdelibs-3.3.1-9.el4.i386.rpm
File outdated by:  RHBA-2008:0670		     d3325980cb2e409fcb69641c9dd50fa6
kdelibs-devel-3.3.1-9.el4.i386.rpm
File outdated by:  RHBA-2008:0670		     48f2c42b62fe794d35580947197203f6
 
IA-64:
kdelibs-3.3.1-9.el4.i386.rpm
File outdated by:  RHBA-2008:0670		     d3325980cb2e409fcb69641c9dd50fa6
kdelibs-3.3.1-9.el4.ia64.rpm
File outdated by:  RHBA-2008:0670		     3df7ac0ae7500ccc3ce57d6f34bf475a
kdelibs-devel-3.3.1-9.el4.ia64.rpm
File outdated by:  RHBA-2008:0670		     fe8fe5f994ab48ae8fab363832419204
 
x86_64:
kdelibs-3.3.1-9.el4.i386.rpm
File outdated by:  RHBA-2008:0670		     d3325980cb2e409fcb69641c9dd50fa6
kdelibs-3.3.1-9.el4.x86_64.rpm
File outdated by:  RHBA-2008:0670		     45ff0822118c370120cffe8f4f438c95
kdelibs-devel-3.3.1-9.el4.x86_64.rpm
File outdated by:  RHBA-2008:0670		     28d4cbc0fa36755077ade9d68253e6d3
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
kdelibs-3.3.1-9.el4.src.rpm
File outdated by:  RHBA-2008:0670		     4bf1df171502ccaac9c4b9f4af27c5a4
 
IA-32:
kdelibs-3.3.1-9.el4.i386.rpm
File outdated by:  RHBA-2008:0670		     d3325980cb2e409fcb69641c9dd50fa6
kdelibs-devel-3.3.1-9.el4.i386.rpm
File outdated by:  RHBA-2008:0670		     48f2c42b62fe794d35580947197203f6
 
IA-64:
kdelibs-3.3.1-9.el4.i386.rpm
File outdated by:  RHBA-2008:0670		     d3325980cb2e409fcb69641c9dd50fa6
kdelibs-3.3.1-9.el4.ia64.rpm
File outdated by:  RHBA-2008:0670		     3df7ac0ae7500ccc3ce57d6f34bf475a
kdelibs-devel-3.3.1-9.el4.ia64.rpm
File outdated by:  RHBA-2008:0670		     fe8fe5f994ab48ae8fab363832419204
 
x86_64:
kdelibs-3.3.1-9.el4.i386.rpm
File outdated by:  RHBA-2008:0670		     d3325980cb2e409fcb69641c9dd50fa6
kdelibs-3.3.1-9.el4.x86_64.rpm
File outdated by:  RHBA-2008:0670		     45ff0822118c370120cffe8f4f438c95
kdelibs-devel-3.3.1-9.el4.x86_64.rpm
File outdated by:  RHBA-2008:0670		     28d4cbc0fa36755077ade9d68253e6d3
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

229606 - CVE-2007-0537 konqueror XSS
233592 - CVE-2007-1564 FTP protocol PASV design flaw affects konqueror
234633 - CVE-2007-0242 QT UTF8 improper character expansion
248537 - CVE-2007-3820 Spoofing of URI possible in Konqueror's address bar
251708 - CVE-2007-4224 URL spoof in address bar
299891 - CVE-2007-1308 kdelibs KDE JavaScript denial of service (crash)


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1564
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3820
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4224
http://www.redhat.com/security/updates/classification/#moderate

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/