Security Advisory Critical: kdelibs security update

Advisory: RHSA-2009:1127-1
Type: Security Advisory
Severity: Critical
Issued on: 2009-06-25
Last updated on: 2009-06-25
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.8.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.8.z)
Red Hat Enterprise Linux EUS (v. 5.3.z server)
Red Hat Enterprise Linux WS (v. 4)
OVAL: com.redhat.rhsa-20091127.xml
CVEs (cve.mitre.org): CVE-2009-1687
CVE-2009-1690
CVE-2009-1698

Details

Updated kdelibs packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

The kdelibs packages provide libraries for the K Desktop Environment (KDE).

A flaw was found in the way the KDE CSS parser handled content for the
CSS "style" attribute. A remote attacker could create a specially-crafted
CSS equipped HTML page, which once visited by an unsuspecting user, could
cause a denial of service (Konqueror crash) or, potentially, execute
arbitrary code with the privileges of the user running Konqueror.
(CVE-2009-1698)

A flaw was found in the way the KDE HTML parser handled content for the
HTML "head" element. A remote attacker could create a specially-crafted
HTML page, which once visited by an unsuspecting user, could cause a denial
of service (Konqueror crash) or, potentially, execute arbitrary code with
the privileges of the user running Konqueror. (CVE-2009-1690)

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way the KDE JavaScript garbage collector handled memory
allocation requests. A remote attacker could create a specially-crafted
HTML page, which once visited by an unsuspecting user, could cause a denial
of service (Konqueror crash) or, potentially, execute arbitrary code with
the privileges of the user running Konqueror. (CVE-2009-1687)

Users should upgrade to these updated packages, which contain backported
patches to correct these issues. The desktop must be restarted (log out,
then log back in) for this update to take effect.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)
SRPMS:
kdelibs-3.5.4-22.el5_3.src.rpm
File outdated by:  RHBA-2009:1464		     3ebcde02b6c7e3a4de54dab8bc6e76ef
 
IA-32:
kdelibs-devel-3.5.4-22.el5_3.i386.rpm
File outdated by:  RHBA-2009:1464		     537f2322bb95d5fa12aa177fd5f309b9
 
x86_64:
kdelibs-devel-3.5.4-22.el5_3.i386.rpm
File outdated by:  RHBA-2009:1464		     537f2322bb95d5fa12aa177fd5f309b9
kdelibs-devel-3.5.4-22.el5_3.x86_64.rpm
File outdated by:  RHBA-2009:1464		     d62ba6606b72a4695ed23a5ef368836c
 
Red Hat Desktop (v. 4)
SRPMS:
kdelibs-3.3.1-14.el4.src.rpm     66175b2a671dc2c0dcb8afe21b9a68e5
 
IA-32:
kdelibs-3.3.1-14.el4.i386.rpm     da47eaea78ab4a4fe0012abe2e37b941
kdelibs-devel-3.3.1-14.el4.i386.rpm     7c54c15cd71143b1524c35b9e861acbb
 
x86_64:
kdelibs-3.3.1-14.el4.i386.rpm     da47eaea78ab4a4fe0012abe2e37b941
kdelibs-3.3.1-14.el4.x86_64.rpm     6256f39d355df1a417dde5c3c5b71c6a
kdelibs-devel-3.3.1-14.el4.x86_64.rpm     e1e344e997703fc5ebc56c5c29cd1e2c
 
Red Hat Enterprise Linux (v. 5 server)
SRPMS:
kdelibs-3.5.4-22.el5_3.src.rpm
File outdated by:  RHBA-2009:1464		     3ebcde02b6c7e3a4de54dab8bc6e76ef
 
IA-32:
kdelibs-3.5.4-22.el5_3.i386.rpm
File outdated by:  RHBA-2009:1464		     2c4de5c72c436126f347644fa7718b5d
kdelibs-apidocs-3.5.4-22.el5_3.i386.rpm
File outdated by:  RHBA-2009:1464		     3b585c7b8af328f3a2fd54b8e0a95d03
kdelibs-devel-3.5.4-22.el5_3.i386.rpm
File outdated by:  RHBA-2009:1464		     537f2322bb95d5fa12aa177fd5f309b9
 
IA-64:
kdelibs-3.5.4-22.el5_3.ia64.rpm
File outdated by:  RHBA-2009:1464		     0015fed68bd69368cbb9d81870f3734d
kdelibs-apidocs-3.5.4-22.el5_3.ia64.rpm
File outdated by:  RHBA-2009:1464		     cbf8a48f4e025ee10e59befab7528252
kdelibs-devel-3.5.4-22.el5_3.ia64.rpm
File outdated by:  RHBA-2009:1464		     ad3279d82fef0dfd1ad8a73e5125204d
 
PPC:
kdelibs-3.5.4-22.el5_3.ppc.rpm
File outdated by:  RHBA-2009:1464		     94ed25ce71d9e1a899e8f5af46e2f68a
kdelibs-3.5.4-22.el5_3.ppc64.rpm
File outdated by:  RHBA-2009:1464		     188d38c50b9842214cc6ac00d9c4aea2
kdelibs-apidocs-3.5.4-22.el5_3.ppc.rpm
File outdated by:  RHBA-2009:1464		     66d7aafa73c2e2faa521744b7c9dcffc
kdelibs-devel-3.5.4-22.el5_3.ppc.rpm
File outdated by:  RHBA-2009:1464		     a2d1083af4b9826e974f087dc3d8fa01
kdelibs-devel-3.5.4-22.el5_3.ppc64.rpm
File outdated by:  RHBA-2009:1464		     149b52b34d5cd160573e666b5a3b91cd
 
s390x:
kdelibs-3.5.4-22.el5_3.s390.rpm
File outdated by:  RHBA-2009:1464		     64819a3039869a1bcae4f591dbdd5106
kdelibs-3.5.4-22.el5_3.s390x.rpm
File outdated by:  RHBA-2009:1464		     317840572304e20631a779e34745eb53
kdelibs-apidocs-3.5.4-22.el5_3.s390x.rpm
File outdated by:  RHBA-2009:1464		     a75bd7b7db45f4e1b509964cf7ce65b5
kdelibs-devel-3.5.4-22.el5_3.s390.rpm
File outdated by:  RHBA-2009:1464		     81f1998ec68384a8d89216812ab36324
kdelibs-devel-3.5.4-22.el5_3.s390x.rpm
File outdated by:  RHBA-2009:1464		     19516261db0636c0d358ba0f7b9dc2d4
 
x86_64:
kdelibs-3.5.4-22.el5_3.i386.rpm
File outdated by:  RHBA-2009:1464		     2c4de5c72c436126f347644fa7718b5d
kdelibs-3.5.4-22.el5_3.x86_64.rpm
File outdated by:  RHBA-2009:1464		     dc7931e1d724efd17ad767aaeb22952c
kdelibs-apidocs-3.5.4-22.el5_3.x86_64.rpm
File outdated by:  RHBA-2009:1464		     193707abc675148d56152766a2dfd84d
kdelibs-devel-3.5.4-22.el5_3.i386.rpm
File outdated by:  RHBA-2009:1464		     537f2322bb95d5fa12aa177fd5f309b9
kdelibs-devel-3.5.4-22.el5_3.x86_64.rpm
File outdated by:  RHBA-2009:1464		     d62ba6606b72a4695ed23a5ef368836c
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
kdelibs-3.3.1-14.el4.src.rpm     66175b2a671dc2c0dcb8afe21b9a68e5
 
IA-32:
kdelibs-3.3.1-14.el4.i386.rpm     da47eaea78ab4a4fe0012abe2e37b941
kdelibs-devel-3.3.1-14.el4.i386.rpm     7c54c15cd71143b1524c35b9e861acbb
 
IA-64:
kdelibs-3.3.1-14.el4.i386.rpm     da47eaea78ab4a4fe0012abe2e37b941
kdelibs-3.3.1-14.el4.ia64.rpm     17083c96b82b3bdbf557276a1e3ea21a
kdelibs-devel-3.3.1-14.el4.ia64.rpm     27c814f5264a355e4b4bdc9a41838081
 
PPC:
kdelibs-3.3.1-14.el4.ppc.rpm     78c783f0b76e8f4325496692aae81be3
kdelibs-3.3.1-14.el4.ppc64.rpm     068738f0ac9d4e6b903daf81963b20a3
kdelibs-devel-3.3.1-14.el4.ppc.rpm     cfe57bd09486dbb928e3a670116c7682
 
s390:
kdelibs-3.3.1-14.el4.s390.rpm     eb06c14cabfacd9496fee66279213d52
kdelibs-devel-3.3.1-14.el4.s390.rpm     882cf1595cf7c504e7e68c771988a6bf
 
s390x:
kdelibs-3.3.1-14.el4.s390.rpm     eb06c14cabfacd9496fee66279213d52
kdelibs-3.3.1-14.el4.s390x.rpm     1ae1e23baee26405c8dda577c24d0806
kdelibs-devel-3.3.1-14.el4.s390x.rpm     58216d493a93a3194e3b8189677fa9f9
 
x86_64:
kdelibs-3.3.1-14.el4.i386.rpm     da47eaea78ab4a4fe0012abe2e37b941
kdelibs-3.3.1-14.el4.x86_64.rpm     6256f39d355df1a417dde5c3c5b71c6a
kdelibs-devel-3.3.1-14.el4.x86_64.rpm     e1e344e997703fc5ebc56c5c29cd1e2c
 
Red Hat Enterprise Linux AS (v. 4.8.z)
SRPMS:
kdelibs-3.3.1-14.el4.src.rpm     66175b2a671dc2c0dcb8afe21b9a68e5
 
IA-32:
kdelibs-3.3.1-14.el4.i386.rpm     da47eaea78ab4a4fe0012abe2e37b941
kdelibs-devel-3.3.1-14.el4.i386.rpm     7c54c15cd71143b1524c35b9e861acbb
 
IA-64:
kdelibs-3.3.1-14.el4.i386.rpm     da47eaea78ab4a4fe0012abe2e37b941
kdelibs-3.3.1-14.el4.ia64.rpm     17083c96b82b3bdbf557276a1e3ea21a
kdelibs-devel-3.3.1-14.el4.ia64.rpm     27c814f5264a355e4b4bdc9a41838081
 
PPC:
kdelibs-3.3.1-14.el4.ppc.rpm     78c783f0b76e8f4325496692aae81be3
kdelibs-3.3.1-14.el4.ppc64.rpm     068738f0ac9d4e6b903daf81963b20a3
kdelibs-devel-3.3.1-14.el4.ppc.rpm     cfe57bd09486dbb928e3a670116c7682
 
s390:
kdelibs-3.3.1-14.el4.s390.rpm     eb06c14cabfacd9496fee66279213d52
kdelibs-devel-3.3.1-14.el4.s390.rpm     882cf1595cf7c504e7e68c771988a6bf
 
s390x:
kdelibs-3.3.1-14.el4.s390.rpm     eb06c14cabfacd9496fee66279213d52
kdelibs-3.3.1-14.el4.s390x.rpm     1ae1e23baee26405c8dda577c24d0806
kdelibs-devel-3.3.1-14.el4.s390x.rpm     58216d493a93a3194e3b8189677fa9f9
 
x86_64:
kdelibs-3.3.1-14.el4.i386.rpm     da47eaea78ab4a4fe0012abe2e37b941
kdelibs-3.3.1-14.el4.x86_64.rpm     6256f39d355df1a417dde5c3c5b71c6a
kdelibs-devel-3.3.1-14.el4.x86_64.rpm     e1e344e997703fc5ebc56c5c29cd1e2c
 
Red Hat Enterprise Linux Desktop (v. 5 client)
SRPMS:
kdelibs-3.5.4-22.el5_3.src.rpm
File outdated by:  RHBA-2009:1464		     3ebcde02b6c7e3a4de54dab8bc6e76ef
 
IA-32:
kdelibs-3.5.4-22.el5_3.i386.rpm
File outdated by:  RHBA-2009:1464		     2c4de5c72c436126f347644fa7718b5d
kdelibs-apidocs-3.5.4-22.el5_3.i386.rpm
File outdated by:  RHBA-2009:1464		     3b585c7b8af328f3a2fd54b8e0a95d03
 
x86_64:
kdelibs-3.5.4-22.el5_3.i386.rpm
File outdated by:  RHBA-2009:1464		     2c4de5c72c436126f347644fa7718b5d
kdelibs-3.5.4-22.el5_3.x86_64.rpm
File outdated by:  RHBA-2009:1464		     dc7931e1d724efd17ad767aaeb22952c
kdelibs-apidocs-3.5.4-22.el5_3.x86_64.rpm
File outdated by:  RHBA-2009:1464		     193707abc675148d56152766a2dfd84d
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
kdelibs-3.3.1-14.el4.src.rpm     66175b2a671dc2c0dcb8afe21b9a68e5
 
IA-32:
kdelibs-3.3.1-14.el4.i386.rpm     da47eaea78ab4a4fe0012abe2e37b941
kdelibs-devel-3.3.1-14.el4.i386.rpm     7c54c15cd71143b1524c35b9e861acbb
 
IA-64:
kdelibs-3.3.1-14.el4.i386.rpm     da47eaea78ab4a4fe0012abe2e37b941
kdelibs-3.3.1-14.el4.ia64.rpm     17083c96b82b3bdbf557276a1e3ea21a
kdelibs-devel-3.3.1-14.el4.ia64.rpm     27c814f5264a355e4b4bdc9a41838081
 
x86_64:
kdelibs-3.3.1-14.el4.i386.rpm     da47eaea78ab4a4fe0012abe2e37b941
kdelibs-3.3.1-14.el4.x86_64.rpm     6256f39d355df1a417dde5c3c5b71c6a
kdelibs-devel-3.3.1-14.el4.x86_64.rpm     e1e344e997703fc5ebc56c5c29cd1e2c
 
Red Hat Enterprise Linux ES (v. 4.8.z)
SRPMS:
kdelibs-3.3.1-14.el4.src.rpm     66175b2a671dc2c0dcb8afe21b9a68e5
 
IA-32:
kdelibs-3.3.1-14.el4.i386.rpm     da47eaea78ab4a4fe0012abe2e37b941
kdelibs-devel-3.3.1-14.el4.i386.rpm     7c54c15cd71143b1524c35b9e861acbb
 
IA-64:
kdelibs-3.3.1-14.el4.i386.rpm     da47eaea78ab4a4fe0012abe2e37b941
kdelibs-3.3.1-14.el4.ia64.rpm     17083c96b82b3bdbf557276a1e3ea21a
kdelibs-devel-3.3.1-14.el4.ia64.rpm     27c814f5264a355e4b4bdc9a41838081
 
x86_64:
kdelibs-3.3.1-14.el4.i386.rpm     da47eaea78ab4a4fe0012abe2e37b941
kdelibs-3.3.1-14.el4.x86_64.rpm     6256f39d355df1a417dde5c3c5b71c6a
kdelibs-devel-3.3.1-14.el4.x86_64.rpm     e1e344e997703fc5ebc56c5c29cd1e2c
 
Red Hat Enterprise Linux EUS (v. 5.3.z server)
SRPMS:
kdelibs-3.5.4-22.el5_3.src.rpm
File outdated by:  RHBA-2009:1464		     3ebcde02b6c7e3a4de54dab8bc6e76ef
 
IA-32:
kdelibs-3.5.4-22.el5_3.i386.rpm     2c4de5c72c436126f347644fa7718b5d
kdelibs-apidocs-3.5.4-22.el5_3.i386.rpm     3b585c7b8af328f3a2fd54b8e0a95d03
kdelibs-devel-3.5.4-22.el5_3.i386.rpm     537f2322bb95d5fa12aa177fd5f309b9
 
IA-64:
kdelibs-3.5.4-22.el5_3.ia64.rpm     0015fed68bd69368cbb9d81870f3734d
kdelibs-apidocs-3.5.4-22.el5_3.ia64.rpm     cbf8a48f4e025ee10e59befab7528252
kdelibs-devel-3.5.4-22.el5_3.ia64.rpm     ad3279d82fef0dfd1ad8a73e5125204d
 
PPC:
kdelibs-3.5.4-22.el5_3.ppc.rpm     94ed25ce71d9e1a899e8f5af46e2f68a
kdelibs-3.5.4-22.el5_3.ppc64.rpm     188d38c50b9842214cc6ac00d9c4aea2
kdelibs-apidocs-3.5.4-22.el5_3.ppc.rpm     66d7aafa73c2e2faa521744b7c9dcffc
kdelibs-devel-3.5.4-22.el5_3.ppc.rpm     a2d1083af4b9826e974f087dc3d8fa01
kdelibs-devel-3.5.4-22.el5_3.ppc64.rpm     149b52b34d5cd160573e666b5a3b91cd
 
s390x:
kdelibs-3.5.4-22.el5_3.s390.rpm     64819a3039869a1bcae4f591dbdd5106
kdelibs-3.5.4-22.el5_3.s390x.rpm     317840572304e20631a779e34745eb53
kdelibs-apidocs-3.5.4-22.el5_3.s390x.rpm     a75bd7b7db45f4e1b509964cf7ce65b5
kdelibs-devel-3.5.4-22.el5_3.s390.rpm     81f1998ec68384a8d89216812ab36324
kdelibs-devel-3.5.4-22.el5_3.s390x.rpm     19516261db0636c0d358ba0f7b9dc2d4
 
x86_64:
kdelibs-3.5.4-22.el5_3.i386.rpm     2c4de5c72c436126f347644fa7718b5d
kdelibs-3.5.4-22.el5_3.x86_64.rpm     dc7931e1d724efd17ad767aaeb22952c
kdelibs-apidocs-3.5.4-22.el5_3.x86_64.rpm     193707abc675148d56152766a2dfd84d
kdelibs-devel-3.5.4-22.el5_3.i386.rpm     537f2322bb95d5fa12aa177fd5f309b9
kdelibs-devel-3.5.4-22.el5_3.x86_64.rpm     d62ba6606b72a4695ed23a5ef368836c
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
kdelibs-3.3.1-14.el4.src.rpm     66175b2a671dc2c0dcb8afe21b9a68e5
 
IA-32:
kdelibs-3.3.1-14.el4.i386.rpm     da47eaea78ab4a4fe0012abe2e37b941
kdelibs-devel-3.3.1-14.el4.i386.rpm     7c54c15cd71143b1524c35b9e861acbb
 
IA-64:
kdelibs-3.3.1-14.el4.i386.rpm     da47eaea78ab4a4fe0012abe2e37b941
kdelibs-3.3.1-14.el4.ia64.rpm     17083c96b82b3bdbf557276a1e3ea21a
kdelibs-devel-3.3.1-14.el4.ia64.rpm     27c814f5264a355e4b4bdc9a41838081
 
x86_64:
kdelibs-3.3.1-14.el4.i386.rpm     da47eaea78ab4a4fe0012abe2e37b941
kdelibs-3.3.1-14.el4.x86_64.rpm     6256f39d355df1a417dde5c3c5b71c6a
kdelibs-devel-3.3.1-14.el4.x86_64.rpm     e1e344e997703fc5ebc56c5c29cd1e2c
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

505571 - CVE-2009-1690 kdelibs: KHTML Incorrect handling <head> element content once the <head> element was removed (DoS, ACE)
506453 - CVE-2009-1687 kdelibs: Integer overflow in KJS JavaScript garbage collector
506469 - CVE-2009-1698 kdelibs: KHTML CSS parser - incorrect handling CSS "style" attribute content (DoS, ACE)


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1690
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1698
http://www.redhat.com/security/updates/classification/#critical

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/