[10880] in bugtraq
[RHSA-1999:015-01] KDE update for Red Hat Linux 6.0 (fwd)
daemon@ATHENA.MIT.EDU (Raymond Dijkxhoorn)
Tue Jun 22 23:54:43 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.9906222232030.20642-100000@twix.thrijswijk.nl>
Date: Tue, 22 Jun 1999 22:32:23 +0200
Reply-To: Raymond Dijkxhoorn <raymond@THRIJSWIJK.NL>
From: Raymond Dijkxhoorn <raymond@THRIJSWIJK.NL>
To: BUGTRAQ@NETSPACE.ORG
From: Preston Brown <pbrown@redhat.com>
-----BEGIN PGP SIGNED MESSAGE-----
- ---------------------------------------------------------------------
Red Hat, Inc. Security Advisory
Synopsis: KDE update for Red Hat Linux 6.0
Advisory ID: RHSA-1999:015-01
Issue date: 1999-06-21
Keywords: kde kdm kvt kmail 1.1.1
- ---------------------------------------------------------------------
1. Topic:
New KDE RPMs are available for Red Hat Linux 6.0. These RPMs upgrade
the 1.1.1pre2 release to 1.1.1 final + fixes. Several security holes
have been closed, and other bugs noted in the original RPMs have been
corrected.
2. BugIDs fixed:
2877 3433
3. Relevant releases/architectures:
Red Hat Linux 6.0, all architectures
4. Obsoleted by:
5. Conflicts with:
6. RPMs required:
Intel: ftp://updates.redhat.com/6.0/i386/
kdeadmin-1.1.1-1.i386.rpm
kdebase-1.1.1-1.i386.rpm
kdegames-1.1.1-1.i386.rpm
kdegraphics-1.1.1-1.i386.rpm
kdelibs-1.1.1-1.i386.rpm
kdemultimedia-1.1.1-1.i386.rpm
kdenetwork-1.1.1-1.i386.rpm
kdesupport-1.1.1-1.i386.rpm
kdetoys-1.1.1-1.i386.rpm
kdeutils-1.1.1-1.i386.rpm
korganizer-1.1.1.i386.rpm
kpilot-3.1b9-1.i386.rpm
Alpha: ftp://updates.redhat.com/6.0/alpha/
kdeadmin-1.1.1-1.alpha.rpm
kdebase-1.1.1-1.alpha.rpm
kdegames-1.1.1-1.alpha.rpm
kdegraphics-1.1.1-1.alpha.rpm
kdelibs-1.1.1-1.alpha.rpm
kdemultimedia-1.1.1-1.alpha.rpm
kdenetwork-1.1.1-1.alpha.rpm
kdesupport-1.1.1-1.alpha.rpm
kdetoys-1.1.1-1.alpha.rpm
kdeutils-1.1.1-1.alpha.rpm
korganizer-1.1.1.alpha.rpm
kpilot-3.1b9-1.alpha.rpm
Sparc: ftp://updates.redhat.com/6.0/sparc
kdeadmin-1.1.1-1.sparc.rpm
kdebase-1.1.1-1.sparc.rpm
kdegames-1.1.1-1.sparc.rpm
kdegraphics-1.1.1-1.sparc.rpm
kdelibs-1.1.1-1.sparc.rpm
kdemultimedia-1.1.1-1.sparc.rpm
kdenetwork-1.1.1-1.sparc.rpm
kdesupport-1.1.1-1.sparc.rpm
kdetoys-1.1.1-1.sparc.rpm
kdeutils-1.1.1-1.sparc.rpm
korganizer-1.1.1.sparc.rpm
kpilot-3.1b9-1.sparc.rpm
7. Problem description:
Red Hat Linux 6.0 shipped with KDE 1.1.1pre2, the latest release
available at the time we went into production. There were a number of
configuration and security bugs in the original packages.
kmail, the KDE mail reader, had a bug related to decoding MIME
attachments in an unsafe manner. Attachments were written using an
easily predictable filename to a temporary directory. This could
then be exploited to overwrite arbitrary files owned by the
person using kmail via a symlink attack.
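The flaw described above is the classic predictable-temporary-file problem: a fixed name in a world-writable directory lets any local user pre-place a symlink there before the victim's program writes. As an added example (my own script, not code from kmail, KDE or this advisory), here is how a POSIX shell script that decodes attachments avoids it: a fresh mode-0700 directory from mktemp -d, whose name is unpredictable and which other users cannot write into, plus a noclobber write that fails rather than truncating through any path that already exists. The function names attachment_dir and save_attachment are mine, and the example assumes a mktemp that supports -d.

```shell
#!/bin/sh
# Added example, not kmail's code.  Names attachment_dir/save_attachment
# are hypothetical; assumes a mktemp(1) that supports -d.

# One private directory per decoding run.  mkdtemp() semantics: random
# name, created with mode 0700, so no other user can plant a symlink in
# it ahead of time.
attachment_dir() {
    mktemp -d "${TMPDIR:-/tmp}/attach.XXXXXX"
}

# save_attachment DIR NAME CONTENT  ->  prints the path written, or fails.
save_attachment() {
    dir=$1; name=$2; content=$3
    # NAME comes from the message itself, so refuse anything that could
    # escape DIR (empty, dot entries, or a path component with a slash).
    case $name in
        ""|.|..|*/*)
            echo "rejected attachment name: '$name'" >&2
            return 1 ;;
    esac
    target="$dir/$name"
    # set -C (noclobber) in a subshell: the shell opens with O_EXCL when
    # nothing is there and refuses an existing regular file, so a path
    # that already exists makes the redirection fail instead of being
    # truncated.  The protection that really matters is the 0700
    # directory above; this is a second line of defence.
    ( set -C; printf '%s' "$content" > "$target" ) 2>/dev/null || return 1
    printf '%s\n' "$target"
}

# Stand-alone demonstration (constructed sample attachment).
if [ "${1:-}" = "--demo" ]; then
    d=$(attachment_dir) || exit 1
    save_attachment "$d" "report.txt" "hello from a constructed MIME part"
fi
```

The noclobber write is deliberately not relied on alone: a symlink that points at an existing non-regular file (a device, say) is still opened by the shell, only without truncation. What closes the hole is that attachments never land in a shared directory at all, only in one the user just created with mode 0700.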
8. Solution:
Upgrade to KDE 1.1.1 final, which fixes a number of bugs present in
the previous release and contains additional patches to correct
security holes in kmail and kvt.
For each RPM for your particular architecture, run:
rpm -Uvh <filename>
where filename is the name of the RPM.
9. Verification:
These packages are PGP signed by Red Hat Inc. for security. Our key
is available at:
http://www.redhat.com/corp/contact.html
You can verify each package with the following command:
rpm --checksig <filename>
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nopgp <filename>
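As an added example (my own script, not part of this advisory or of rpm itself), the following POSIX shell function runs the section 9 check over every downloaded package first and performs the section 8 upgrade only if all of them pass, so a single bad file aborts the whole update instead of leaving a half-installed KDE. The name verify_then_install is mine; it assumes rpm is on PATH, that Red Hat's PGP key was obtained from a trusted place and imported, and relies on rpm --checksig exiting non-zero when a check fails.

```shell
#!/bin/sh
# Added example, not Red Hat's code.  verify_then_install is a
# hypothetical name; assumes rpm on PATH and the vendor key imported.

verify_then_install() {
    if [ "$#" -eq 0 ]; then
        echo "usage: verify_then_install <file.rpm> ..." >&2
        return 2
    fi

    bad=0
    for f in "$@"; do
        # Full check (signature and digest).  --nopgp is deliberately not
        # used here: it only proves the file is uncorrupted, not that it
        # came from Red Hat.
        if rpm --checksig "$f"; then
            :
        else
            echo "REFUSING: $f failed signature check" >&2
            bad=1
        fi
    done

    # All-or-nothing: install nothing if any package failed.
    [ "$bad" -eq 0 ] || return 1

    rpm -Uvh "$@"
}

# Stand-alone use:  sh verify_then_install.sh kde*.rpm korganizer*.rpm kpilot*.rpm
if [ "$#" -gt 0 ]; then
    verify_then_install "$@"
fi
```

Running all packages through rpm -Uvh in one invocation, as the function does, also lets rpm resolve the inter-package dependencies of the KDE set in a single transaction.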
10. References:
http://www.geek-girl.com/bugtraq/1999_2/0685.html
This URL describes the kmail security hole.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv
iQCVAwUBN2+dVtLHqShaOYAxAQF6XAQAqNuA491aBD2rL9ubjMd1iKZCA9wSUzNm
BRZ5akb7ZZZQQStIkTAxyODnNlVlnfO0TYHJ+AwAVo76oM5Kdzq1R51BP+PTxev3
C+Unppug5NkUMB+DOt4Cr/jB+u5VvSIBK/s33/SjdUUWupHIesOf6mi7F27f/Lix
yApeMatgLcE=
=lU2O
-----END PGP SIGNATURE-----
---
Preston Brown
Red Hat, Inc.
pbrown@redhat.com
PGP public key: http://www.redhat.com/~pbrown/pbrown-pgp-pubkey.txt