lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20090819123314.72606848174@hannah.localdomain>
Date: Wed, 19 Aug 2009 22:33:14 +1000 (EST)
From: white@...ian.org (Steffen Joeris)
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 1868-1] New kde4libs packages fix several vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1868-1                  security@...ian.org
http://www.debian.org/security/                      Steffen Joeris
August 19, 2009                       http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : kde4libs                             
Vulnerability  : several vulnerabilities              
Problem type   : local (remote)                       
Debian-specific: no
CVE Ids        : CVE-2009-1690 CVE-2009-1698 CVE-2009-1687
Debian Bugs    : 534949

Several security issues have been discovered in kde4libs, core libraries
for all KDE 4 applications. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2009-1690

It was discovered that there is a use-after-free flaw in handling
certain DOM event handlers. This could lead to the execution of
arbitrary code, when visiting a malicious website.

CVE-2009-1698

It was discovered that there could be an uninitialised pointer when
handling a Cascading Style Sheets (CSS) attr function call. This could
lead to the execution of arbitrary code, when visiting a malicious
website.

CVE-2009-1687

It was discovered that the JavaScript garbage collector does not handle
allocation failures properly, which could lead to the execution of
arbitrary code when visiting a malicious website.


For the stable distribution (lenny), these problems have been fixed in
version 4:4.1.0-3+lenny1.

The oldstable distribution (etch) does not contain kde4libs.

For the testing distribution (squeeze), these problems will be fixed
soon.

For the unstable distribution (sid), these problems have been fixed in
version 4:4.3.0-1.


We recommend that you upgrade your kde4libs packages.


Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/k/kde4libs/kde4libs_4.1.0-3+lenny1.dsc
    Size/MD5 checksum:     2149 7bc7675c4aa9e7afd4fa3f83b3f95810
  http://security.debian.org/pool/updates/main/k/kde4libs/kde4libs_4.1.0-3+lenny1.diff.gz
    Size/MD5 checksum:    91423 ecc50e9bedff96a3285a031141ea15d6
  http://security.debian.org/pool/updates/main/k/kde4libs/kde4libs_4.1.0.orig.tar.gz
    Size/MD5 checksum: 11264345 05487ff0cbc3da093f19e59184b259c7

Architecture independent packages:

  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5-data_4.1.0-3+lenny1_all.deb
    Size/MD5 checksum:  3140792 47debc16cde2c9a927252ef09d89c1a3

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs-bin_4.1.0-3+lenny1_alpha.deb
    Size/MD5 checksum:   485854 b888554c3d2658b0af3abfa842c58588
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5-dbg_4.1.0-3+lenny1_alpha.deb
    Size/MD5 checksum: 67441346 e6d761db09e246d88139e3416de56611
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5-dev_4.1.0-3+lenny1_alpha.deb
    Size/MD5 checksum:  1468330 b8c3ce39505d2532f2c5d7fc83de01d8
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5_4.1.0-3+lenny1_alpha.deb
    Size/MD5 checksum: 11132464 6b307db1dd606a5fbbad60745cf51236

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs-bin_4.1.0-3+lenny1_amd64.deb
    Size/MD5 checksum:   450758 dc184603a57dc4bbcedde957086463c3
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5-dbg_4.1.0-3+lenny1_amd64.deb
    Size/MD5 checksum: 65872658 3bc3de5af3ff3722bd7817b6c4a4c4d4
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5_4.1.0-3+lenny1_amd64.deb
    Size/MD5 checksum: 10078022 aec949a2390e430248089ebb3790ed78
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5-dev_4.1.0-3+lenny1_amd64.deb
    Size/MD5 checksum:  1454348 51a11bc442e5155ee37bc276c2cb025e

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs-bin_4.1.0-3+lenny1_arm.deb
    Size/MD5 checksum:   445060 4c9f86c771e9d24459fc1a1369b19d1c
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5-dbg_4.1.0-3+lenny1_arm.deb
    Size/MD5 checksum: 67062788 8ead631de22e777ac573400dc7829728
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5-dev_4.1.0-3+lenny1_arm.deb
    Size/MD5 checksum:  1501464 e90a472bd53283512dda2c5522b1e779
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5_4.1.0-3+lenny1_arm.deb
    Size/MD5 checksum: 10159066 44dc0551f1664e6775cca2fc2e9568c8

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs-bin_4.1.0-3+lenny1_hppa.deb
    Size/MD5 checksum:   468294 71da7f31e8f21706831abfb597d6c161
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5_4.1.0-3+lenny1_hppa.deb
    Size/MD5 checksum: 11272148 eae478aac58c1e84cb57c9244bc6e633
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5-dbg_4.1.0-3+lenny1_hppa.deb
    Size/MD5 checksum: 66023980 bc0eeed2957433fdf38f227d464c4dac
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5-dev_4.1.0-3+lenny1_hppa.deb
    Size/MD5 checksum:  1501146 55ebcb8acd0e29c84dad063f030d4b32

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5_4.1.0-3+lenny1_i386.deb
    Size/MD5 checksum:  9495028 0486badbc6a675555500eac834e66770
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5-dev_4.1.0-3+lenny1_i386.deb
    Size/MD5 checksum:  1494680 7caef230087548ae9fafc4c9cbfa51a6
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs-bin_4.1.0-3+lenny1_i386.deb
    Size/MD5 checksum:   428258 a2154b9e6f111e00d9fafee2e44950d3
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5-dbg_4.1.0-3+lenny1_i386.deb
    Size/MD5 checksum: 65050706 cc57db2601c136b0ea25aa2aafc9ada4

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs-bin_4.1.0-3+lenny1_ia64.deb
    Size/MD5 checksum:   636012 8835da7f0554073419c9bb1ea699be2f
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5-dbg_4.1.0-3+lenny1_ia64.deb
    Size/MD5 checksum: 69462428 1a34d47746eb45a014c6a18d7711437e
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5-dev_4.1.0-3+lenny1_ia64.deb
    Size/MD5 checksum:  1490832 1731fe69a65e2aaeecbc7c31ba594ea3
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5_4.1.0-3+lenny1_ia64.deb
    Size/MD5 checksum: 14283690 92e7eaeeb3288d64aad305c1f7b46ace

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs-bin_4.1.0-3+lenny1_mips.deb
    Size/MD5 checksum:   411002 fc291f1f164002ffa25f21ab4413d418
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5-dev_4.1.0-3+lenny1_mips.deb
    Size/MD5 checksum:  1491562 5ad177aedcac523d4414c1b33590a8aa
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5-dbg_4.1.0-3+lenny1_mips.deb
    Size/MD5 checksum: 67214842 6bf4782cae7a4bb07600a8c4622d2ba8
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5_4.1.0-3+lenny1_mips.deb
    Size/MD5 checksum:  8922858 e2081fa92bc60067bf3fab1d9553d9f0

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5-dev_4.1.0-3+lenny1_mipsel.deb
    Size/MD5 checksum:  1445728 0e93a06b9c99da3e19fe9ed57effc2af
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5-dbg_4.1.0-3+lenny1_mipsel.deb
    Size/MD5 checksum: 64601046 76bcf6fa57c4c9fe4146996227fd483e
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs-bin_4.1.0-3+lenny1_mipsel.deb
    Size/MD5 checksum:   410088 c1a038807d9bfd9ec21b3d3fb9b4ad3b
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5_4.1.0-3+lenny1_mipsel.deb
    Size/MD5 checksum:  8776788 a4e68c739bc64700c8cba42746337051

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5_4.1.0-3+lenny1_powerpc.deb
    Size/MD5 checksum: 10152880 7c3caef790d31e75030798ff255860f0
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5-dev_4.1.0-3+lenny1_powerpc.deb
    Size/MD5 checksum:  1504080 2a6f91b2f9d251f7c948db16b26b74e6
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs-bin_4.1.0-3+lenny1_powerpc.deb
    Size/MD5 checksum:   488426 f82580483fe29a15a635df5b130889f0
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5-dbg_4.1.0-3+lenny1_powerpc.deb
    Size/MD5 checksum: 69005164 b5142561ef43d8f394f69723ecfa101e

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5-dev_4.1.0-3+lenny1_s390.deb
    Size/MD5 checksum:  1454438 7f6117ffd81b9a759544a84b129451d2
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5-dbg_4.1.0-3+lenny1_s390.deb
    Size/MD5 checksum: 69791606 b67cba5028161769d9227e551ce1e3ce
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs-bin_4.1.0-3+lenny1_s390.deb
    Size/MD5 checksum:   476722 3871456f5fad8399f14f6711bd483635
  http://security.debian.org/pool/updates/main/k/kde4libs/kdelibs5_4.1.0-3+lenny1_s390.deb
    Size/MD5 checksum: 10410196 3a1c94adbe9d2cdf3aab21e684a2ee09


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqL6kUACgkQ62zWxYk/rQc4XQCgv57MtdnS28v+mv32yeqdPJGM
dbkAoMhblXkQ41ECEW7pS9G/A0+cXXNb
=Cy4f
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ