             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                       kdelibs Package Vulnerabilities
                [Red Hat Security Advisory (RHSA-2004:222-11)]

May 19, 2004 22:00 GMT                                            Number O-146
[REVISED 01 Jun 2004]
[REVISED 14 Jun 2004]
______________________________________________________________________________
PROBLEM:       kdelibs packages contain vulnerabilities in the telnet URI
               handler and the mailto URI handler.
PLATFORM:      Red Hat Enterprise Linux AS, ES, WS (v. 2.1) and (v. 3)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium
               Processor
               SGI ProPack 3, SGI ProPack v2.4
               Debian GNU/Linux 3.0 (woody)
DAMAGE:        A flaw in the telnet URI handler may allow options to be
               passed to the telnet program, resulting in creation or
               replacement of files. Also, a flaw in the mailto URI
               handler may allow options to be passed to the kmail
               program. This could cause kmail to write to the file
               system or run on a remote X display.
SOLUTION:      Install the package updates.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. An attacker may create a carefully
ASSESSMENT:    crafted link that, when opened by a victim, creates,
               overwrites, or runs a file with the victim's permissions.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-146.shtml
 ORIGINAL BULLETIN:  Red Hat
                     https://rhn.redhat.com/errata/RHSA-2004-222.html
 ADDITIONAL LINKS:
   - SGI Security Advisory 20040509-01-U, for ProPack 3, Patch 10078
     ftp://patches.sgi.com/support/free/security/advisories/20040509-01-U.asc
   - SGI Security Advisory 20040509-01-U, for ProPack v2.4, Patch 10077
     ftp://patches.sgi.com/support/free/security/advisories/20040508-01-U.asc
   - Debian Security Advisory DSA-518-1
     http://www.debian.org/security/2004/dsa-518
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0411
______________________________________________________________________________
REVISION HISTORY:
 6/1/04     - added links to SGI's Advisories for Patches 10077 and 10078.
 06/14/2004 - added a link to Debian Security Advisory DSA-518-1.

[***** Start Red Hat Security Advisory (RHSA-2004:222-11) *****]

Updated kdelibs packages resolve URI security issues

Advisory:             RHSA-2004:222-11
Last updated on:      2004-05-17
Affected Products:    Red Hat Desktop (v. 3)
                      Red Hat Enterprise Linux AS (v. 2.1)
                      Red Hat Enterprise Linux AS (v. 3)
                      Red Hat Enterprise Linux ES (v. 2.1)
                      Red Hat Enterprise Linux ES (v. 3)
                      Red Hat Enterprise Linux WS (v. 2.1)
                      Red Hat Enterprise Linux WS (v. 3)
                      Red Hat Linux Advanced Workstation 2.1 for the Itanium
                      Processor
CVEs (cve.mitre.org): CAN-2004-0411

Security Advisory Details:

Updated kdelibs packages that fix telnet URI handler and mailto URI handler
file vulnerabilities are now available.

The kdelibs packages include libraries for the K Desktop Environment. KDE
Libraries include: kdecore (KDE core library), kdeui (user interface), kfm
(file manager), khtmlw (HTML widget), kio (Input/Output, networking), kspell
(spelling checker), jscript (javascript), kab (addressbook), kimgio (image
manipulation). Konqueror is a file manager and Web browser for the K Desktop
Environment (KDE).
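The telnet and mailto handler flaws that this bulletin reports are a case of
argument injection: a component of a URI is handed to a command-line program
as an argument, and a component that begins with '-' is read by that program
as an option instead of as a host or mailbox. The following Python is an added
illustration, not code from KDE, Red Hat or CIAC. It builds the argv for both
handlers the naive way (as the pre-fix behaviour is described) and the hardened
way, where the component is validated before it can reach exec(). All class
and function names are hypothetical; the host check accepts only hostnames and
dotted IPv4 addresses (an assumption made for brevity, so bracketed IPv6
literals are rejected), and URIs carrying userinfo are refused as a design
choice of this example.

```python
import re
from urllib.parse import urlsplit

# Hypothetical helper names for this illustration (not KDE's code).
# Host: RFC 1123 hostname or dotted IPv4; labels may not start or end with '-'.
# The leading (?!-) also guarantees the argument can never begin with '-',
# which is the property the handler needs before it calls exec().
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
# Mailbox: conservative addr-spec; the local part may not begin with '-'.
_MAILBOX_RE = re.compile(r"^(?!-)[A-Za-z0-9._%+-]+@(?!-)[A-Za-z0-9.-]+$")


class UnsafeUriError(ValueError):
    """Raised when a URI component could be mistaken for a program option."""


def telnet_argv_naive(uri):
    """Pre-fix behaviour: whatever follows the scheme becomes argv[1] as-is.

    A host that starts with '-' therefore reaches telnet as an option, which
    is the flaw class the advisory describes.
    """
    rest = uri[len("telnet:"):].lstrip("/")
    host, _, port = rest.partition(":")
    argv = ["telnet", host]
    if port:
        argv.append(port)
    return argv


def telnet_argv_hardened(uri):
    """Validate host and port before either becomes an argv entry."""
    parts = urlsplit(uri)
    if parts.scheme != "telnet":
        raise UnsafeUriError("not a telnet URI")
    if parts.username is not None or parts.password is not None:
        # Design choice for this example: refuse userinfo rather than forward
        # yet another attacker-chosen string to the program.
        raise UnsafeUriError("userinfo not accepted")
    host = parts.hostname or ""          # urlsplit lower-cases the host
    if not _HOST_RE.match(host):
        raise UnsafeUriError("invalid host: %r" % host)
    try:
        port = parts.port                # None when absent, ValueError when not numeric
    except ValueError:
        raise UnsafeUriError("invalid port")
    argv = ["telnet", host]
    if port is not None:
        argv.append(str(port))
    return argv


def mailto_argv_hardened(uri):
    """Same check for mailto: only a syntactically valid mailbox reaches kmail."""
    parts = urlsplit(uri)
    if parts.scheme != "mailto":
        raise UnsafeUriError("not a mailto URI")
    mailbox = parts.path                 # query (?subject=...) is deliberately ignored
    if not _MAILBOX_RE.match(mailbox):
        raise UnsafeUriError("invalid mailbox: %r" % mailbox)
    return ["kmail", mailbox]


def uri_is_safe(uri):
    """True when the hardened builders accept the URI, False when they reject it."""
    builder = telnet_argv_hardened if uri.startswith("telnet:") else mailto_argv_hardened
    try:
        builder(uri)
    except UnsafeUriError:
        return False
    return True
```

Where the invoked program's option parser honours `--` as end-of-options,
placing it before the host adds a second layer, but validation before exec is
the layer that does not depend on the callee's parser, and it is the one a
backported handler fix can apply uniformly to every protocol file.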

iDEFENSE identified a vulnerability in the Opera web browser that could allow
remote attackers to create or truncate arbitrary files. The KDE team has found
two similar vulnerabilities that also exist in KDE.

A flaw in the telnet URI handler may allow options to be passed to the telnet
program, resulting in creation or replacement of files. An attacker could
create a carefully crafted link such that when opened by a victim it creates
or overwrites a file with the victim's permissions.

A flaw in the mailto URI handler may allow options to be passed to the kmail
program. These options could cause kmail to write to the file system or to
run on a remote X display. An attacker could create a carefully crafted link
in such a way that access may be obtained to run arbitrary code as the
victim.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2004-0411 to these issues.

Note: Red Hat Enterprise Linux 2.1 is only vulnerable to the mailto URI flaw
as a previous update shipped without a telnet.protocol file.

All users of KDE are advised to upgrade to these erratum packages, which
contain a backported patch for these issues.

Updated packages:

Red Hat Desktop (v. 3)
--------------------------------------------------------------------------------
AMD64:
kdelibs-3.1.3-6.4.x86_64.rpm                    7561fc225c179a046e7a2fbe85e56123
kdelibs-devel-3.1.3-6.4.x86_64.rpm              2d9da6a96c40c2d0956ed5692860b2ca
SRPMS:
kdelibs-3.1.3-6.4.src.rpm                       5a8bcb4feb3e4fa9a2cc646eb6321c83
i386:
kdelibs-3.1.3-6.4.i386.rpm                      710fb1f4089e86101e95292564625387
kdelibs-devel-3.1.3-6.4.i386.rpm                5a7c254d028fa2ec3a3e4bf1cc7ee989

Red Hat Enterprise Linux AS (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
kdelibs-2.2.2-11.src.rpm                        e4f2075b6f80f7dc855d786816634e44
i386:
arts-2.2.2-11.i386.rpm                          240c6505acec2356220b76477de9cfe9
kdelibs-2.2.2-11.i386.rpm                       c7d1747dea5001e2de47ed6a278def66
kdelibs-devel-2.2.2-11.i386.rpm                 f0c464c5cbca39beada246396d90adc8
kdelibs-sound-2.2.2-11.i386.rpm                 24767eda2c7bc7c3dedec88ab1cef637
kdelibs-sound-devel-2.2.2-11.i386.rpm           305b3988acb971e46d0cfc76d41efbdf
ia64:
arts-2.2.2-11.ia64.rpm                          45647631fb31fccd8de357dfb7285a69
kdelibs-2.2.2-11.ia64.rpm                       aadc9d79bddbaac5e8c0adf287b06405
kdelibs-devel-2.2.2-11.ia64.rpm                 54546bdd2f2d9849119533ca1bb0cfcf
kdelibs-sound-2.2.2-11.ia64.rpm                 a6a516b72e2666a246c657868b31cdc4
kdelibs-sound-devel-2.2.2-11.ia64.rpm           7e65d97bf1f95241d21a7f2bd853d5ec

Red Hat Enterprise Linux AS (v. 3)
--------------------------------------------------------------------------------
AMD64:
kdelibs-3.1.3-6.4.x86_64.rpm                    7561fc225c179a046e7a2fbe85e56123
kdelibs-devel-3.1.3-6.4.x86_64.rpm              2d9da6a96c40c2d0956ed5692860b2ca
SRPMS:
kdelibs-3.1.3-6.4.src.rpm                       5a8bcb4feb3e4fa9a2cc646eb6321c83
i386:
kdelibs-3.1.3-6.4.i386.rpm                      710fb1f4089e86101e95292564625387
kdelibs-devel-3.1.3-6.4.i386.rpm                5a7c254d028fa2ec3a3e4bf1cc7ee989
ia64:
kdelibs-3.1.3-6.4.ia64.rpm                      438ef0cd01e512e1822eb819cde5f405
kdelibs-devel-3.1.3-6.4.ia64.rpm                57ba2bdf60aa052d1fb0ca4df4295580
ppc:
kdelibs-3.1.3-6.4.ppc.rpm                       6b9095e86b9698606d1def4b24c1c7af
kdelibs-devel-3.1.3-6.4.ppc.rpm                 beb3ebde3ba83c40d5991b3d57e0434b
s390:
kdelibs-3.1.3-6.4.s390.rpm                      d43e989c92cf19ff5cf5ea84f13937f1
kdelibs-devel-3.1.3-6.4.s390.rpm                38e2c6995f70cecec99e2460d76aeb30
s390x:
kdelibs-3.1.3-6.4.s390x.rpm                     0abe3254d8fcd1f55bd6dea9bb32b4f1
kdelibs-devel-3.1.3-6.4.s390x.rpm               7d45ff3567e12259f58f1a082d5a4ad4

Red Hat Enterprise Linux ES (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
kdelibs-2.2.2-11.src.rpm                        e4f2075b6f80f7dc855d786816634e44
i386:
arts-2.2.2-11.i386.rpm                          240c6505acec2356220b76477de9cfe9
kdelibs-2.2.2-11.i386.rpm                       c7d1747dea5001e2de47ed6a278def66
kdelibs-devel-2.2.2-11.i386.rpm                 f0c464c5cbca39beada246396d90adc8
kdelibs-sound-2.2.2-11.i386.rpm                 24767eda2c7bc7c3dedec88ab1cef637
kdelibs-sound-devel-2.2.2-11.i386.rpm           305b3988acb971e46d0cfc76d41efbdf

Red Hat Enterprise Linux ES (v. 3)
--------------------------------------------------------------------------------
AMD64:
kdelibs-3.1.3-6.4.x86_64.rpm                    7561fc225c179a046e7a2fbe85e56123
kdelibs-devel-3.1.3-6.4.x86_64.rpm              2d9da6a96c40c2d0956ed5692860b2ca
SRPMS:
kdelibs-3.1.3-6.4.src.rpm                       5a8bcb4feb3e4fa9a2cc646eb6321c83
i386:
kdelibs-3.1.3-6.4.i386.rpm                      710fb1f4089e86101e95292564625387
kdelibs-devel-3.1.3-6.4.i386.rpm                5a7c254d028fa2ec3a3e4bf1cc7ee989
ia64:
kdelibs-3.1.3-6.4.ia64.rpm                      438ef0cd01e512e1822eb819cde5f405
kdelibs-devel-3.1.3-6.4.ia64.rpm                57ba2bdf60aa052d1fb0ca4df4295580

Red Hat Enterprise Linux WS (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
kdelibs-2.2.2-11.src.rpm                        e4f2075b6f80f7dc855d786816634e44
i386:
arts-2.2.2-11.i386.rpm                          240c6505acec2356220b76477de9cfe9
kdelibs-2.2.2-11.i386.rpm                       c7d1747dea5001e2de47ed6a278def66
kdelibs-devel-2.2.2-11.i386.rpm                 f0c464c5cbca39beada246396d90adc8
kdelibs-sound-2.2.2-11.i386.rpm                 24767eda2c7bc7c3dedec88ab1cef637
kdelibs-sound-devel-2.2.2-11.i386.rpm           305b3988acb971e46d0cfc76d41efbdf

Red Hat Enterprise Linux WS (v. 3)
--------------------------------------------------------------------------------
AMD64:
kdelibs-3.1.3-6.4.x86_64.rpm                    7561fc225c179a046e7a2fbe85e56123
kdelibs-devel-3.1.3-6.4.x86_64.rpm              2d9da6a96c40c2d0956ed5692860b2ca
SRPMS:
kdelibs-3.1.3-6.4.src.rpm                       5a8bcb4feb3e4fa9a2cc646eb6321c83
i386:
kdelibs-3.1.3-6.4.i386.rpm                      710fb1f4089e86101e95292564625387
kdelibs-devel-3.1.3-6.4.i386.rpm                5a7c254d028fa2ec3a3e4bf1cc7ee989
ia64:
kdelibs-3.1.3-6.4.ia64.rpm                      438ef0cd01e512e1822eb819cde5f405
kdelibs-devel-3.1.3-6.4.ia64.rpm                57ba2bdf60aa052d1fb0ca4df4295580

Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
--------------------------------------------------------------------------------
SRPMS:
kdelibs-2.2.2-11.src.rpm                        e4f2075b6f80f7dc855d786816634e44
ia64:
arts-2.2.2-11.ia64.rpm                          45647631fb31fccd8de357dfb7285a69
kdelibs-2.2.2-11.ia64.rpm                       aadc9d79bddbaac5e8c0adf287b06405
kdelibs-devel-2.2.2-11.ia64.rpm                 54546bdd2f2d9849119533ca1bb0cfcf
kdelibs-sound-2.2.2-11.ia64.rpm                 a6a516b72e2666a246c657868b31cdc4
kdelibs-sound-devel-2.2.2-11.ia64.rpm           7e65d97bf1f95241d21a7f2bd853d5ec

(The unlinked packages above are only available from the Red Hat Network)

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs
which are currently installed will be updated. Those RPMs which are not
installed but included in the list will not be updated. Note that you can
also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

    up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
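The package list above pairs every RPM with its MD5 checksum, and the point of
publishing those values is that a downloaded file can be checked against them
before it is handed to rpm -Fvh, so a truncated or substituted download is
caught rather than installed. The following Python is an added example and is
not part of the Red Hat or CIAC text. It parses advisory-style "filename
checksum" lines (the excerpt is copied from the WS v. 3 i386 section above)
and classifies the files in a directory as ok, mismatch or missing. The demo()
scenario uses constructed placeholder bytes and computes its manifest hashes
from them, so those digests are not the real package hashes; all function
names are hypothetical.

```python
import hashlib
import os
import re
import tempfile

# Excerpt copied from the advisory's package list (filename, then MD5).
ADVISORY_EXCERPT = """\
Red Hat Enterprise Linux WS (v. 3)
--------------------------------------------------------------------------------
i386:
kdelibs-3.1.3-6.4.i386.rpm                      710fb1f4089e86101e95292564625387
kdelibs-devel-3.1.3-6.4.i386.rpm                5a7c254d028fa2ec3a3e4bf1cc7ee989
"""

# One manifest entry: an .rpm filename, whitespace, a 32-hex-digit MD5.
_MANIFEST_LINE = re.compile(r"^(\S+\.rpm)\s+([0-9a-f]{32})$")


def parse_manifest(text):
    """Map package filename -> expected MD5; headings and rules are ignored."""
    expected = {}
    for line in text.splitlines():
        m = _MANIFEST_LINE.match(line.strip())
        if m:
            expected[m.group(1)] = m.group(2)
    return expected


def md5_of_file(path):
    """Stream the file so large RPMs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_directory(directory, expected):
    """Classify each manifest entry as 'ok', 'mismatch' or 'missing'.

    Only files reported 'ok' should be passed to rpm -Fvh.
    """
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif md5_of_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo():
    """Constructed scenario: one intact file, one altered file, one never downloaded.

    The manifest is built from constructed placeholder bytes, so its digests
    differ from the hashes in the advisory.
    """
    good = b"constructed placeholder for an intact package\n"
    published = b"constructed placeholder for the published package\n"
    manifest = "\n".join([
        "kdelibs-3.1.3-6.4.i386.rpm %s" % hashlib.md5(good).hexdigest(),
        "kdelibs-devel-3.1.3-6.4.i386.rpm %s" % hashlib.md5(published).hexdigest(),
        "kdelibs-3.1.3-6.4.src.rpm %s" % hashlib.md5(b"never downloaded\n").hexdigest(),
    ])
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "kdelibs-3.1.3-6.4.i386.rpm"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "kdelibs-devel-3.1.3-6.4.i386.rpm"), "wb") as f:
            f.write(b"constructed bytes that differ from the published package\n")
        return verify_directory(d, parse_manifest(manifest))


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-40s %s" % (name, status))
```

An advisory checksum mainly guards against corrupted or swapped downloads;
MD5 is not collision resistant, so the stronger control on a Red Hat system is
the GPG signature check that rpm itself performs (rpm -K on the downloaded
files), with the published checksums as a quick cross-check against the
advisory text.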

If up2date fails to connect to Red Hat Network due to SSL Certificate Errors,
you need to install a version of the up2date client with an updated
certificate. The latest version of up2date is available from the Red Hat FTP
site and may also be downloaded directly from the RHN website:

    https://rhn.redhat.com/help/latest-up2date.pxt

Bugs fixed: (see bugzilla for more information)

123232 - CAN-2004-0411 URI filtering vulnerability

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0411
http://www.kde.org/info/security/advisory-20040517-1.txt

[***** End Red Hat Security Advisory (RHSA-2004:222-11) *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-136: HP Web JetAdmin Vulnerabilities
O-137: SGI IRIX Networking Security Vulnerabilities
O-138: Mac OS X Jaguar and Panther Security Vulnerabilities
O-139: Apple Mac OS X AppleFileServer Authentication Vulnerability
O-140: Microsoft HCP Protocol URL Validation Vulnerability
O-141: Symantec Client Firewall Remote Access Vulnerabilities
O-142: Hewlett Packard HP-UX dtlogin Vulnerability
O-143: Gnome Toolkit (GTK+) Support Libraries Vulnerability
O-144: Sun ypserv and ypxfrd Vulnerabilities
O-145: Red Hat Updated Kernel Packages for Enterprise Linux 3