Problem Description
A vulnerability in dcopserver was discovered by Sebastian Krahmer of
the SUSE security team. A local user can lock up the dcopserver of
other users on the same machine by stalling the DCOP authentication
process, causing a local Denial of Service. dcopserver is the KDE
Desktop Communication Protocol daemon (CAN-2005-0396).
As well, the IDN (International Domain Names) support in Konqueror is
vulnerable to a phishing technique known as a Homograph attack. This
attack is made possible due to IDN allowing a website to use a wide
range of international characters that have a strong resemblance to
other characters. This can be used to trick users into thinking they
are on a different trusted site when they are in fact on a site mocked
up to look legitimate using these other characters, known as
homographs. This can be used to trick users into providing personal
information to a site they think is trusted (CAN-2005-0237).
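The following Python script is an added illustration for the homograph issue above; it is not part of this advisory or of KDE's Konqueror fix. It shows two defender-side checks: flagging a DNS label that mixes letters from more than one script (a Latin word with one Cyrillic letter swapped in), and rendering the name in its ASCII "xn--" punycode form, which is what the resolver sees and which a browser can display instead of the look-alike glyphs. The hostnames are constructed for the demo (based on the reserved example.com), and the script-detection helper is an approximation built on Unicode character names rather than a full Unicode script database.

```python
import unicodedata

# Scripts treated as neutral; they may appear in a label of any script.
COMMON = {"Common"}


def script_of(ch: str) -> str:
    """Approximate the Unicode script of one character from its name.
    Digits, hyphen and full stop are treated as neutral ('Common')."""
    if ch.isdigit() or ch in "-.":
        return "Common"
    name = unicodedata.name(ch, "")
    if not name:
        return "Unknown"
    # Character names begin with the script, e.g. "CYRILLIC SMALL LETTER A".
    return name.split(" ", 1)[0].title()


def label_scripts(label: str) -> set:
    """Return the set of non-neutral scripts used in one DNS label."""
    return {script_of(ch) for ch in label} - COMMON


def mixed_scripts(label: str) -> bool:
    """True if a single label mixes letters from more than one script."""
    return len(label_scripts(label)) > 1


def to_punycode(host: str) -> str:
    """Render a hostname in its ASCII (xn--) form using Python's idna codec."""
    return host.encode("idna").decode("ascii")


def assess(host: str) -> dict:
    """Heuristic assessment: flag mixed-script labels and always
    report the punycode form so a UI can show it alongside the glyphs."""
    labels = host.split(".")
    flagged = [lbl for lbl in labels if mixed_scripts(lbl)]
    return {
        "host": host,
        "punycode": to_punycode(host),
        "mixed_script_labels": flagged,
        "suspicious": bool(flagged),
    }


if __name__ == "__main__":
    # Constructed sample hostnames: plain ASCII, a Latin word with a
    # Cyrillic 'a' (U+0430) substituted, and an all-Cyrillic label.
    for sample in ("example.com", "ex\u0430mple.com", "\u043f\u0440\u0438\u043c\u0435\u0440.com"):
        print(assess(sample))
```

Mixed-script detection catches the most common homograph pattern but not a label written entirely in a confusable script, so showing the punycode form (or restricting IDN display to known-safe zones) remains the more robust mitigation; a pure single-script non-Latin name is legitimate and is deliberately not flagged here.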
Finally, it was found that the dcopidlng script was vulnerable to
symlink attacks, potentially allowing a local user to overwrite
arbitrary files of a user when the script is run on behalf of that
user. However, this script is only used as part of the build process
of KDE itself and may also be used by the build processes of third-
party KDE applications (CAN-2005-0365).
The updated packages are patched to deal with these issues and
Mandrakesoft encourages all users to upgrade immediately.
Updated Packages

Mandrakelinux 10.0
6c24906717a7a75fb7c0c7b0267bdca6 10.0/RPMS/kdelibs-common-3.2-36.12.100mdk.i586.rpm
e0cb970bc7efeb6ba447c6cd92398f4b 10.0/RPMS/libkdecore4-3.2-36.12.100mdk.i586.rpm
046bd58e4261238bb8857d3bdd5e09e7 10.0/RPMS/libkdecore4-devel-3.2-36.12.100mdk.i586.rpm
113483436cc05765978f497ba70c300a 10.0/SRPMS/kdelibs-3.2-36.12.100mdk.src.rpm

Mandrakelinux 10.0/AMD64
23bd80fb1b6e29ac30abf8ca030f02ce amd64/10.0/RPMS/kdelibs-common-3.2-36.12.100mdk.amd64.rpm
f0ed5a6cc839264cb1cf3d6a83a4881a amd64/10.0/RPMS/lib64kdecore4-3.2-36.12.100mdk.amd64.rpm
a1985658ba14f572ba759482debcef14 amd64/10.0/RPMS/lib64kdecore4-devel-3.2-36.12.100mdk.amd64.rpm
113483436cc05765978f497ba70c300a amd64/10.0/SRPMS/kdelibs-3.2-36.12.100mdk.src.rpm

Mandrakelinux 10.1
ec7b57ea845f6c7ab01c8ee67b14b473 10.1/RPMS/kdelibs-common-3.2.3-104.2.101mdk.i586.rpm
9e900e767495f30a02453974855b0497 10.1/RPMS/libkdecore4-3.2.3-104.2.101mdk.i586.rpm
036ba66a047006933c33bc397d9503ee 10.1/RPMS/libkdecore4-devel-3.2.3-104.2.101mdk.i586.rpm
468a28ffcb57e01535ba35fb633f4ee5 10.1/SRPMS/kdelibs-3.2.3-104.2.101mdk.src.rpm

Mandrakelinux 10.1/X86_64
2f0b1d547f7b8f0234606092b3ea2bd4 x86_64/10.1/RPMS/kdelibs-common-3.2.3-104.2.101mdk.x86_64.rpm
96cc9a12ab7c247f2c7c0c478fd3c772 x86_64/10.1/RPMS/lib64kdecore4-3.2.3-104.2.101mdk.x86_64.rpm
cbe167d1624f0a1821de6af47b734771 x86_64/10.1/RPMS/lib64kdecore4-devel-3.2.3-104.2.101mdk.x86_64.rpm
9e900e767495f30a02453974855b0497 x86_64/10.1/RPMS/libkdecore4-3.2.3-104.2.101mdk.i586.rpm
468a28ffcb57e01535ba35fb633f4ee5 x86_64/10.1/SRPMS/kdelibs-3.2.3-104.2.101mdk.src.rpm

Corporate Server 3.0
21a462267a1e459b2fe234338667d3c5 corporate/3.0/RPMS/kdelibs-common-3.2-36.12.C30mdk.i586.rpm
221807f377f57439960bdcdfa4ea4a5c corporate/3.0/RPMS/libkdecore4-3.2-36.12.C30mdk.i586.rpm
b6b4538be00036dca0b983aa55061fb8 corporate/3.0/RPMS/libkdecore4-devel-3.2-36.12.C30mdk.i586.rpm
f8bb656cb23100dae5da6c7024f89277 corporate/3.0/SRPMS/kdelibs-3.2-36.12.C30mdk.src.rpm

Corporate Server 3.0/X86_64
d42efc7c072d78794750742a0ffa8808 x86_64/corporate/3.0/RPMS/kdelibs-common-3.2-36.12.C30mdk.x86_64.rpm
ed57b05ddc173abc8271516abd47e289 x86_64/corporate/3.0/RPMS/lib64kdecore4-3.2-36.12.C30mdk.x86_64.rpm
99bd9de3205bf4e728987b1267382174 x86_64/corporate/3.0/RPMS/lib64kdecore4-devel-3.2-36.12.C30mdk.x86_64.rpm
f8bb656cb23100dae5da6c7024f89277 x86_64/corporate/3.0/SRPMS/kdelibs-3.2-36.12.C30mdk.src.rpm
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0365
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0396
http://www.kde.org/info/security/advisory-20050316-1.txt
http://www.kde.org/info/security/advisory-20050316-2.txt
http://www.kde.org/info/security/advisory-20050316-3.txt
Upgrade
To upgrade automatically, use MandrivaUpdate.
Verification
Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:
rpm --checksig package.rpm
You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.
If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.
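As an added example (not a Mandriva tool, and not part of this advisory), the Python script below performs the manual half of the verification described above: it parses an "md5sum path" manifest in the same format as the Updated Packages list, hashes each downloaded file and reports OK, FAILED or MISSING, and wraps the advisory's `rpm --checksig` call for the GPG step. The sample manifest is constructed for the demo (its digest is the MD5 of an empty file, so the check runs offline); the package path in it is a placeholder, not one of the advisory's packages.

```python
import hashlib
import subprocess

# Constructed sample manifest in the advisory's "md5sum path" format.
# The digest is the MD5 of an empty file; the path is a placeholder.
SAMPLE_MANIFEST = "d41d8cd98f00b204e9800998ecf8427e 10.0/RPMS/placeholder-package.i586.rpm\n"

HEX = set("0123456789abcdef")


def parse_manifest(text: str):
    """Yield (md5, path) pairs from advisory-style text.
    Advisories often print several pairs on one line, so tokens are
    paired by position rather than assuming one pair per line."""
    tokens = text.split()
    if len(tokens) % 2:
        raise ValueError("manifest has an unpaired token")
    for i in range(0, len(tokens), 2):
        digest, path = tokens[i].lower(), tokens[i + 1]
        if len(digest) != 32 or set(digest) - HEX:
            raise ValueError(f"bad MD5 digest: {tokens[i]}")
        yield digest, path


def _read_file(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def verify_manifest(text: str, reader=_read_file):
    """Return a list of (path, status) with status OK, FAILED or MISSING.
    `reader` is injectable so the check can be exercised on constructed data."""
    results = []
    for expected, path in parse_manifest(text):
        try:
            actual = hashlib.md5(reader(path)).hexdigest()
        except FileNotFoundError:
            results.append((path, "MISSING"))
            continue
        results.append((path, "OK" if actual == expected else "FAILED"))
    return results


def rpm_checksig(path: str) -> bool:
    """Run the advisory's `rpm --checksig` on a downloaded package.
    Requires rpm and the imported Mandriva Security Team public key;
    not exercised by the offline demo."""
    proc = subprocess.run(["rpm", "--checksig", path], capture_output=True)
    return proc.returncode == 0


if __name__ == "__main__":
    # Offline demo: feed the sample manifest an empty file in place of the RPM.
    for path, status in verify_manifest(SAMPLE_MANIFEST, reader=lambda p: b""):
        print(f"{status:8s} {path}")
```

The MD5 list only proves the download matches what the advisory published; MD5 is not collision-resistant, so treat the GPG signature check (`rpm --checksig`, or the automatic check in MandrivaUpdate) as the authoritative integrity test and the checksum as a transfer-error check.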