=====================================================================
                                  CERT-Renater

                       Information Note No. 2004/VULN550
_____________________________________________________________________

DATE                      : 20/12/2004

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running KDE.

======================================================================

  _______________________________________________________________________

                  Mandrakelinux Security Update Advisory
  _______________________________________________________________________

  Package name:           kdelibs
  Advisory ID:            MDKSA-2004:150
  Date:                   December 15th, 2004

  Affected versions:      10.0, 10.1
  ______________________________________________________________________

  Problem Description:

  Daniel Fabian discovered a potential privacy issue in KDE.  When
  creating a link to a remote file from various applications, including
  Konqueror, the resulting URL may contain the authentication
  credentials used to access that remote resource.  This includes, but
  is not limited to, browsing SMB (Samba) shares.  Upon further
  investigation, it was found that the SMB protocol handler also
  unnecessarily exposed authentication credentials (CAN-2004-1171).
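
  The check below is an added example, not code from the advisory or from
  KDE: it finds link entries whose URL embeds a password and rewrites them
  without it. It assumes links are stored as desktop-entry text with a URL=
  key; the sample file, user, password and host are constructed.

```python
# Added example (not from the advisory): find and redact passwords in link URLs.
from urllib.parse import urlsplit

# Constructed sample link file; user, password and host are made up.
SAMPLE_LINK = """[Desktop Entry]
Type=Link
Name=report.doc
URL=smb://alice:s3cret@fileserver/share/report.doc
"""


def redact_userinfo(url):
    """Return (url_without_password, leaked). The user name is kept."""
    parts = urlsplit(url)
    if parts.password is None:          # no "user:password@" component
        return url, False
    # Split on the last "@" so a password containing "@" is removed whole.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user = userinfo.split(":", 1)[0]
    netloc = f"{user}@{hostport}" if user else hostport
    return parts._replace(netloc=netloc).geturl(), True


def audit_link_file(text):
    """Return (findings, cleaned_text); findings are (line_no, redacted_url)."""
    findings, out = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        key, sep, value = line.partition("=")
        # Accept "URL" and suffixed forms such as "URL[$e]" (assumed key names).
        if sep and key.strip().split("[")[0] == "URL":
            clean, leaked = redact_userinfo(value.strip())
            if leaked:
                findings.append((line_no, clean))
                line = f"{key}={clean}"
        out.append(line)
    return findings, "\n".join(out) + "\n"


if __name__ == "__main__":
    hits, cleaned = audit_link_file(SAMPLE_LINK)
    for line_no, url in hits:
        print(f"line {line_no}: password removed -> {url}")
    print(cleaned, end="")
```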

  Another vulnerability was discovered where a malicious website could
  abuse Konqueror to load its own content into a window or tab that was
  opened by a trusted website, or it could trick a trusted website into
  loading content into an existing window or tab.  This could lead to
  the user being confused as to the origin of a particular webpage and
  could have the user unknowingly send confidential information intended
  for a trusted site to the malicious site (CAN-2004-1158).

  The updated packages contain a patch from the KDE team to solve this
  issue.

  Additionally, the kdelibs and kdebase packages for Mandrakelinux 10.1
  contain numerous bugfixes.  New qt3 packages are being provided for
  Mandrakelinux 10.0 that are required to build the kdebase package.
  _______________________________________________________________________

  References:

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1158
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1171
   http://www.kde.org/info/security/advisory-20041209-1.txt
   http://www.kde.org/info/security/advisory-20040811-3.txt
  ______________________________________________________________________

  Updated Packages:

  Mandrakelinux 10.0:

  Mandrakelinux 10.0/AMD64:

  Mandrakelinux 10.1:

  Mandrakelinux 10.1/X86_64:
  _______________________________________________________________________

  To upgrade automatically use MandrakeUpdate or urpmi.  The verification
  of md5 checksums and GPG signatures is performed automatically for you.

  All packages are signed by Mandrakesoft for security.  You can obtain
  the GPG public key of the Mandrakelinux Security Team by executing:

   gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

  You can view other update advisories for Mandrakelinux at:

   http://www.mandrakesoft.com/security/advisories

  If you want to report vulnerabilities, please contact

   security_linux-mandrake.com

  Type Bits/KeyID     Date       User ID
  pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
   <security linux-mandrake.com>

======================================================================

         =========================================================
         CERT-Renater reference servers
         http://www.urec.fr/securite
         http://www.cru.fr/securite
         http://www.renater.fr
         =========================================================
         + CERT-RENATER          | tel : 01-53-94-20-44          +
         + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
         + 75013 Paris           | email: certsvp@renater.fr     +
         =========================================================






