KDE

[oCERT-2009-015] KDE multiple issues

#2009-015 KDE multiple issues

Description:

KDE, an open source desktop environment, suffers from several bugs that
pose a security risk.

The oCERT team was contacted by Portcullis Security requesting help in
handling a series of issues reported to the KDE project back in July 2007.

KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution)

[ KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

Secunia Research: KDE KGet Insecure File Operation Vulnerability

====================================================================== 

                     Secunia Research 13/05/2010

         - KDE KGet Insecure File Operation Vulnerability -

====================================================================== 
Table of Contents

Affected Software

Secunia Research: KDE KGet metalink "name" Directory Traversal Vulnerability

====================================================================== 

                     Secunia Research 13/05/2010

   - KDE KGet metalink "name" Directory Traversal Vulnerability -

====================================================================== 
Table of Contents

Affected Software

[BuHa-Security] DoS Vulnerability in Konqueror 3.5.7

 ---------------------------------------------------
| BuHa Security-Advisory #16    |    Aug 01st, 2007 |
 ---------------------------------------------------
| Vendor   | KDE's Konqueror                        |
| URL      | http://www.konqueror.org/              |
| Version  | <= 3.5.7                               |
| Risk     | Low (Denial Of Service)                |
 ---------------------------------------------------


[USN-871-2] KDE 4 vulnerabilities

===========================================================
Ubuntu Security Notice USN-871-2          December 11, 2009
kde4libs vulnerabilities
https://launchpad.net/bugs/495301
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.10
Ubuntu 9.04

[ GLSA 200711-22 ] Poppler, KDE: User-assisted execution of arbitrary code

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Poppler, KDE: User-assisted execution of arbitrary code
      Date: November 18, 2007
      Bugs: #196735, #198409
        ID: 200711-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

[ MDVSA-2010:027 ] kdelibs4

 Mandriva Linux Security Advisory                         MDVSA-2010:027
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : kdelibs4
 Date    : January 27, 2010
 Affected: 2009.1
 _______________________________________________________________________

 Problem Description:

[ GLSA 200710-08 ] KOffice, KWord, KPDF, KDE Graphics Libraries: Stack-based buffer overflow

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: KOffice, KWord, KPDF, KDE Graphics Libraries: Stack-based
            buffer overflow
      Date: October 09, 2007
      Bugs: #187139
        ID: 200710-08


SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution)

--- 0. Description ---
The SeaMonkey project is a community effort to develop the SeaMonkey all-in-one internet application suite (see below). Such a software suite was previously made popular by Netscape and Mozilla, and the SeaMonkey project continues to develop and deliver high-quality updates to this concept. Containing an Internet browser, email & newsgroup client with an included web feed reader, HTML editor, IRC chat and web development tools, SeaMonkey is sure to appeal to advanced users, web developers and corporate users.


--- 1. SeaMonkey 1.1.18 Remote Array Overrun (Arbitrary code execution) ---
The main problem exists in the dtoa implementation. SeaMonkey has the same dtoa as KDE, Opera and all BSD systems. This issue has been fixed in Firefox 3.5.4 and the fix

http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&file=jsdtoa.c&branch=&root=/cvsroot&subdir=mozilla/js/src&command=DIFF_FRAMESET&rev1=3.41&rev2=3.42

has been used to patch SeaMonkey 2.0.


[ MDVSA-2009:330 ] kdelibs

 Mandriva Linux Security Advisory                         MDVSA-2009:330
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : kdelibs
 Date    : December 10, 2009
 Affected: Corporate 4.0
 _______________________________________________________________________

 Problem Description:

[ MDVSA-2009:346 ] kde

 Mandriva Linux Security Advisory                         MDVSA-2009:346
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : kde
 Date    : December 29, 2009
 Affected: 2008.0
 _______________________________________________________________________

 Problem Description:

K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution)

--- 0. Description ---
K-Meleon is an extremely fast, customizable, lightweight web browser based on the Gecko layout engine developed by Mozilla which is also used by Firefox. K-Meleon is free, open source software released under the GNU General Public License and is designed specifically for Microsoft Windows (Win32) operating systems.


--- 1. K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ---
The main problem exists in the dtoa implementation. K-Meleon has the same dtoa as KDE, Opera and all BSD systems. This issue has been fixed in Firefox 3.5.4 and fix

http://securityreason.com/achievement_securityalert/63

but fix for SREASONRES:20090625, used by openbsd was not good. 
More information about fix for openbsd and similars SREASONRES:20091030, 

[ MDKSA-2007:157 ] - Updated kdelibs packages fix cross-site scripting (XSS) vulnerabilities

 
 Mandriva Linux Security Advisory                         MDKSA-2007:157
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : kdelibs
 Date    : August 10, 2007
 Affected: 2007.1
 _______________________________________________________________________
 
 Problem Description:

[ GLSA 200710-28 ] Qt: Buffer overflow

resulting in the execution of arbitrary code.

Background
==========

Qt is a cross-platform GUI framework, which is used e.g. by KDE.

Affected packages
=================

    -------------------------------------------------------------------

[ GLSA 200804-30 ] KDE start_kdeinit: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                             http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   Severity: High
      Title: KDE start_kdeinit: Multiple vulnerabilities
       Date: April 29, 2008
       Bugs: #218933
         ID: 200804-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

[ MDVSA-2010:028 ] kdelibs4

 Mandriva Linux Security Advisory                         MDVSA-2010:028
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : kdelibs4
 Date    : January 27, 2010
 Affected: 2010.0
 _______________________________________________________________________

 Problem Description:

Opera 10.01 Remote Array Overrun (Arbitrary code execution)

- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- KDE (example: konqueror)
- Opera
- K-Meleon

This list is not yet closed. US-CERT declared that it would inform all vendors about this issue; however, they did not do it. Even greater confusion was caused by the new CVE number "CVE-2009-1563". Secunia has reported that this vulnerability was only detected in Mozilla Firefox, but nobody was aware that the problem affects other products like (KDE, Chrome) and that it is based on "CVE-2009-0689". After some time Mozilla Foundation Security Advisory
("http://www.mozilla.org/security/announce/2009/mfsa2009-59.html")

[USN-871-1] KDE vulnerability

===========================================================
Ubuntu Security Notice USN-871-1          December 11, 2009
kdelibs vulnerability
CVE-2009-0689
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10

[SECURITY] [DSA 1509-1] New koffice packages fix multiple vulnerabilities

Debian-specific: no
CVE Id(s)      : CVE-2007-4352 CVE-2007-5392 CVE-2007-5393
Debian Bug     : 450631

Several vulnerabilities have been discovered in xpdf code that is
embedded in koffice, an integrated office suite for KDE.  These flaws
could allow an attacker to execute arbitrary code by inducing the user
to import a specially crafted PDF document.

The Common Vulnerabilities and Exposures project identifies the
following problems:

[ GLSA 200708-16 ] Qt: Multiple format string vulnerabilities

of arbitrary code in some Qt applications.

Background
==========

Qt is a cross-platform GUI framework, which is used e.g. by KDE.

Affected packages
=================

    -------------------------------------------------------------------

[ MDKSA-2007:176 ] - Updated kdebase and kdelibs packages fix location bar spoofing issues

 konqueror/konq_combo.cc in Konqueror 3.5.7 allows remote attackers
 to spoof the data: URI scheme in the address bar via a long URI with
 trailing whitespace, which prevents the beginning of the URI from
 being displayed. (CVE-2007-3820)
 
 KDE Konqueror 3.5.7 allows remote attackers to spoof the URL address
 bar by calling setInterval with a small interval and changing the
 window.location property. (CVE-2007-4224)
 
 Visual truncation vulnerability in KDE Konqueror 3.5.7 allows remote
 attackers to spoof the URL address bar via an http URI with a large

[SECURITY] [DSA 1998-1] New kdelibs packages fix arbitrary code execution

Debian Security Advisory DSA-1998-1                  security@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
February 17, 2010                     http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : kdelibs
Vulnerability  : buffer overflow
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2009-0689


[ MDVSA-2008:097 ] - Updated kdelibs packages fix vulnerability in start_kdeinit

 
 Mandriva Linux Security Advisory                         MDVSA-2008:097
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : kdelibs
 Date    : May 6, 2008
 Affected: 2008.0, 2008.1
 _______________________________________________________________________
 
 Problem Description:

[USN-822-1] KDE-Libs vulnerabilities

===========================================================
Ubuntu Security Notice USN-822-1            August 24, 2009
kde4libs, kdelibs vulnerabilities
CVE-2009-0945, CVE-2009-1687, CVE-2009-1690, CVE-2009-1698
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10

rPSA-2008-0086-1 pcre

    
    The pcre library and utilities are not known to be exposed via any
    privileged or remote interfaces within rPath Linux by default, but many
    applications linked to the pcre library are routinely exposed to remote
    or untrusted data; examples include httpd, some PHP applications, and
    various KDE components.

http://wiki.rpath.com/Advisories:rPSA-2008-0086

Copyright 2008 rPath, Inc.
This file is distributed under the terms of the MIT License.

[USN-608-1] KDE vulnerability

=========================================================== 
Ubuntu Security Notice USN-608-1               May 06, 2008
kdelibs vulnerability
CVE-2008-1671
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.04
Ubuntu 7.10

[SECURITY] [DSA 1372-2] New ktorrent packages fix directory traversal

Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2007-1799
Debian Bug     : 432007

It was discovered that ktorrent, a BitTorrent client for KDE, was vulnerable
to a directory traversal bug which potentially allowed remote users to
overwrite arbitrary files.

This updated advisory correctly increases the version number of the
fixed package such that it is installable upon the etch release of Debian.

[ GLSA 200710-15 ] KDM: Local privilege escalation

a local user to gain elevated privileges.

Background
==========

KDM is the Display Manager for the graphical desktop environment KDE.
It is part of the kdebase package.

Affected packages
=================


Re: Konqueror: URL address bar spoofing vulnerabilities

> Tested with Konqueror 3.5.7 on Linux 2.6

Again, it didn't work. My address bar showed "%20@alt.swiecki.net/saft2.html", aligned to the right.
Sure, if you scroll all the way to the left you'll just see www.google.com, but otherwise the
address shown is what I reported above.
Tested with Konqueror 3.5.5, KDE 3.5.5, kernel 2.6.21-r4 (gentoo), 64bit version.


