DESCRIPTION
KDE is a very popular graphical desktop environment available for
GNU/Linux and other operating systems.
In several cases, kde applications call the ghostview program to
handle PS and PDF files in an insecure way (without the
-DPARANOIDSAFER or -SAFER parameters), which may allow attackers to
execute commands using crafted PS/PDF files[1,3]. Since these files
can came from remote or untrusted sources (e-mail, web sites and
network connections), remote attackers can exploit this vulnerability
to execute arbitrary commands in the user's context using such
sources as attack vectors.
The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2003-0204 to this issue[2].
Besides the fix for this vulnerability, the packages include other
minor bugfixes incorporated in the KDE 3.1.2 version[4] and the fixes
for the following problems reported in our bugzilla:
- #8229: Problem to mount a CD-ROM as a normal user[5];
- #8098: KDM default login is broken if KDE is not installed[6];
- #8190: kmplayer is the default player for all multimedia files[7].
* User of Conectiva Linux 7.0 and 8 are also exposed to this
vulnerability and can expect updated packages to be provided soon.
SOLUTION
It is recommended that all KDE users upgrade their packages. Please
note that after the new packages instalation, you must restart KDE in
order to run the new version.
ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM packages upgrades:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- ------------------------------------------------------------------------
-
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- ------------------------------------------------------------------------
-
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- ------------------------------------------------------------------------
-
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com
Hash: SHA1
- ------------------------------------------------------------------------
--
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- ------------------------------------------------------------------------
--
PACKAGE : kde
SUMMARY : PS/PDF file handling vulnerability and other fixes
DATE : 2003-06-30 17:03:00
ID : CLA-2003:668
RELEVANT
RELEASES : 9
- ------------------------------------------------------------------------
-
DESCRIPTION
KDE is a very popular graphical desktop environment available for
GNU/Linux and other operating systems.
In several cases, kde applications call the ghostview program to
handle PS and PDF files in an insecure way (without the
-DPARANOIDSAFER or -SAFER parameters), which may allow attackers to
execute commands using crafted PS/PDF files[1,3]. Since these files
can came from remote or untrusted sources (e-mail, web sites and
network connections), remote attackers can exploit this vulnerability
to execute arbitrary commands in the user's context using such
sources as attack vectors.
The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2003-0204 to this issue[2].
Besides the fix for this vulnerability, the packages include other
minor bugfixes incorporated in the KDE 3.1.2 version[4] and the fixes
for the following problems reported in our bugzilla:
- #8229: Problem to mount a CD-ROM as a normal user[5];
- #8098: KDM default login is broken if KDE is not installed[6];
- #8190: kmplayer is the default player for all multimedia files[7].
* User of Conectiva Linux 7.0 and 8 are also exposed to this
vulnerability and can expect updated packages to be provided soon.
SOLUTION
It is recommended that all KDE users upgrade their packages. Please
note that after the new packages instalation, you must restart KDE in
order to run the new version.
REFERENCES:
1.http://www.kde.org/info/security/advisory-20030409-1.txt
2.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0204
3.http://bugzilla.conectiva.com.br/show_bug.cgi?id=8772
4.http://www.kde.org/announcements/changelogs/changelog3_1_1to3_1_2.php
5.http://bugzilla.conectiva.com.br/show_bug.cgi?id=8229
6.http://bugzilla.conectiva.com.br/show_bug.cgi?id=8098
7.http://bugzilla.conectiva.com.br/show_bug.cgi?id=8190
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-3.1.2-28535U90_2cl.i3
86.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-common-3.1.2-28535U90
_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-core-3.1.2-28535U90_2
cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-devel-3.1.2-28535U90_
2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-devel-static-3.1.2-28
535U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-doc-3.1.2-28535U90_2c
l.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-kappfinder-3.1.2-2853
5U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-kate-3.1.2-28535U90_2
cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-kcontrol-3.1.2-28535U
90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-kcontrol-doc-3.1.2-28
535U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-kdesktop-3.1.2-28535U
90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-khelpcenter-3.1.2-285
35U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-khelpcenter-doc-3.1.2
-28535U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-kicker-3.1.2-28535U90
_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-kicker-doc-3.1.2-2853
5U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-kio-smb-3.1.2-28535U9
0_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-kmenuedit-3.1.2-28535
U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-kmenuedit-doc-3.1.2-2
8535U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-kscreensaver-3.1.2-28
535U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-ksysguard-3.1.2-28535
U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-ksysguard-doc-3.1.2-2
8535U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-ktip-3.1.2-28535U90_2
cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-kwin-3.1.2-28535U90_2
cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-kxkb-3.1.2-28535U90_2
cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-libkonq-3.1.2-28535U9
0_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-nsplugins-3.1.2-28535
U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-sounds-3.1.2-28535U90
_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-themes-3.1.2-28535U90
_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdebase-wallpapers-3.1.2-2853
5U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kde-common-3.1.2-28535U90_2cl
.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-3.1.2-27724U90_1c
l.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-common-3.1.2-2772
4U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-devel-3.1.2-27724
U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-doc-3.1.2-27724U9
0_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-kamera-3.1.2-2772
4U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-kcoloredit-3.1.2-
27724U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-kdvi-3.1.2-27724U
90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-kdvi-doc-3.1.2-27
724U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-kfax-3.1.2-27724U
90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-kghostview-3.1.2-
27724U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-kghostview-doc-3.
1.2-27724U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-kiconedit-3.1.2-2
7724U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-kiconedit-doc-3.1
.2-27724U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-kmrml-3.1.2-27724
U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-kooka-3.1.2-27724
U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-kpaint-3.1.2-2772
4U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-kpaint-doc-3.1.2-
27724U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-kpovmodeler-3.1.2
-27724U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-kruler-3.1.2-2772
4U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-ksnapshot-3.1.2-2
7724U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-ksnapshot-doc-3.1
.2-27724U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-kuickshow-3.1.2-2
7724U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-kview-3.1.2-27724
U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdegraphics-kview-doc-3.1.2-2
7724U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdelibs3-3.1.2-28927U90_1cl.i
386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdelibs3-devel-3.1.2-28927U90
_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdelibs-artsinterface-3.1.2-2
8927U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdelibs-docbook-3.1.2-28927U9
0_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-3.1.2-29986U90_1cl
.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-common-3.1.2-29986
U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-devel-3.1.2-29986U
90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-doc-3.1.2-29986U90
_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-kdict-3.1.2-29986U
90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-kdict-doc-3.1.2-29
986U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-kget-3.1.2-29986U9
0_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-kit-3.1.2-29986U90
_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-kit-doc-3.1.2-2998
6U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-kmail-3.1.2-29986U
90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-kmailcvt-3.1.2-299
86U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-kmail-doc-3.1.2-29
986U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-knewsticker-3.1.2-
29986U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-knewsticker-doc-3.
1.2-29986U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-knode-3.1.2-29986U
90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-knode-doc-3.1.2-29
986U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-korn-3.1.2-29986U9
0_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-korn-doc-3.1.2-299
86U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-krdc-3.1.2-29986U9
0_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-krfb-3.1.2-29986U9
0_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-krfb-doc-3.1.2-299
86U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-ksirc-3.1.2-29986U
90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-ksirc-doc-3.1.2-29
986U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-ktalkd-3.1.2-29986
U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-ktalkd-doc-3.1.2-2
9986U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-lanbrowsing-3.1.2-
29986U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdenetwork-sounds-3.1.2-29986
U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kde-prefs-3.1.2-28916U90_1cl.
i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdm-3.1.2-28535U90_2cl.i386.r
pm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdm-doc-3.1.2-28535U90_2cl.i3
86.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kmplayer-0.7.4a-29104U90_1cl.
i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kmplayer-doc-0.7.4a-29104U90_
1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/konqueror-3.1.2-28535U90_2cl.
i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/konqueror-doc-3.1.2-28535U90_
2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/konsole-3.1.2-28535U90_2cl.i3
86.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/konsole-doc-3.1.2-28535U90_2c
l.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kppp-3.1.2-29986U90_1cl.i386.
rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kppp-doc-3.1.2-29986U90_1cl.i
386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/kdebase-3.1.2-28535U90_2cl.s
rc.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/kdegraphics-3.1.2-27724U90_1
cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/kdelibs3-3.1.2-28927U90_1cl.
src.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/kdenetwork-3.1.2-29986U90_1c
l.src.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/kde-prefs-3.1.2-28916U90_1cl
.src.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/kmplayer-0.7.4a-29104U90_1cl
.src.rpm
ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM packages upgrades:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- ------------------------------------------------------------------------
-
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- ------------------------------------------------------------------------
-
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- ------------------------------------------------------------------------
-
Copyright (c) 2003 Conectiva Inc.
http://www.conectiva.com
- ------------------------------------------------------------------------
-
subscribe: conectiva-updates-subscribe (at) papaleguas.conectiva.com (dot) br [email concealed]
unsubscribe: conectiva-updates-unsubscribe (at) papaleguas.conectiva.com (dot) br [email concealed]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE/AJgO42jd0JmAcZARAqGAAKDNByjt1PE7fZsglYUeQ00tE3jMmgCgus99
UIVsAOIF0rN7+xjv8vUuspE=
=HYhs
-----END PGP SIGNATURE-----
[ reply ]