[Full-Disclosure] MDKSA-2003:049 - Updated kde3 packages fix arbitrary command execution

From: Mandrake Linux Security Team (security@linux-mandrake.com)
Date: 04/17/03

  • Next message: Muhammad Faisal Rauf Danka: "[Full-Disclosure] Fwd: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors"
    From: Mandrake Linux Security Team <security@linux-mandrake.com>
    To: full-disclosure@lists.netsys.com
    Date: 17 Apr 2003 21:02:34 -0000
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ________________________________________________________________________

                    Mandrake Linux Security Update Advisory
    ________________________________________________________________________

    Package name: kde3
    Advisory ID: MDKSA-2003:049
    Date: April 17th, 2003

    Affected versions: 9.0, 9.1, Corporate Server 2.1
    ________________________________________________________________________

    Problem Description:

     A vulnerability was discovered by the KDE team in the way that KDE
     uses Ghostscript for processing PostScript and PDF files. A malicious
     attacker could provide a carefully constructed PDF or PostScript file
     to an end user (via web or mail) that could lead to the execution of
     arbitrary commands as the user viewing the file. The vulnerability
     can be triggered even by the browser generating a directory listing
     with thumbnails.
     
     All users are encouraged to upgrade to these new kdegraphics, kdebase,
     and kdelibs packages that contain patches to correct the problem.
     This issue is corrected upstream in KDE 3.0.5b and KDE 3.1.1a.
    ________________________________________________________________________

    References:
      
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0204
      http://www.kde.org/info/security/advisory-20030409-1.txt
    ________________________________________________________________________

    Updated Packages:
      
     Corporate Server 2.1:
     934ab3303bdfe0fc071f4d7f709ef401 corporate/2.1/RPMS/kdebase-3.0.5a-1.2mdk.i586.rpm
     fa4f76482512c6aaf8289ebe8a160d3a corporate/2.1/RPMS/kdebase-devel-3.0.5a-1.2mdk.i586.rpm
     df43d1eef62d3d4963a270ffafabc09e corporate/2.1/RPMS/kdebase-nsplugins-3.0.5a-1.2mdk.i586.rpm
     29245513bdf280b83b988dd34f6189f6 corporate/2.1/RPMS/kdelibs-3.0.5a-1.2mdk.i586.rpm
     a19b592bdbdf5354de12b59644fa504f corporate/2.1/RPMS/kdelibs-devel-3.0.5a-1.2mdk.i586.rpm
     f9043548de772408dd4c698de088eacc corporate/2.1/RPMS/kdegraphics-3.0.5a-1.2mdk.i586.rpm
     e7b5ec7e373fdd5450b58efebbeece33 corporate/2.1/RPMS/kdegraphics-devel-3.0.5a-1.2mdk.i586.rpm
     250d4699bfe5834fd0e9bc4ffb29cda9 corporate/2.1/SRPMS/kdebase-3.0.5a-1.2mdk.src.rpm
     397970927d3247fc6d492439e5fec3ba corporate/2.1/SRPMS/kdelibs-3.0.5a-1.2mdk.src.rpm
     d765b5a2a03360ebe7c854e8a59bab96 corporate/2.1/SRPMS/kdegraphics-3.0.5a-1.2mdk.src.rpm

     Mandrake Linux 9.0:
     934ab3303bdfe0fc071f4d7f709ef401 9.0/RPMS/kdebase-3.0.5a-1.2mdk.i586.rpm
     fa4f76482512c6aaf8289ebe8a160d3a 9.0/RPMS/kdebase-devel-3.0.5a-1.2mdk.i586.rpm
     df43d1eef62d3d4963a270ffafabc09e 9.0/RPMS/kdebase-nsplugins-3.0.5a-1.2mdk.i586.rpm
     29245513bdf280b83b988dd34f6189f6 9.0/RPMS/kdelibs-3.0.5a-1.2mdk.i586.rpm
     a19b592bdbdf5354de12b59644fa504f 9.0/RPMS/kdelibs-devel-3.0.5a-1.2mdk.i586.rpm
     f9043548de772408dd4c698de088eacc 9.0/RPMS/kdegraphics-3.0.5a-1.2mdk.i586.rpm
     e7b5ec7e373fdd5450b58efebbeece33 9.0/RPMS/kdegraphics-devel-3.0.5a-1.2mdk.i586.rpm
     250d4699bfe5834fd0e9bc4ffb29cda9 9.0/SRPMS/kdebase-3.0.5a-1.2mdk.src.rpm
     397970927d3247fc6d492439e5fec3ba 9.0/SRPMS/kdelibs-3.0.5a-1.2mdk.src.rpm
     d765b5a2a03360ebe7c854e8a59bab96 9.0/SRPMS/kdegraphics-3.0.5a-1.2mdk.src.rpm

     Mandrake Linux 9.1:
     e837efa5296b2aac2aeea66ae9bd78fa 9.1/RPMS/kdebase-3.1-83.1mdk.i586.rpm
     04b1a8b8e8e2df14956f15bf5e839300 9.1/RPMS/kdebase-devel-3.1-83.1mdk.i586.rpm
     535e83dd69ab6b12fd10e4f071e2236d 9.1/RPMS/kdebase-kdm-3.1-83.1mdk.i586.rpm
     2c3e16cc462864687ad6e069a724e9e3 9.1/RPMS/kdebase-nsplugins-3.1-83.1mdk.i586.rpm
     5ff6674a1e5416dbb55427e9ff3ee49d 9.1/RPMS/kdelibs-3.1-58.1mdk.i586.rpm
     57071f2442db26cb09ee698998023796 9.1/RPMS/kdelibs-common-3.1-58.1mdk.i586.rpm
     93bd6dc8ba2d5092a14f1528f7c9fb12 9.1/RPMS/kdelibs-devel-3.1-58.1mdk.i586.rpm
     10e3d6b17eeea31db72e96fc3e67e19e 9.1/RPMS/kdelibs-static-devel-3.1-58.1mdk.i586.rpm
     cf66a123564521716eb88cc62e89adc8 9.1/RPMS/kdegraphics-3.1-9.1mdk.i586.rpm
     be94af8460bc232199523b0f85db4978 9.1/RPMS/kdegraphics-devel-3.1-9.1mdk.i586.rpm
     32e95d6c0c859136f1be0e1d3af951c3 9.1/SRPMS/kdebase-3.1-83.1mdk.src.rpm
     3a6411fc388f14809ab92e0c34ee4ba2 9.1/SRPMS/kdelibs-3.1-58.1mdk.src.rpm
     c125fd93d6a69abce85986b38714245b 9.1/SRPMS/kdegraphics-3.1-9.1mdk.src.rpm

     Mandrake Linux 9.1/PPC:
     5f4bf8a92b89a372fa36d4c6cb72225f ppc/9.1/RPMS/kdebase-3.1-83.1mdk.ppc.rpm
     c3b396fc342700749c8849eadd815b2d ppc/9.1/RPMS/kdebase-devel-3.1-83.1mdk.ppc.rpm
     2cc4dc2962fb14dbb8f932df65131867 ppc/9.1/RPMS/kdebase-kdm-3.1-83.1mdk.ppc.rpm
     60e6736333b3a370c516af7ee803d282 ppc/9.1/RPMS/kdebase-nsplugins-3.1-83.1mdk.ppc.rpm
     99350dae77e920ae26353f963061a447 ppc/9.1/RPMS/kdelibs-3.1-58.1mdk.ppc.rpm
     fb9ce6e8404248513587eaba58ce7e6c ppc/9.1/RPMS/kdelibs-common-3.1-58.1mdk.ppc.rpm
     c649233711d3b197887d930411b25322 ppc/9.1/RPMS/kdelibs-devel-3.1-58.1mdk.ppc.rpm
     d3257808be980c89e58cf43a5bc6d7f3 ppc/9.1/RPMS/kdelibs-static-devel-3.1-58.1mdk.ppc.rpm
     f62f86681644894b4ebfcc4f6dff4ff0 ppc/9.1/RPMS/kdegraphics-3.1-9.1mdk.ppc.rpm
     02cd13f040a102ba314ff6c9083f45e6 ppc/9.1/RPMS/kdegraphics-devel-3.1-9.1mdk.ppc.rpm
     32e95d6c0c859136f1be0e1d3af951c3 ppc/9.1/SRPMS/kdebase-3.1-83.1mdk.src.rpm
     3a6411fc388f14809ab92e0c34ee4ba2 ppc/9.1/SRPMS/kdelibs-3.1-58.1mdk.src.rpm
     c125fd93d6a69abce85986b38714245b ppc/9.1/SRPMS/kdegraphics-3.1-9.1mdk.src.rpm
    ________________________________________________________________________

    Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
    ________________________________________________________________________

    To upgrade automatically, use MandrakeUpdate. The verification of md5
    checksums and GPG signatures is performed automatically for you.

    If you want to upgrade manually, download the updated package from one
    of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm". A list of
    FTP mirrors can be obtained from:

      http://www.mandrakesecure.net/en/ftp.php

    Please verify the update prior to upgrading to ensure the integrity of
    the downloaded package. You can do this with the command:

      rpm --checksig <filename>

    All packages are signed by MandrakeSoft for security. You can obtain
    the GPG public key of the Mandrake Linux Security Team from:

      https://www.mandrakesecure.net/RPM-GPG-KEYS

    Please be aware that sometimes it takes the mirrors a few hours to
    update.

    You can view other update advisories for Mandrake Linux at:

      http://www.mandrakesecure.net/en/advisories/

    MandrakeSoft has several security-related mailing list services that
    anyone can subscribe to. Information on these lists can be obtained by
    visiting:

      http://www.mandrakesecure.net/en/mlist.php

    If you want to report vulnerabilities, please contact

      security_linux-mandrake.com

    Type Bits/KeyID Date User ID
    pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
      <security linux-mandrake.com>

    - -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    mQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday
    L4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7
    WKJqQhlMrHvRcsivzcgqjH44GBBJIT6sygUF8k0lU6YnMHj5MPc/NGWt8wCg9vKo
    P0l5QVAFSsHtqcU9W8cc7wMEAJzQsAlnvPXDBfBLEH6u7ptWFdp0GvbSuG2wRaPl
    hynHvRiE01ZvwbJZXsPsKm1z7uVoW+NknKLunWKB5axrNXDHxCYJBzY3jTeFjsqx
    PFZkIEAQphLTkeXXelAjQ5u9tEshPswEtMvJvUgNiAfbzHfPYmq8D6x5xOw1IySg
    2e/LBACxr2UJYCCB2BZ3p508mAB0RpuLGukq+7UWiOizy+kSskIBg2O7sQkVY/Cs
    iyGEo4XvXqZFMY39RBdfm2GY+WB/5NFiTOYJRKjfprP6K1YbtsmctsX8dG+foKsD
    LLFs7OuVfaydLQYp1iiN6D+LJDSMPM8/LCWzZsgr9EKJ8NXiyrQ6TGludXggTWFu
    ZHJha2UgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAbGludXgtbWFuZHJha2UuY29t
    PohWBBMRAgAWBQI5aefeBAsKBAMDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmK6LAKCy
    /NInDsaMSI+WHwrquwC5PZrcnQCeI+v3gUDsNfQfiKBvQSANu1hdulqIRgQQEQIA
    BgUCOtNVGQAKCRBZ5w3um0pAJJWQAKDUoL5He+mKbfrMaTuyU5lmRyJ0fwCgoFAP
    WdvQlu/kFjphF740XeOwtOqIRgQQEQIABgUCOu8A6QAKCRBynDnb9lq3CnpjAJ4w
    Pk0SEE9U4r40IxWpwLU+wrWVugCdFfSPllPpZRCiaC7HwbFcfExRmPaIRgQQEQIA
    BgUCPI+UAwAKCRDniYrgcHcf8xK5AKCm/Mq8qP8GE0o1hEX22QsJMZwH5gCfZ72H
    8TacOb3oAmBdprf+K6gkdOiIRgQQEQIABgUCOtOieAAKCRCv2bZyU0yB80MeAJ9K
    +jXt0cKuaUonRU+CRGetk6t9dgCfTRRL6/puOKdD6md70+K5EBBSvsG0OE1hbmRy
    YWtlIExpbnV4IFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QG1hbmRyYWtlc29mdC5j
    b20+iFcEExECABcFAjyPnuUFCwcKAwQDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmFi+
    AJsHhohgnU3ik4+gy3EdFlB2i/MBoACg6lHn5cnVvTcmgNccWxeNxLLZI5e5AQ0E
    OWnn7xAEAOQlTVY4TiNo5V/iP0J1xnqjqlqZsU7yEBKo/gZz6/+hx75RURe1ebiJ
    9F779FQbpJ9Epz1KLSXvq974rnVb813zuGdmgFyk+ryA/rTR2RQ8h+EoNkwmATzR
    xBXVJb57fFQjxOu4eNjZAtfII/YXb0uyXXrdr5dlJ/3eXrcO4p0XAAMFBACCxo6Z
    269s+A4v8C6Ui12aarOQcCDlV8cVG9LkyatU3FNTlnasqwo6EkaP572448weJWwN
    6SCXVl+xOYLiK0hL/6Jb/O9Agw75yUVdk+RMM2I4fNEi+y4hmfMh2siBv8yEkEvZ
    jTcl3TpkTfzYky85tu433wmKaLFOv0WjBFSikohGBBgRAgAGBQI5aefvAAoJEJqo
    0NAiRYqYid0AoJgeWzXrEdIClBOSW5Q6FzqJJyaqAKC0Y9YI3UFlE4zSIGjcFlLJ
    EJGXlA==
    =yGlX
    - -----END PGP PUBLIC KEY BLOCK-----

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)

    iD8DBQE+nxZqmqjQ0CJFipgRAnjwAKC2mzPdjhOX6CiEtvNUy2PbXOLPkwCfTanL
    Vh3RDUyKQo84Diqmm0N0MGc=
    =yVon
    -----END PGP SIGNATURE-----
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Muhammad Faisal Rauf Danka: "[Full-Disclosure] Fwd: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors"

    Relevant Pages

    • Re: [kde-linux] Another KDE 4.x print problem?
      ... one on my file server has never offered to upgrade KDE to 4.x anything ... ... I think security support runs out for it toward the ... Only security-related bugs justify a new package ... on a Debian system using the KDE packages created by the Debian maintainers. ...
      (KDE)
    • MDKSA-2002:023-1 - packages containing zlib update
      ... MandrakeSoft has published two advisories concerning this incident: ... For a list of prior packages ... Mandrake Linux 8.0/ppc: ... All packages are signed by MandrakeSoft for security. ...
      (Bugtraq)
    • [slackware-security] KDE packages updated (SSA:2003-213-01)
      ... New KDE packages are available for Slackware 9.0. ... Here are the details from the Slackware 9.0 ChangeLog: ... Note that this update addresses a security problem in Konqueror which may ...
      (Bugtraq)
    • Re: KDE3 on F9 and F10 HOWTO, now online
      ... WILL REINTRODUCE CRITICAL SECURITY VULNERABILITIES INTO YOUR SYSTEM AND MAY ... You should rebuild the KDE 3 packages against the current libraries ... "After a successful upgrade, you have to be careful when installing ...
      (Fedora)
    • MDKSA-2002:022 - zlib update
      ... causes zlib to free an area of memory twice. ... The second advisory contains additional packages that bring their own ... Mandrake Linux 8.0/ppc: ... All packages are signed by MandrakeSoft for security. ...
      (Bugtraq)