Awaiting testing, Re: kde kjs vulnerabiity?

Tue Mar 7 05:23:11 UTC 2006

On Fri, 3 Feb 2006, David Houlder wrote:

> Hi...
> 
> Am I right in thinking that this...
> http://www.kde.org/info/security/advisory-20060119-1.txt
> ...currently affects FC3?
> Thanks
> 

Kdelibs packages remain available for testing in updates-testing that fix 
that.

FC2 and FC3 kdelibs is vulnerable to CVE-2006-0019, the KDE javascript
vulnerability.  Since the konqueror web-browser uses kdelibs, then
konqueror for FC2 & FC3 is also vulnerable to this (until kdelibs
is updated).

Red Hat's update that fixes CVE-2006-0019 in Red Hat Enterprise Linux has
been rated as having critical security impact by the Red Hat Security
Response Team.  

Kdelibs packages are also in testing for other vulnerabilities for RHL 7.3,
RHL 9, and FC1.  The more votes these packages get, the sooner we can
release them.

References:
   * "Heap-based buffer overflow in the encodeURI and decodeURI functions 
     in the kjs JavaScript interpreter engine in KDE 3.2.0 through 3.5.0
     allows remote attackers to execute arbitrary code via a crafted, 
     UTF-8 encoded URI."
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0019>

   * Announcement of KDE packages needing downloading and testing:
     <http://www.redhat.com/archives/fedora-legacy-list/2006-March/msg00002.html>

   * Bugzilla ticket for this and other kdelibs issues:
     <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178606>

Thanks.

	Kind regards,
	David Eisenstein