RHEL 4 : kdelibs (RHSA-2005:065)

This script is Copyright (C) 2005-2014 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

Updated kdelibs packages that resolve security issues in Konqueror are
now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the
Red Hat Security Response Team.

The kdelibs packages include libraries for the K Desktop Environment.

Two flaws were found in the sandbox environment used to run
Java-applets in the Konqueror web browser. If a user has Java enabled
in Konqueror and visits a malicious website, the website could run a
carefully crafted Java-applet and obtain escalated privileges allowing
reading and writing of arbitrary files with the privileges of the
victim. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2004-1145 to this issue.

A flaw was discovered in the FTP kioslave. KDE applications such as
Konqueror could be forced to execute arbitrary FTP commands via a
carefully crafted ftp URL. The URL could also be crafted in such a way
as to send an arbitrary email via SMTP. An attacker could make use of
this flaw if a victim visits a malicious website. The Common
Vulnerabilities and Exposures project has assigned the name
CVE-2004-1165 to this issue.

Users should update to these erratum packages which contain backported
patches to correct these issues.

See also :

https://www.redhat.com/security/data/cve/CVE-2004-1145.html
https://www.redhat.com/security/data/cve/CVE-2004-1165.html
http://www.kde.org/info/security/advisory-20041220-1.txt
http://www.kde.org/info/security/advisory-20050101-1.txt
http://rhn.redhat.com/errata/RHSA-2005-065.html

Solution :

Update the affected kdelibs and / or kdelibs-devel packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Family: Red Hat Local Security Checks

Nessus Plugin ID: 17177 ()

Bugtraq ID:

CVE ID: CVE-2004-1145
CVE-2004-1165