Mandrake Linux Security Advisory : kdelibs (MDKSA-2004:150)

high Nessus Plugin ID 15981
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote Mandrake Linux host is missing one or more security updates.

Description

Daniel Fabian discovered a potential privacy issue in KDE. When creating a link to a remote file from various applications, including Konqueror, the resulting URL may contain the authentication credentials used to access that remote resource. This includes, but is not limited to, browsing SMB (Samba) shares. Upon further investigation, it was found that the SMB protocol handler also unnecessarily exposed authentication credentials (CVE-2004-1171).

Another vulnerability was discovered where a malicious website could abuse Konqueror to load its own content into a window or tab that was opened by a trusted website, or it could trick a trusted website into loading content into an existing window or tab. This could lead to the user being confused as to the origin of a particular webpage and could have the user unknowingly send confidential information intended for a trusted site to the malicious site (CVE-2004-1158).

The updated packages contain a patch from the KDE team to solve this issue.

Additionally, the kdelibs and kdebase packages for Mandrakelinux 10.1 contain numerous bugfixes. New qt3 packages are being provided for Mandrakelinux 10.0 that are required to build the kdebase package.

Solution

Update the affected packages.

See Also

http://www.kde.org/info/security/advisory-20040811-3.txt

http://www.kde.org/info/security/advisory-20041209-1.txt

Plugin Details

Severity: High

ID: 15981

File Name: mandrake_MDKSA-2004-150.nasl

Version: 1.18

Type: local

Published: 12/15/2004

Updated: 1/6/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:kdebase, p-cpe:/a:mandriva:linux:kdebase-common, p-cpe:/a:mandriva:linux:kdebase-kate, p-cpe:/a:mandriva:linux:kdebase-kcontrol-data, p-cpe:/a:mandriva:linux:kdebase-kcontrol-nsplugins, p-cpe:/a:mandriva:linux:kdebase-kdeprintfax, p-cpe:/a:mandriva:linux:kdebase-kdm, p-cpe:/a:mandriva:linux:kdebase-kdm-config-file, p-cpe:/a:mandriva:linux:kdebase-kmenuedit, p-cpe:/a:mandriva:linux:kdebase-konsole, p-cpe:/a:mandriva:linux:kdebase-nsplugins, p-cpe:/a:mandriva:linux:kdebase-progs, p-cpe:/a:mandriva:linux:kdelibs-common, p-cpe:/a:mandriva:linux:lib64kdebase4, p-cpe:/a:mandriva:linux:lib64kdebase4-devel, p-cpe:/a:mandriva:linux:lib64kdebase4-kate, p-cpe:/a:mandriva:linux:lib64kdebase4-kate-devel, p-cpe:/a:mandriva:linux:lib64kdebase4-kmenuedit, p-cpe:/a:mandriva:linux:lib64kdebase4-konsole, p-cpe:/a:mandriva:linux:lib64kdebase4-nsplugins, p-cpe:/a:mandriva:linux:lib64kdebase4-nsplugins-devel, p-cpe:/a:mandriva:linux:lib64kdecore4, p-cpe:/a:mandriva:linux:lib64kdecore4-devel, p-cpe:/a:mandriva:linux:lib64qt3, p-cpe:/a:mandriva:linux:lib64qt3-devel, p-cpe:/a:mandriva:linux:lib64qt3-mysql, p-cpe:/a:mandriva:linux:lib64qt3-odbc, p-cpe:/a:mandriva:linux:lib64qt3-psql, p-cpe:/a:mandriva:linux:libkdebase4, p-cpe:/a:mandriva:linux:libkdebase4-devel, p-cpe:/a:mandriva:linux:libkdebase4-kate, p-cpe:/a:mandriva:linux:libkdebase4-kate-devel, p-cpe:/a:mandriva:linux:libkdebase4-kmenuedit, p-cpe:/a:mandriva:linux:libkdebase4-konsole, p-cpe:/a:mandriva:linux:libkdebase4-nsplugins, p-cpe:/a:mandriva:linux:libkdebase4-nsplugins-devel, p-cpe:/a:mandriva:linux:libkdecore4, p-cpe:/a:mandriva:linux:libkdecore4-devel, p-cpe:/a:mandriva:linux:libqt3, p-cpe:/a:mandriva:linux:libqt3-devel, p-cpe:/a:mandriva:linux:libqt3-mysql, p-cpe:/a:mandriva:linux:libqt3-odbc, p-cpe:/a:mandriva:linux:libqt3-psql, p-cpe:/a:mandriva:linux:mandrakelinux-kde-config-file, p-cpe:/a:mandriva:linux:qt3-common, p-cpe:/a:mandriva:linux:qt3-example, cpe:/o:mandrakesoft:mandrake_linux:10.0, cpe:/o:mandrakesoft:mandrake_linux:10.1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Patch Publication Date: 12/15/2004

Reference Information

CVE: CVE-2004-0721, CVE-2004-1158, CVE-2004-1171

MDKSA: 2004:150