GLSA: kde-3.x (200304-04) - gentoo-announce - Gentoo Mailing List Archives

From:	Daniel Ahlberg <aliz@g.o>
To:	gentoo-announce@g.o
Subject:	GLSA: kde-3.x (200304-04)
Date:	Thu, 10 Apr 2003 16:03:51
Message-Id:	`20030410153500.1234733A13@mail1.tamperd.net`

1

-----BEGIN PGP SIGNED MESSAGE-----

2

Hash: SHA1

3

4

- - ---------------------------------------------------------------------

5

GENTOO LINUX SECURITY ANNOUNCEMENT 200304-04

6

- - ---------------------------------------------------------------------

7

8

          PACKAGE : kde-3.x

9

          SUMMARY : aribitrary code execution

10

             DATE : 2003-04-10 15:34 UTC

11

          EXPLOIT : remote

12

VERSIONS AFFECTED : <3.1.1a || <3.0.5b

13

    FIXED VERSION : >=3.1.1a || >=3.0.5b

14

              CVE : 

15

16

- - ---------------------------------------------------------------------

17

18

- From advisory:

19

20

"KDE uses Ghostscript software for processing of PostScript (PS)

21

and PDF files in a way that allows for the execution of arbitrary

22

commands that can be contained in such files.

23

24

An attacker can prepare a malicious PostScript or PDF file which will

25

provide the attacker with access to the victim's account and privileges

26

when the victim opens this malicious file for viewing or when the

27

victim browses a directory containing such malicious file and has

28

file previews enabled.

29

30

An attacker can provide malicious files remotely to a victim in an

31

e-mail, as part of a webpage, via an ftp server and possible other 

32

means."

33

34

Read the full advisory at:

35

http://www.kde.org/info/security/advisory-20030409-1.txt

36

37

INFORMATION REGARDING OTHER ARCHITECTURES THAN X86

38

39

kde-3.1.1a and kde-3.0.5b are currently only marked stable for x86. 

40

If you have succesfully compiled and merged 3.1.1a or 3.0.5a on any 

41

other architecture than x86 please report this to kde@g.o.

42

43

SOLUTION

44

45

It is recommended that all Gentoo Linux users who are running

46

kde-base/kde upgrade to kde-3.1.1a or kde-3.0.5b as follows:

47

48

emerge sync

49

emerge kde OR \=kde-base/kde-3.0.5b

50

emerge clean

51

52

- - ---------------------------------------------------------------------

53

aliz@g.o - GnuPG key is available at http://cvs.gentoo.org/~aliz

54

kde@g.o

55

- - ---------------------------------------------------------------------

56

-----BEGIN PGP SIGNATURE-----

57

Version: GnuPG v1.2.1 (GNU/Linux)

58

59

iD8DBQE+lY8jfT7nyhUpoZMRAvLiAJ9H88aDx2IA/Hv/PucuCDLf+I1N8gCfc4QF

60

SEzK/MyCf96Z5CSmQ2hNtlk=

61

=j+2O

62

-----END PGP SIGNATURE-----

1	-----BEGIN PGP SIGNED MESSAGE-----
2	Hash: SHA1
3
4	- - ---------------------------------------------------------------------
5	GENTOO LINUX SECURITY ANNOUNCEMENT 200304-04
6	- - ---------------------------------------------------------------------
7
8	PACKAGE : kde-3.x
9	SUMMARY : aribitrary code execution
10	DATE : 2003-04-10 15:34 UTC
11	EXPLOIT : remote
12	VERSIONS AFFECTED : <3.1.1a \|\| <3.0.5b
13	FIXED VERSION : >=3.1.1a \|\| >=3.0.5b
14	CVE :
15
16	- - ---------------------------------------------------------------------
17
18	- From advisory:
19
20	"KDE uses Ghostscript software for processing of PostScript (PS)
21	and PDF files in a way that allows for the execution of arbitrary
22	commands that can be contained in such files.
23
24	An attacker can prepare a malicious PostScript or PDF file which will
25	provide the attacker with access to the victim's account and privileges
26	when the victim opens this malicious file for viewing or when the
27	victim browses a directory containing such malicious file and has
28	file previews enabled.
29
30	An attacker can provide malicious files remotely to a victim in an
31	e-mail, as part of a webpage, via an ftp server and possible other
32	means."
33
34	Read the full advisory at:
35	http://www.kde.org/info/security/advisory-20030409-1.txt
36
37	INFORMATION REGARDING OTHER ARCHITECTURES THAN X86
38
39	kde-3.1.1a and kde-3.0.5b are currently only marked stable for x86.
40	If you have succesfully compiled and merged 3.1.1a or 3.0.5a on any
41	other architecture than x86 please report this to kde@g.o.
42
43	SOLUTION
44
45	It is recommended that all Gentoo Linux users who are running
46	kde-base/kde upgrade to kde-3.1.1a or kde-3.0.5b as follows:
47
48	emerge sync
49	emerge kde OR \=kde-base/kde-3.0.5b
50	emerge clean
51
52	- - ---------------------------------------------------------------------
53	aliz@g.o - GnuPG key is available at http://cvs.gentoo.org/~aliz
54	kde@g.o
55	- - ---------------------------------------------------------------------
56	-----BEGIN PGP SIGNATURE-----
57	Version: GnuPG v1.2.1 (GNU/Linux)
58
59	iD8DBQE+lY8jfT7nyhUpoZMRAvLiAJ9H88aDx2IA/Hv/PucuCDLf+I1N8gCfc4QF
60	SEzK/MyCf96Z5CSmQ2hNtlk=
61	=j+2O
62	-----END PGP SIGNATURE-----

Gentoo Archives: gentoo-announce