[RHSA-2009:1130-01] Critical: kdegraphics security update


=====================================================================

Red Hat Security Advisory

 

Synopsis: Critical: kdegraphics security update

Advisory ID: RHSA-2009:1130-01

Product: Red Hat Enterprise Linux

Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-1130.html

Issue date: 2009-06-25

CVE Names: CVE-2009-0945 CVE-2009-1709

=====================================================================

 

1. Summary:

 

Updated kdegraphics packages that fix two security issues are now available for Red Hat Enterprise Linux 5.

 

This update has been rated as having critical security impact by the Red Hat Security Response Team.

 

2. Relevant releases/architectures:

 

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

RHEL Desktop Workstation (v. 5 client) - i386, x86_64

RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64

 

3. Description:

 

The kdegraphics packages contain applications for the K Desktop Environment (KDE). Scalable Vector Graphics (SVG) is an XML-based language to describe vector images. KSVG is a framework aimed at implementing the latest W3C SVG specifications.

 

A use-after-free flaw was found in the KDE KSVG animation element implementation. A remote attacker could create a specially-crafted SVG image which, once opened by an unsuspecting user, could cause a denial of service (Konqueror crash) or, potentially, execute arbitrary code with the privileges of the user running Konqueror. (CVE-2009-1709)

 

A NULL pointer dereference flaw was found in the KDE KSVG SVGList interface implementation. A remote attacker could create a specially-crafted SVG image which, once opened by an unsuspecting user, would cause memory corruption, leading to a denial of service (Konqueror crash). (CVE-2009-0945)

 

All users of kdegraphics should upgrade to these updated packages, which contain backported patches to correct these issues. The desktop must be restarted (log out, then log back in) for this update to take effect.

 

4. Solution:

 

Before applying this update, make sure that all previously-released errata relevant to your system have been applied.

 

This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

 

5. Bugs fixed (http://bugzilla.redhat.com/):

 

506246 - CVE-2009-1709 kdegraphics: KSVG Pointer use-after-free error in the SVG animation element (DoS, ACE)

506703 - CVE-2009-0945 kdegraphics: KSVG NULL-pointer dereference in the SVGList interface implementation (ACE)

 

6. Package List:

 

Red Hat Enterprise Linux Desktop (v. 5 client):

 

Source:

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kdegraphics-3.5.4-13.el5_3.src.rpm

 

i386:

kdegraphics-3.5.4-13.el5_3.i386.rpm

kdegraphics-debuginfo-3.5.4-13.el5_3.i386.rpm

 

x86_64:

kdegraphics-3.5.4-13.el5_3.x86_64.rpm

kdegraphics-debuginfo-3.5.4-13.el5_3.x86_64.rpm

 

RHEL Desktop Workstation (v. 5 client):

 

Source:

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kdegraphics-3.5.4-13.el5_3.src.rpm

 

i386:

kdegraphics-debuginfo-3.5.4-13.el5_3.i386.rpm

kdegraphics-devel-3.5.4-13.el5_3.i386.rpm

 

x86_64:

kdegraphics-debuginfo-3.5.4-13.el5_3.i386.rpm

kdegraphics-debuginfo-3.5.4-13.el5_3.x86_64.rpm

kdegraphics-devel-3.5.4-13.el5_3.i386.rpm

kdegraphics-devel-3.5.4-13.el5_3.x86_64.rpm

 

RHEL Optional Productivity Applications (v. 5 server):

 

Source:

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kdegraphics-3.5.4-13.el5_3.src.rpm

 

i386:

kdegraphics-3.5.4-13.el5_3.i386.rpm

kdegraphics-debuginfo-3.5.4-13.el5_3.i386.rpm

kdegraphics-devel-3.5.4-13.el5_3.i386.rpm

 

x86_64:

kdegraphics-3.5.4-13.el5_3.x86_64.rpm

kdegraphics-debuginfo-3.5.4-13.el5_3.i386.rpm

kdegraphics-debuginfo-3.5.4-13.el5_3.x86_64.rpm

kdegraphics-devel-3.5.4-13.el5_3.i386.rpm

kdegraphics-devel-3.5.4-13.el5_3.x86_64.rpm

 

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package
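An added example (not part of the advisory or of Red Hat's tooling) for checking whether the kdegraphics builds on a RHEL 5 host are at or above the fixed build listed above, 3.5.4-13.el5_3. It reimplements librpm's version-segment comparison in Python (without the `~`/`^` rules, which these versions do not use) and runs it over `rpm -q` output; the sample output is constructed, and the advisory gives no epoch, so only VERSION-RELEASE is compared.

```python
import re
import subprocess

# Fixed build from the RHSA-2009:1130 package list (no epoch is given there).
FIXED_VR = "3.5.4-13.el5_3"
AFFECTED_PKGS = ("kdegraphics", "kdegraphics-devel", "kdegraphics-debuginfo")

_SEG = re.compile(r"\d+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Compare two RPM version/release strings as librpm's rpmvercmp does.
    Returns -1, 0 or 1.  Simplified: '~' and '^' are not handled."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1          # numeric segment beats alpha
        if xd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):                  # leftover segments mean newer
        return 1 if len(sa) > len(sb) else -1
    return 0

def vr_cmp(a, b):
    """Compare 'VERSION-RELEASE' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def vulnerable_packages(rpm_lines, fixed_vr=FIXED_VR):
    """Given lines 'NAME VERSION-RELEASE' from rpm -q, return the affected
    packages that are still older than the fixed build."""
    found = []
    for line in rpm_lines:
        line = line.strip()
        if not line or "not installed" in line:   # rpm's message for absent pkgs
            continue
        name, vr = line.split()
        if name in AFFECTED_PKGS and vr_cmp(vr, fixed_vr) < 0:
            found.append(f"{name}-{vr}")
    return found

# Constructed sample of rpm -q output: one package still at a pre-fix build.
SAMPLE_RPM_OUTPUT = """\
kdegraphics 3.5.4-12.el5
kdegraphics-devel 3.5.4-13.el5_3
package kdegraphics-debuginfo is not installed
""".splitlines()

if __name__ == "__main__":
    try:   # live query on an RPM-based host; falls back to the sample elsewhere
        res = subprocess.run(["rpm", "-q", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n",
                              *AFFECTED_PKGS], capture_output=True, text=True)
        lines = res.stdout.splitlines()
    except FileNotFoundError:
        lines = SAMPLE_RPM_OUTPUT
    print("still vulnerable:", vulnerable_packages(lines) or "none")
```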

 

7. References:

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0945

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1709

http://www.redhat.com/security/updates/classification/#critical

 

8. Contact:

 

The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/

 

Copyright 2009 Red Hat, Inc.
