Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Red Hat, Suse patch critical KDE security hole
InfoWorld ^ | 23 January 2006 | James Niccolai

Posted on 01/23/2006 8:21:55 AM PST by ShadowAce

Red Hat and Suse have released patches for a critical security hole in their Linux distributions that stem from a vulnerability in the KDE desktop environment.

KDE is a user interface package used with several versions of Unix and Linux. The KDE hole was discovered Thursday and rated critical by both Red Hat and the French Security Incident Response Team (FrSIRT).

It affects the JavaScript engine used in various parts of KDE, including its Konqueror Web browser. The flaw could allow a remote attacker to launch an overflow attack and run arbitrary code on the user's machine, FrSIRT said.

Users could disable JavaScript in Konqueror as a workaround, but some Web sites might not display properly and installing the patches is better, said Suse, which is part of Novell.

The problem affects version 4 of Red Hat Enterprise Linux AS, ES, and WS, and also version 4 of Red Hat Desktop. Red Hat released patches for those products late last week on the Red Hat Network, it said.

The versions of Suse Linux affected are 10.0, 9.3, 9.2 and 9.1, according to a Suse advisory at http://www.novell.com/linux/security/advisories/2006_03_kdelibs3.html/

KDE also released patches for the hole, and an advisory at http://kde.org/info/security/advisory-20060119-1.txt. The flaw affects KDE 3.2.0 up to and including KDE 3.5.0, it said.

The newest version of KDE released in November, KDE 3.5, is apparently not affected. Also not affected are Red Hat Enterprise Linux 3 or 2.1, Red Hat said.

The FrSIRT advisory is at http://www.frsirt.com/english/advisories/2006/0279


TOPICS: Technical
KEYWORDS: kde; linux; patch
Navigation: use the links below to view more comments.
first 1-2021-31 next last
The flaw affects KDE 3.2.0 up to and including KDE 3.5.0, it said.
The newest version of KDE released in November, KDE 3.5, is apparently not affected.

Does this make any sense?

1 posted on 01/23/2006 8:21:57 AM PST by ShadowAce
[ Post Reply | Private Reply | View Replies]

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

2 posted on 01/23/2006 8:22:14 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

Say it ain't so Linus.


3 posted on 01/23/2006 8:23:22 AM PST by conservative barking moonbat (1989 Light years from home)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

I thought only IE had these kind of issues..... ;)


4 posted on 01/23/2006 8:25:06 AM PST by BlueStateDepression
[ Post Reply | Private Reply | To 1 | View Replies]

To: conservative barking moonbat
Say it ain't so Linus.

LOL! On a more serious note, though, Linus has nothing to do with KDE. KDE is strictly a user app, and not related to the kernel.

5 posted on 01/23/2006 8:25:13 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 3 | View Replies]

To: conservative barking moonbat

Understand that this is not a "train" that Linus controls.


6 posted on 01/23/2006 8:25:50 AM PST by taxcontrol
[ Post Reply | Private Reply | To 3 | View Replies]

To: BlueStateDepression
I thought only IE had these kind of issues

Nah. But the difference is that the patch was released with the flaw information. MS would wait until the screams from customers would force them to patch.

7 posted on 01/23/2006 8:26:36 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 4 | View Replies]

To: ShadowAce
WINDOWMAKER!!

It Works!

Very low resource overhead too . . . And it looks neat!


8 posted on 01/23/2006 8:58:15 AM PST by blues_guitarist (Ez. 38 & 39 <--- It's closer than you think!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: BlueStateDepression

"I thought only IE had these kind of issues..... ;"

Nothings perfect. While this is considered "critical" since it can allow another to execute arbitrary code on an affected machine; it is a rather narrow vulnerability. For it to be exploited one would have to visit a web site and use Konquerer as the browser. Now I'm sure a few folks browse with Konquerer, but the vast majority use Firefox, Mozilla, or Opera; non of which are vulnerable to this flaw.

Just the same, I've already downloaded and applied the patch!


9 posted on 01/23/2006 9:04:50 AM PST by crescen7 (lighten up)
[ Post Reply | Private Reply | To 4 | View Replies]

To: ShadowAce
The flaw affects KDE 3.2.0 up to and including KDE 3.5.0, it said. The newest version of KDE released in November, KDE 3.5, is apparently not affected. Does this make any sense?

Only if the current version of KDE 3.5 is at revision level 1 or higher (3.5.1 or higher). It would have been smarter writing to have been more specific, rather than just referring to the major/minor release numbers.

10 posted on 01/23/2006 9:06:53 AM PST by kevkrom
[ Post Reply | Private Reply | To 1 | View Replies]

To: blues_guitarist
I also like a nice, clean, desktop:


11 posted on 01/23/2006 9:14:04 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 8 | View Replies]

To: ShadowAce

I think I'm in a very small minority - I know I'm "supposed" to like KDE (more powerful, more configurable) but try as I might, I find GNOME to be more my cup of tea.


12 posted on 01/23/2006 9:59:37 AM PST by 2 Kool 2 Be 4-Gotten (Is your problem ignorance or apathy? I don't know and I don't care.)
[ Post Reply | Private Reply | To 2 | View Replies]

To: blues_guitarist
Agreed. WindowMaker is very clean, and my preferred environment, along with KDE apps.
13 posted on 01/23/2006 9:59:45 AM PST by clyde asbury (Atomic Amish)
[ Post Reply | Private Reply | To 8 | View Replies]

To: blues_guitarist; ShadowAce
The least you could do is post links, you lot.

On a related topic, now I've found a place where you probably are reading this topic I've a question for all you 'nix users out there: I am considering converting this box to Linux for dedicated Web browsing, but I can not seem to locate a Firewall that works like My two favourite 'Doze apps do (BlackIce Defender and Agnitum Outpost)-namely, they work by not allowing ANY connection to be made unless specifically allowed on each individual basis. I.e., if I click on the FR site, a little box pops up stating "(Application)(Opera Browser) is requesting a connection with such-and-such a site (www.freerepublic.com). |Allow|Deny|Create Rule for| ?"

Then I click on the Create button and the window switches to a box where I can allow the connection to be allowed once, denied once, or allowed/denied automatically every following time. Using this method, NO spyware/adware/malware has been able to infect this machine, and on other sites I can bypass all the ad-muck popups as well which cleans up the browsing effect markedly. Any recommendations?

I am also looking for a newer version of Linux that can run on an older machine, such as an older one with about 64M of memory or so. Hopefully, one that can be configured to run in extreme power-saving mode so I can leave it on continuously without sending My electricity bill through the roof. Damn Small Linux (DSL) works quite well, but it is rather sparse and I would like something with a little more apps to it. Any ideas from all you experts out there?

14 posted on 01/23/2006 12:08:25 PM PST by Utilizer (What does not kill you... - can sometimes damage you QUITE severely.)
[ Post Reply | Private Reply | To 11 | View Replies]

To: Utilizer
Xfce Desktop

Hope that helps.

As far as firewall, I have made a conscious effort to NOT comment of existing firewalls, as I created my own. I took an old P120, installed a minimal distro on it (Can't remember it offhand), and manually edited the ipchains file to drop all connections coming in that I did not specifically request.

Nobody ever gets in, and I can get out. It took me about 4-5 lines of code.

As far as a lightweight distro, try Puppy Linux. It contains a fairly decent set of software, and it's a popular distro.

I just remembered--I've heard pretty good things about Devil Linux--a distro made for firewalls and routers. I have had no experience with it, so I don't know how it works, I would doubt that it will work exactly like you are used to, though.

15 posted on 01/23/2006 12:20:32 PM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 14 | View Replies]

To: ShadowAce
The KDE hole was discovered Thursday...

After being in place since at least February 2004, when KDE 3.2 was released. Someone want to explain that "many eyeballs" business to me again?

16 posted on 01/23/2006 12:24:43 PM PST by Senator Bedfellow
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce
My thanks, mate. I always appreciate the wealth of knowledge fellow FReepers helpfully provide for others who are interested in such information. Especially for individuals such as I who candidly admit to being relative 'newbies' on such a topic and at the beginning side of the bell-curve of such information and looking to increase their knowledge of same. Preferably without wading through pages and pages of FUD or outright propaganda for a pet peeve in leiu of helpful information, or deliberately unrelated replies.

Again, thanks and feel free to send more info that might be relevant anytime you come across it.

Cheers!

17 posted on 01/23/2006 12:32:19 PM PST by Utilizer (What does not kill you... - can sometimes damage you QUITE severely.)
[ Post Reply | Private Reply | To 15 | View Replies]

To: Senator Bedfellow
Someone want to explain that "many eyeballs" business to me again?

What are you suggesting? "Many eyeballs" translates into instantaneous discovery? How long did the WMF vulnerabilty exist before discovery? Hint: It was much longer than two years.

18 posted on 01/23/2006 12:40:22 PM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 16 | View Replies]

To: ShadowAce
All bugs are shallow, right?

Actually, my point is quite simple - KDE, like most OSS projects, has a dedicated core of developers who do the vast, vast majority of coding for the project. The chances of someone outside this inner core of developers actually sitting down with the code and looking for bugs are basically non-existent. The projects are too large and too complicated for dillettantes to have much of an impact - the amount of work needed to familiarize yourself with the codebase in order to make meaningful contributions pretty much bars folks from simply dipping in and shotgunning some bug fixes into place. So, effectively, the "many eyeballs" paradigm is simply an illusion in most cases. It sounds nice in theory, but it doesn't really exist in reality.

19 posted on 01/23/2006 1:01:58 PM PST by Senator Bedfellow
[ Post Reply | Private Reply | To 18 | View Replies]

To: Senator Bedfellow
I do understand your point. With a project the size of KDE, it may even be valid. The difference as I see it, has to do with the motivation/ability of the developers. With a closed-source project, the company must balance talent with costs, thus the developers assigned to the project usually barely cover the needs of that project. Hence, their ability to discover, track, and correct bugs is limited by time and priorities.

With FLOSS, any developer can join the project. The project cansupport as many interested developers as want to join. This, plus the motivation of the involved developers being more project-oriented than closed-source developers, and yes--all bugs are shallow in comparison with closed-source projects.

20 posted on 01/23/2006 1:15:46 PM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 19 | View Replies]


Navigation: use the links below to view more comments.
first 1-2021-31 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson