ftp://updates.redhat.com/6.0/sparc/
kdeadmin-1.1.2-3.sparc.rpm
kdebase-1.1.2-11.sparc.rpm
kdegames-1.1.2-2.sparc.rpm
kdegraphics-1.1.2-2.sparc.rpm
kdelibs-1.1.2-9.sparc.rpm
kdemultimedia-1.1.2-3.sparc.rpm
kdenetwork-1.1.2-4.sparc.rpm
kdesupport-1.1.2-3.sparc.rpm
kdetoys-1.1.2-2.sparc.rpm
kdeutils-1.1.2-2.sparc.rpm
korganizer-1.1.1-2.sparc.rpm
kpilot-3.1b9-3.sparc.rpm
7. Problem description:
Red Hat Linux 6.0 shipped with KDE 1.1.1pre2, the latest release
available at the time we went into production. There were a number of
configuration and security bugs in the original packages.
kmail, the KDE mail reader, decoded MIME attachments in an unsafe
manner: attachments were written to a temporary directory under an
easily predictable filename. This could then be exploited via a
symlink attack to overwrite arbitrary files owned by the user running
kmail.
8. Solution:
Upgrade to KDE 1.1.1 final, which fixes a number of bugs present in
the previous release and contains additional patches to correct
security holes in kmail and kvt.
For each RPM for your particular architecture, run:
rpm -Uvh FILENAME
where FILENAME is the name of the RPM.
9. Verification:
These packages are also PGP signed by Red Hat Inc. for security. Our
key is available at:
http://www.redhat.com/corp/contact.html
You can verify each package with the following command:
rpm --checksig FILENAME
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nopgp FILENAME
10. References:
http://www.geek-girl.com/bugtraq/1999_2/0685.html
This URL describes the kmail security hole.