Alerts This Week
Warning Icon 1 764
Alerts This Week
Warning Icon 1 764

Fedora 25: 2017-03-12 Critical kdelibs3 Update for Leak Issues

fedora
Calendar Grey March 12, 2017
Dist Fedora Esm H88
Tackling stability concerns in kdelibs3 for Fedora 25, particularly focusing on tar extraction flaws and potential data exposure risks.
This kdelibs3 (KDE 3 compatibility libraries) update fixes the security issues: * CVE-2016-6232 (karchive): Extraction of tar files possible to arbitrary system locations * CVE-201...

Summary

Libraries for KDE 3:

KDE Libraries included: kdecore (KDE core library), kdeui (user interface),

kfm (file manager), khtmlw (HTML widget), kio (Input/Output, networking),

kspell (spelling checker), jscript (javascript), kab (addressbook),

kimgio (image manipulation).

Update Information:

This kdelibs3 (KDE 3 compatibility libraries) update fixes the security issues: * CVE-2016-6232 (karchive): Extraction of tar files possible to arbitrary system locations * CVE-2017-6410 (kio): Information Leak when accessing https when using a malicious PAC file for the KDE 3 compatibility libraries. (Security updates for KDE Frameworks 5 (kf5-karchive resp. kf5-kio) and for the KDE 4 compatibility libraries (kdelibs 4) have already been submitted.) In addition, the KDE 3 compatibility version of KCrash was modified to use the DrKonqi from Plasma 5 rather than from kde-runtime 4. (The original KDE 3 DrKonqi was already dropped years ago.) The kde-runtime 4 DrKonqi is not installed by default and will be removed entirely in future Fedora versions, the Plasma 5 version of DrKonqi can also be used for legacy applications.

Topics%20covered

Topics Covered

security advisory critical issue information leak software update Fedora kdelibs3 tar extraction

Change Log

References


[ 1 ] Bug #1427808 - CVE-2017-6410 kf5-kio, kdelibs: Information Leak when accessing https when using a malicious PAC file https://bugzilla.redhat.com/show_bug.cgi?id=1427808 [ 2 ] Bug #1357410 - CVE-2016-6232 kf5-karchive: Extraction of tar files possible to arbitrary system locations https://bugzilla.redhat.com/show_bug.cgi?id=1357410

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade kdelibs3' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

Severity
critical
Lowest
Low
Medium
High
Critical

Name: kdelibs3
Product: Fedora 25
Version: 3.5.10
Release: 84.fc25
URL: https://kde.org/
Summary: KDE 3 Libraries

Topics%20covered

Topics Covered

security advisory critical issue information leak software update Fedora kdelibs3 tar extraction

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here