-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SUSE Security Announcement

        Package:                Qt
        Announcement ID:        SUSE-SA:2006:063
        Date:                   Wed, 25 Oct 2006 16:00:00 +0000
        Affected Products:      Novell Linux Desktop 9
                                Novell Linux POS 9
                                Open Enterprise Server
                                SLE SDK 10
                                SUSE LINUX 10.1
                                SUSE LINUX 10.0
                                SUSE LINUX 9.3
                                SUSE LINUX 9.2
                                SuSE Linux Desktop 1.0
                                SuSE Linux Enterprise Server 8
                                SuSE Linux Openexchange Server 4
                                SUSE LINUX Retail Solution 8
                                SuSE Linux School Server
                                SuSE Linux Standard Server 8
                                SUSE SLED 10
                                SUSE SLES 10
                                SUSE SLES 9
                                UnitedLinux 1.0
        Vulnerability Type:     remote denial of service
        Severity (1-10):        6
        SUSE Default Package:   yes
        Cross-References:       CVE-2006-4811

    Content of This Advisory:
        1) Security Vulnerability Resolved:
             remote denial of service in Qt image handling
           Problem Description
        2) Solution or Work-Around
        3) Special Instructions and Notes
        4) Package Location and Checksums
        5) Pending Vulnerabilities, Solutions, and Work-Arounds:
            See SUSE Security Summary Report.
        6) Authenticity Verification and Additional Information

______________________________________________________________________________

1) Problem Description and Brief Discussion

   Multiple integer overflows have been found in image processing
   functions within the Qt class library, used for instance by the web
   browser "konqueror" and its rendering engine "khtml".

   These problems could potentially lead to heap overflows and code
   execution or just a browser crash (denial of service).

   This problem has the Mitre CVE ID CVE-2006-4811.

2) Solution or Work-Around

   There is no known workaround, please install the update packages.

3) Special Instructions and Notes

   Please close and restart all running instances of konqueror after the update.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

     rpm -Fhv 

   to apply the update, replacing  with the filename of the
   downloaded RPM package.


   x86 Platform:

   SUSE LINUX 10.1:
             e12c52bc945edd9e628d6df1e13de2d6
             abe3bbbee7a4b4af9cb58bda71936c00
             1937b5e2a6c8757cccca93ffb1408d5e

   SUSE LINUX 10.0:
             05c82cfb84d3b54d886892a4dc63e1ec
             6f63526c70fe7d73080dc2de5fa11fe3
             18d16343cf35a8bb0330bb762bbf808e

   SUSE LINUX 9.3:
             e169e5ee6b884b7998fa518defb6f20f
             014dbf4e04cd37441bf1cba412c84fef

   SUSE LINUX 9.2:
             efe3a67ba78ae5b23310798d00ee14db
             249c9c5e985b87d2f0bd2601e2c6eed6

   Power PC Platform:

   SUSE LINUX 10.1:
             9c3c01f4943dfeede555f79365d1d95d
             91dd8f28532d3367e5d6f8884df28530
             ae42fa85b6e38ba036bdbe8e77f557dd

   SUSE LINUX 10.0:
             ab54cd200e6b1486b156f2cf70156314
             833fdad7ce3b3e9bffaa3e4a65910195
             c42c042e858cc6cc435d977ae5a4c065

   x86-64 Platform:

   SUSE LINUX 10.1:
             711209a60be530a8562e54816e609a33
             7ba57673efe68da9bf0004f842315ada
             24cb3dcbb9c92943017f0e5ea401ada8
             ea46d71c833c20f18085496eace559f7
             44c17f12db82e58bbf4b457eb6b66df6

   SUSE LINUX 10.0:
             6c1ec2a6f0a109e749f7b534408b3b66
             aa0bbb971bb63d4e18a7f0e4464aa0c2
             3b3936a24b424bc7d516095a2e431d70
             0fc0adb3a0bbb3aa49b6e6985f42565f

   SUSE LINUX 9.3:
             46597f7dfa33b4420c6f09c93e89aa78
             36b4efe799155111618a9cd325f20bc6
             c237b330e43606562a4b918077257559

   SUSE LINUX 9.2:
             912f789b47bfe446185bccd0455f9455
             f87ba1142036ff3f31d7566a99d9e74a
             4abfb7a5ba2254595b04896ee34695b6

   Sources:

   SUSE LINUX 10.1:
             6330e726a2200327e311fd04ca1826f1
             57ed729399ac1296be632b7dbd3be636
             03fd50682d7fc2bbc598bdcd09f87006

   SUSE LINUX 10.0:
             be60f21b5cec25fdb0ad3ba7726a6704
             cd76c0551e1c66be5f1949621f3e88b4
             d0479a8b6ac835b72faaa233647c3501

   SUSE LINUX 9.3:
             25b4693967b6078f809ec457ac126cf2
             6d2c6d1bf4ed434cfc1438e8c49b2a06

   SUSE LINUX 9.2:
             5c828039b8775b31a61fcc550bb74020
             15bdf0fac96eabc026079fd95ee24ede

   Our maintenance customers are notified individually. The packages are
   offered for installation from the maintenance web:

   SUSE SLED 10
     http://support.novell.com/techcenter/psdb/f8c39f5569987d0d73366502b34c3a3c.html

   SUSE SLES 10
     http://support.novell.com/techcenter/psdb/f8c39f5569987d0d73366502b34c3a3c.html
     http://support.novell.com/techcenter/psdb/115cf76bac71f3f0e647b820d43ea9ed.html

   SLE SDK 10
     http://support.novell.com/techcenter/psdb/f8c39f5569987d0d73366502b34c3a3c.html
     http://support.novell.com/techcenter/psdb/115cf76bac71f3f0e647b820d43ea9ed.html

   Open Enterprise Server
     http://support.novell.com/techcenter/psdb/595ed8e88dd0e76ba4d62c4bb475e623.html

   Novell Linux POS 9
     http://support.novell.com/techcenter/psdb/595ed8e88dd0e76ba4d62c4bb475e623.html

   Novell Linux Desktop 9
     http://support.novell.com/techcenter/psdb/595ed8e88dd0e76ba4d62c4bb475e623.html

   SUSE SLES 9
     http://support.novell.com/techcenter/psdb/595ed8e88dd0e76ba4d62c4bb475e623.html

   UnitedLinux 1.0
     http://support.novell.com/techcenter/psdb/658959fe28d2fe434c2f5b9153eca1db.html

   SuSE Linux Openexchange Server 4
     http://support.novell.com/techcenter/psdb/658959fe28d2fe434c2f5b9153eca1db.html

   SuSE Linux Enterprise Server 8
     http://support.novell.com/techcenter/psdb/658959fe28d2fe434c2f5b9153eca1db.html

   SuSE Linux Standard Server 8
     http://support.novell.com/techcenter/psdb/658959fe28d2fe434c2f5b9153eca1db.html

   SuSE Linux School Server
     http://support.novell.com/techcenter/psdb/115cf76bac71f3f0e647b820d43ea9ed.html
     http://support.novell.com/techcenter/psdb/658959fe28d2fe434c2f5b9153eca1db.html

   SUSE LINUX Retail Solution 8
     http://support.novell.com/techcenter/psdb/658959fe28d2fe434c2f5b9153eca1db.html

   SuSE Linux Desktop 1.0
     http://support.novell.com/techcenter/psdb/658959fe28d2fe434c2f5b9153eca1db.html

______________________________________________________________________________

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

   See SUSE Security Summary Report.
______________________________________________________________________________

6) Authenticity Verification and Additional Information

  - Announcement authenticity verification:

    SUSE security announcements are published via mailing lists and on Web
    sites. The authenticity and integrity of a SUSE security announcement is
    guaranteed by a cryptographic signature in each announcement. All SUSE
    security announcements are published with a valid signature.

    To verify the signature of the announcement, save it as text into a file
    and run the command

      gpg --verify 

    replacing  with the name of the file where you saved the
    announcement. The output for a valid signature looks like:

      gpg: Signature made  using RSA key ID 3D25D3D9
      gpg: Good signature from "SuSE Security Team "

    where  is replaced by the date the document was signed.

    If the security team's key is not contained in your key ring, you can
    import it from the first installation CD. To import the key, use the
    command

      gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

  - Package authenticity verification:

    SUSE update packages are available on many mirror FTP servers all over the
    world. While this service is considered valuable and important to the free
    and open source software community, the authenticity and the integrity of
    a package needs to be verified to ensure that it has not been tampered
    with.

    There are two verification methods that can be used independently from
    each other to prove the authenticity of a downloaded file or RPM package:

    1) Using the internal gpg signatures of the rpm package
    2) MD5 checksums as provided in this announcement

    1) The internal rpm package signatures provide an easy way to verify the
       authenticity of an RPM package. Use the command

        rpm -v --checksig 

       to verify the signature of the package, replacing  with the
       filename of the RPM package downloaded. The package is unmodified if it
       contains a valid signature from build@suse.de with the key ID 9C800ACA.

       This key is automatically imported into the RPM database (on
       RPMv4-based distributions) and the gpg key ring of 'root' during
       installation. You can also find it on the first installation CD and at
       the end of this announcement.

    2) If you need an alternative means of verification, use the md5sum
       command to verify the authenticity of the packages. Execute the command

         md5sum 

       after you downloaded the file from a SUSE FTP server or its mirrors.
       Then compare the resulting md5sum with the one that is listed in the
       SUSE security announcement. Because the announcement containing the
       checksums is cryptographically signed (by security@suse.de), the
       checksums show proof of the authenticity of the package if the
       signature of the announcement is valid. Note that the md5 sums
       published in the SUSE Security Announcements are valid for the
       respective packages only. Newer versions of these packages cannot be
       verified.

  - SUSE runs two security mailing lists to which any interested party may
    subscribe:

    suse-security@suse.com
        -   General Linux and SUSE security discussion.
            All SUSE security announcements are sent to this list.
            To subscribe, send an e-mail to
                .

    suse-security-announce@suse.com
        -   SUSE's announce-only mailing list.
            Only SUSE's security announcements are sent to this list.
            To subscribe, send an e-mail to
                .

    For general information or the frequently asked questions (FAQ),
    send mail to  or
    .

    ====================================================================    SUSE's security contact is  or .
    The  public key is listed below.
    ====================================================================