Bug 169529 - kde-base/kdelibs: Konqueror DoS Via JavaScript Read Of FTP Iframe
Summary: kde-base/kdelibs: Konqueror DoS Via JavaScript Read Of FTP Iframe
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] KDE
Hardware: All Linux
Importance: Highest critical
Assignee: MIPS Porters
URL: http://bindshell.net/advisories/konq355
Reported: 2007-03-05 22:13 UTC by Ioannis Aslanidis (RETIRED)
Modified: 2007-07-08 10:42 UTC

Description Ioannis Aslanidis (RETIRED) gentoo-dev 2007-03-05 22:13:49 UTC
Vulnerable: <=kde-base/kdelibs-3.5.5-r8 and <=kde-base/kdelibs-3.5.6-r2
Fixed: =kde-base/kdelibs-3.5.5-r9 and =kde-base/kdelibs-3.5.6-r3
Patch: files/kdelibs-3.5.5-vulnerability-20070305.diff

Excerpt from http://bindshell.net/advisories/konq355:

Konqueror DoS Via JavaScript Read Of FTP Iframe
Author: mark@bindshell.net
Published: 4th March 2007

Summary
Konqueror crashes if JavaScript code tries to read the source of a child iframe which is set to an FTP URL.

Impact
It is possible for malicious websites to crash Konqueror and possibly other applications which rely on KJS.
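
The Vulnerable/Fixed lines in the description name two patched ebuilds on two branches, so a single "older than 3.5.5-r9" threshold wrongly clears 3.5.6 through 3.5.6-r2. The following is an added example, not part of the bug report or of Portage; it handles only plain dotted versions with an optional -rN suffix, and it assumes that later revisions of a patched branch and releases newer than 3.5.6 keep the fix.

```python
import re

# Patched ebuilds named in the bug description: base version -> first fixed revision.
FIXED = {(3, 5, 5): 9, (3, 5, 6): 3}

# Accepts "3.5.5-r8" or "kde-base/kdelibs-3.5.5-r8" (optionally prefixed with "=").
_VER = re.compile(r"^(?:=?kde-base/kdelibs-)?(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse(atom):
    """Split a version string into (base version tuple, revision number)."""
    m = _VER.match(atom.strip())
    if not m:
        raise ValueError(f"unsupported version string: {atom!r}")
    base = tuple(int(p) for p in m.group(1).split("."))
    return base, int(m.group(2) or 0)  # a missing -rN means revision 0


def is_vulnerable(atom):
    """Per-branch check: compare the revision against that branch's fix."""
    base, rev = parse(atom)
    if base in FIXED:
        return rev < FIXED[base]
    # Assumption: anything newer than the newest patched branch carries the fix;
    # anything older than it, with no patched revision of its own, does not.
    return base < max(FIXED)


def naive_is_vulnerable(atom):
    """The mistake to avoid: one linear cut-off at the lowest fixed ebuild."""
    return parse(atom) < ((3, 5, 5), 9)


def audit(installed):
    """Return the entries of `installed` that still need the update."""
    return [a for a in installed if is_vulnerable(a)]


if __name__ == "__main__":
    # Constructed sample inventory, not taken from the bug report.
    hosts = ["3.5.2", "3.5.5-r8", "3.5.5-r9", "3.5.6", "3.5.6-r2", "3.5.6-r3"]
    for v in hosts:
        print(f"{v:10} vulnerable={is_vulnerable(v)} naive={naive_is_vulnerable(v)}")
```
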
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2007-03-05 22:17:24 UTC
Security team won't usually handle client-DoS, reassigning to KDE...
Comment 2 Ioannis Aslanidis (RETIRED) gentoo-dev 2007-03-05 22:52:55 UTC
Arch teams, please be so kind as to stabilize =kde-base/kdelibs-3.5.5-r9 with immediate effect.

Thank you.
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2007-03-06 10:12:55 UTC
x86 stable
Comment 4 Roeland Douma 2007-03-06 14:40:52 UTC
amd64:
Compiled fine. Running it for 1 hour now. All apps still working fine. So please mark stable on amd64.

Portage 2.1.2-r9 (default-linux/amd64/2007.0/no-multilib, gcc-4.1.1, glibc-2.5-r0, 2.6.20-gentoo x86_64)
=================================================================
System uname: 2.6.20-gentoo x86_64 AMD Turion(tm) 64 Mobile Technology MT-28
Gentoo Base System release 1.12.9
Timestamp of tree: Tue, 06 Mar 2007 03:20:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -msse3 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-march=athlon64 -msse3 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distcc distlocks metadata-transfer multilib-strict sandbox sfperms strict test"
GENTOO_MIRRORS="http://gentoo.nedlinux.nl"
LINGUAS="en nl"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage-overlay"
SYNC="rsync://192.168.2.4/gentoo-portage"
USE="X alsa amd64 apache2 bitmap-fonts bzip2 cli cracklib crypt cups cvs dvd dvdr exif fam flac gdbm gif gstreamer iconv imagemagick ipod isdnlog jpeg jpeg2k kde libg++ md5sum midi mmx mp3 mplayer ncurses nls nomotif nptl nptlonly ogg opengl oss pcre pdf perl png ppds pppd python qt readline reflection samba session spl sse sse2 ssl tcpd test tetex truetype-fonts type1-fonts unicode vorbis xine xml xml2 xorg zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en nl" USERLAND="GNU" VIDEO_CARDS="sis"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 5 Marcus D. Hanwell (RETIRED) gentoo-dev 2007-03-06 14:57:03 UTC
Just finished my testing as I saw your post Roeland. Thanks for testing, stable on amd64.
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2007-03-06 17:24:45 UTC
ppc64 stable
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2007-03-07 13:42:40 UTC
sparc stable.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2007-03-07 14:32:16 UTC
Stable for HPPA.
Comment 9 Chris Gianelloni (RETIRED) gentoo-dev 2007-03-22 15:54:41 UTC
alpha/ia64/ppc done
Comment 10 Wulf Krueger (RETIRED) gentoo-dev 2007-06-16 23:58:58 UTC
mips, ping! This is a security issue...
Comment 11 Wulf Krueger (RETIRED) gentoo-dev 2007-07-08 10:42:34 UTC
All done now.