Security update for kdebase4-runtime, kdelibs4, konversation, kwebkitpart, libqt4 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:0573-1 Final 1 1 2015-03-12T18:33:40Z current 2015-03-12T18:33:40Z 2015-03-12T18:33:40Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for kdebase4-runtime, kdelibs4, konversation, kwebkitpart, libqt4 KDE and QT were updated to fix security issues and bugs. The following vulerabilities were fixed: * CVE-2014-0190: Malformed GIF files could have crashed QT based applications * CVE-2015-0295: Malformed BMP files could have crashed QT based applications * CVE-2014-8600: Multiple cross-site scripting (XSS) vulnerabilities in the KDE runtime could have allowed remote attackers to insert arbitrary web script or HTML via crafted URIs using one of several supported URL schemes * CVE-2014-8483: A missing size check in the Blowfish ECB could have lead to a crash of Konversation or 11 byte information leak * CVE-2014-3494: The KMail POP3 kioslave accepted invalid certifiates and allowed a man-in-the-middle (MITM) attack Additionally, Konversation was updated to 1.5.1 to fix bugs. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2015-03/msg00068.html E-Mail link for openSUSE-SU-2015:0573-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings kdebase4-runtime-4.11.5-482.6 kdebase4-runtime-branding-upstream-4.11.5-482.6 kdebase4-runtime-devel-4.11.5-482.6 kdelibs4-4.11.5-488.2 kdelibs4-apidocs-4.11.5-488.3 kdelibs4-branding-upstream-4.11.5-488.2 kdelibs4-core-4.11.5-488.2 kdelibs4-doc-4.11.5-488.2 konversation-1.5.1-3.4.3 konversation-lang-1.5.1-3.4.3 kwebkitpart-1.3.3-2.4.1 kwebkitpart-lang-1.3.3-2.4.1 libkde4-4.11.5-488.2 libkde4-32bit-4.11.5-488.2 libkde4-devel-4.11.5-488.2 libkdecore4-4.11.5-488.2 libkdecore4-32bit-4.11.5-488.2 libkdecore4-devel-4.11.5-488.2 libksuseinstall-devel-4.11.5-488.2 libksuseinstall1-4.11.5-488.2 libksuseinstall1-32bit-4.11.5-488.2 libqt4-4.8.5-5.17.1 libqt4-32bit-4.8.5-5.17.1 libqt4-devel-4.8.5-5.17.1 libqt4-devel-doc-4.8.5-5.17.2 libqt4-devel-doc-data-4.8.5-5.17.2 libqt4-linguist-4.8.5-5.17.1 libqt4-private-headers-devel-4.8.5-5.17.1 libqt4-qt3support-4.8.5-5.17.1 libqt4-qt3support-32bit-4.8.5-5.17.1 libqt4-sql-4.8.5-5.17.1 libqt4-sql-32bit-4.8.5-5.17.1 libqt4-sql-mysql-4.8.5-5.17.1 libqt4-sql-mysql-32bit-4.8.5-5.17.1 libqt4-sql-plugins-4.8.5-5.17.1 libqt4-sql-postgresql-4.8.5-5.17.1 libqt4-sql-postgresql-32bit-4.8.5-5.17.1 libqt4-sql-sqlite-4.8.5-5.17.1 libqt4-sql-sqlite-32bit-4.8.5-5.17.1 libqt4-sql-unixODBC-4.8.5-5.17.1 libqt4-sql-unixODBC-32bit-4.8.5-5.17.1 libqt4-x11-4.8.5-5.17.1 libqt4-x11-32bit-4.8.5-5.17.1 plasma-theme-oxygen-4.11.5-482.6 qt4-x11-tools-4.8.5-5.17.2 The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image. CVE-2014-0190 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-03/msg00068.html https://www.suse.com/security/cve/CVE-2014-0190.html CVE-2014-0190 https://bugzilla.suse.com/875470 SUSE Bug 875470 kio/usernotificationhandler.cpp in the POP3 kioslave in kdelibs 4.10.95 before 4.13.3 does not properly generate warning notifications, which allows man-in-the-middle attackers to obtain sensitive information via an invalid certificate. CVE-2014-3494 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-03/msg00068.html https://www.suse.com/security/cve/CVE-2014-3494.html CVE-2014-3494 https://bugzilla.suse.com/883374 SUSE Bug 883374 The blowfishECB function in core/cipher.cpp in Quassel IRC 0.10.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a malformed string. CVE-2014-8483 moderate 1.2 AV:L/AC:H/Au:N/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-03/msg00068.html https://www.suse.com/security/cve/CVE-2014-8483.html CVE-2014-8483 https://bugzilla.suse.com/902670 SUSE Bug 902670 Multiple cross-site scripting (XSS) vulnerabilities in KDE-Runtime 4.14.3 and earlier, kwebkitpart 1.3.4 and earlier, and kio-extras 5.1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via a crafted URI using the (1) zip, (2) trash, (3) tar, (4) thumbnail, (5) smtps, (6) smtp, (7) smb, (8) remote, (9) recentdocuments, (10) nntps, (11) nntp, (12) network, (13) mbox, (14) ldaps, (15) ldap, (16) fonts, (17) file, (18) desktop, (19) cgi, (20) bookmarks, or (21) ar scheme, which is not properly handled in an error message. CVE-2014-8600 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-03/msg00068.html https://www.suse.com/security/cve/CVE-2014-8600.html CVE-2014-8600 https://bugzilla.suse.com/905742 SUSE Bug 905742 The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file. CVE-2015-0295 low 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-03/msg00068.html https://www.suse.com/security/cve/CVE-2015-0295.html CVE-2015-0295 https://bugzilla.suse.com/921999 SUSE Bug 921999 https://bugzilla.suse.com/927806 SUSE Bug 927806 https://bugzilla.suse.com/927807 SUSE Bug 927807 https://bugzilla.suse.com/927808 SUSE Bug 927808 https://bugzilla.suse.com/936523 SUSE Bug 936523