KDE Security Advisory: kjs encodeuri/decodeuri heap overflow vulnerability Original Release Date: 2006-01-19 URL: http://www.kde.org/info/security/advisory-20060119-1.txt 0. References CVE-2006-0019 1. Systems affected: KDE 3.2.0 up to including KDE 3.5.0 2. Overview: Maksim Orlovich discovered an incorrect bounds check in kjs, the JavaScript interpreter engine used by Konqueror and other parts of KDE, that allows a heap based buffer overflow when decoding specially crafted UTF-8 encoded URI sequences. 3. Impact: Remotely supplied Javascript code can perform a heap overflow and crash the web browser or execute arbitrary code. 4. Solution: Source code patches have been made available which fix these vulnerabilities. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages. 5. Patch: Patch for KDE 3.4.0 - 3.5.0 is available from ftp://ftp.kde.org/pub/kde/security_patches : ecc0ec13ce3b06e94e35aa8e937e02bf post-3.4.3-kdelibs-kjs.diff Patch for KDE 3.2.0 - 3.3.2 is available from ftp://ftp.kde.org/pub/kde/security_patches : 9bca9b44ca2d84e3b2f85ffb5d30e047 post-3.2.3-kdelibs-kjs.diff
Attachment:
pgpfTn6i3nhOx.pgp
Description: PGP signature