-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: Qt
Announcement ID: SUSE-SA:2006:063
Date: Wed, 25 Oct 2006 16:00:00 +0000
Affected Products: Novell Linux Desktop 9
Novell Linux POS 9
Open Enterprise Server
SLE SDK 10
SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SuSE Linux Desktop 1.0
SuSE Linux Enterprise Server 8
SuSE Linux Openexchange Server 4
SUSE LINUX Retail Solution 8
SuSE Linux School Server
SuSE Linux Standard Server 8
SUSE SLED 10
SUSE SLES 10
SUSE SLES 9
UnitedLinux 1.0
Vulnerability Type: remote denial of service
Severity (1-10): 6
SUSE Default Package: yes
Cross-References: CVE-2006-4811
Content of This Advisory:
1) Security Vulnerability Resolved:
remote denial of service in Qt image handling
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Multiple integer overflows have been found in image processing
functions within the Qt class library, used for instance by the web
browser "konqueror" and its rendering engine "khtml".
These problems could potentially lead to heap overflows and code
execution or just a browser crash (denial of service).
This problem has the Mitre CVE ID CVE-2006-4811.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
Please close and restart all running instances of konqueror after the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv
to apply the update, replacing with the filename of the
downloaded RPM package.
x86 Platform:
SUSE LINUX 10.1:
e12c52bc945edd9e628d6df1e13de2d6
abe3bbbee7a4b4af9cb58bda71936c00
1937b5e2a6c8757cccca93ffb1408d5e
SUSE LINUX 10.0:
05c82cfb84d3b54d886892a4dc63e1ec
6f63526c70fe7d73080dc2de5fa11fe3
18d16343cf35a8bb0330bb762bbf808e
SUSE LINUX 9.3:
e169e5ee6b884b7998fa518defb6f20f
014dbf4e04cd37441bf1cba412c84fef
SUSE LINUX 9.2:
efe3a67ba78ae5b23310798d00ee14db
249c9c5e985b87d2f0bd2601e2c6eed6
Power PC Platform:
SUSE LINUX 10.1:
9c3c01f4943dfeede555f79365d1d95d
91dd8f28532d3367e5d6f8884df28530
ae42fa85b6e38ba036bdbe8e77f557dd
SUSE LINUX 10.0:
ab54cd200e6b1486b156f2cf70156314
833fdad7ce3b3e9bffaa3e4a65910195
c42c042e858cc6cc435d977ae5a4c065
x86-64 Platform:
SUSE LINUX 10.1:
711209a60be530a8562e54816e609a33
7ba57673efe68da9bf0004f842315ada
24cb3dcbb9c92943017f0e5ea401ada8
ea46d71c833c20f18085496eace559f7
44c17f12db82e58bbf4b457eb6b66df6
SUSE LINUX 10.0:
6c1ec2a6f0a109e749f7b534408b3b66
aa0bbb971bb63d4e18a7f0e4464aa0c2
3b3936a24b424bc7d516095a2e431d70
0fc0adb3a0bbb3aa49b6e6985f42565f
SUSE LINUX 9.3:
46597f7dfa33b4420c6f09c93e89aa78
36b4efe799155111618a9cd325f20bc6
c237b330e43606562a4b918077257559
SUSE LINUX 9.2:
912f789b47bfe446185bccd0455f9455
f87ba1142036ff3f31d7566a99d9e74a
4abfb7a5ba2254595b04896ee34695b6
Sources:
SUSE LINUX 10.1:
6330e726a2200327e311fd04ca1826f1
57ed729399ac1296be632b7dbd3be636
03fd50682d7fc2bbc598bdcd09f87006
SUSE LINUX 10.0:
be60f21b5cec25fdb0ad3ba7726a6704
cd76c0551e1c66be5f1949621f3e88b4
d0479a8b6ac835b72faaa233647c3501
SUSE LINUX 9.3:
25b4693967b6078f809ec457ac126cf2
6d2c6d1bf4ed434cfc1438e8c49b2a06
SUSE LINUX 9.2:
5c828039b8775b31a61fcc550bb74020
15bdf0fac96eabc026079fd95ee24ede
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SUSE SLED 10
http://support.novell.com/techcenter/psdb/f8c39f5569987d0d73366502b34c3a3c.html
SUSE SLES 10
http://support.novell.com/techcenter/psdb/f8c39f5569987d0d73366502b34c3a3c.html
http://support.novell.com/techcenter/psdb/115cf76bac71f3f0e647b820d43ea9ed.html
SLE SDK 10
http://support.novell.com/techcenter/psdb/f8c39f5569987d0d73366502b34c3a3c.html
http://support.novell.com/techcenter/psdb/115cf76bac71f3f0e647b820d43ea9ed.html
Open Enterprise Server
http://support.novell.com/techcenter/psdb/595ed8e88dd0e76ba4d62c4bb475e623.html
Novell Linux POS 9
http://support.novell.com/techcenter/psdb/595ed8e88dd0e76ba4d62c4bb475e623.html
Novell Linux Desktop 9
http://support.novell.com/techcenter/psdb/595ed8e88dd0e76ba4d62c4bb475e623.html
SUSE SLES 9
http://support.novell.com/techcenter/psdb/595ed8e88dd0e76ba4d62c4bb475e623.html
UnitedLinux 1.0
http://support.novell.com/techcenter/psdb/658959fe28d2fe434c2f5b9153eca1db.html
SuSE Linux Openexchange Server 4
http://support.novell.com/techcenter/psdb/658959fe28d2fe434c2f5b9153eca1db.html
SuSE Linux Enterprise Server 8
http://support.novell.com/techcenter/psdb/658959fe28d2fe434c2f5b9153eca1db.html
SuSE Linux Standard Server 8
http://support.novell.com/techcenter/psdb/658959fe28d2fe434c2f5b9153eca1db.html
SuSE Linux School Server
http://support.novell.com/techcenter/psdb/115cf76bac71f3f0e647b820d43ea9ed.html
http://support.novell.com/techcenter/psdb/658959fe28d2fe434c2f5b9153eca1db.html
SUSE LINUX Retail Solution 8
http://support.novell.com/techcenter/psdb/658959fe28d2fe434c2f5b9153eca1db.html
SuSE Linux Desktop 1.0
http://support.novell.com/techcenter/psdb/658959fe28d2fe434c2f5b9153eca1db.html
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify
replacing with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team "
where is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig
to verify the signature of the package, replacing with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security@suse.de), the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security@suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
.
suse-security-announce@suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
.
For general information or the frequently asked questions (FAQ),
send mail to or
.
==================================================================== SUSE's security contact is or .
The public key is listed below.
====================================================================