Red Hat, Suse patch critical KDE security hole

Red Hat and Suse have released patches for a critical security hole in their Linux distributions that stem from a vulnerability in the KDE desktop environment.

KDE is a user interface package used with several versions of Unix and Linux. The KDE hole was discovered Thursday and rated critical by both Red Hat and the French Security Incident Response Team (FrSIRT).

It affects the JavaScript engine used in various parts of KDE, including its Konqueror Web browser. The flaw could allow a remote attacker to launch an overflow attack and run arbitrary code on the user's machine, FrSIRT said.

Users could disable JavaScript in Konqueror as a workaround, but some Web sites might not display properly and installing the patches is better, said Suse, which is part of Novell.

The problem affects version 4 of Red Hat Enterprise Linux AS, ES, and WS, and also version 4 of Red Hat Desktop. Red Hat released patches for those products late last week on the Red Hat Network, it said.

The versions of Suse Linux affected are 10.0, 9.3, 9.2 and 9.1, according to a Suse advisory at http://www.novell.com/linux/security/advisories/2006_03_kdelibs3.html/

KDE also released patches for the hole, and an advisory at http://kde.org/info/security/advisory-20060119-1.txt. The flaw affects KDE 3.2.0 up to and including KDE 3.5.0, it said.

The newest version of KDE released in November, KDE 3.5, is apparently not affected. Also not affected are Red Hat Enterprise Linux 3 or 2.1, Red Hat said.

The FrSIRT advisory is at http://www.frsirt.com/english/advisories/2006/0279