Support / Security / Advisories / Mandriva Linux 2007.1 / MDKSA-2007:157

Package name: kdelibs
Date: 2007-08-10
Advisory ID: MDKSA-2007:157
Affected versions: 2007.1 i586 , 2007.1 x86_64

Problem description

The KDE HTML library (kdelibs), as used by Konqueror 3.5.5, does not
properly parse HTML comments, which allows remote attackers to conduct
cross-site scripting (XSS) attacks and bypass some XSS protection
schemes by embedding certain HTML tags within a comment in a title
tag, a related issue to CVE-2007-0478. Also affects kdelibs 3.5.6,
as per KDE official advisory.

Updated packages have been patched to prevent this.

Updated packages

2007.1 i586

 290249d063eb99aa0267060e28bd3d63  2007.1/i586/kdelibs-common-3.5.6-11.1mdv2007.1.i586.rpm
 0392bf166e2b95b8274f67e24066dc8a  2007.1/i586/kdelibs-devel-doc-3.5.6-11.1mdv2007.1.i586.rpm
 06107eb81ff8b184812f7a8ae31b52b9  2007.1/i586/libkdecore4-3.5.6-11.1mdv2007.1.i586.rpm
 ffb71260989867bcec7d7fae45b86b5a  2007.1/i586/libkdecore4-devel-3.5.6-11.1mdv2007.1.i586.rpm 
 2f2938b43f88a2a197e6cc90b35c63b8  2007.1/SRPMS/kdelibs-3.5.6-11.1mdv2007.1.src.rpm

2007.1 x86_64

 258cf38cce814a12a44c79c283de7c3d  2007.1/x86_64/kdelibs-common-3.5.6-11.1mdv2007.1.x86_64.rpm
 70b9d63ac375ba65fb6c6b526dfe80f0  2007.1/x86_64/kdelibs-devel-doc-3.5.6-11.1mdv2007.1.x86_64.rpm
 ee0681c70efd4cebb72a23b773d56f09  2007.1/x86_64/lib64kdecore4-3.5.6-11.1mdv2007.1.x86_64.rpm
 664da181e64ab3f343b265cac6de0e87  2007.1/x86_64/lib64kdecore4-devel-3.5.6-11.1mdv2007.1.x86_64.rpm 
 2f2938b43f88a2a197e6cc90b35c63b8  2007.1/SRPMS/kdelibs-3.5.6-11.1mdv2007.1.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0537