[Fedora] Multiple vulnerabilities in KVIrc - FEDORA-2010-10529


Dear colleagues,

we have just received the following Fedora Security Advisory. We pass
this information on to you unchanged.

CVE-2010-2452 - Format string vulnerability in KVIrc

The IRC client KVIrc contains a format string vulnerability, not yet
described in further detail, in the Direct Client-to-Client (DCC)
protocol. A remote attacker can use specially crafted format strings
to execute arbitrary commands with the privileges of the application.

CVE-2010-2451 - Directory traversal vulnerability in KVIrc

The IRC client KVIrc contains a directory traversal vulnerability, not
yet described in further detail, in the Direct Client-to-Client (DCC)
protocol. A remote attacker can overwrite arbitrary files with the
privileges of the program.
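
As an added defensive illustration (not part of the DFN-CERT or Fedora text, and not KVIrc's own code), the following C functions show the two checks a DCC receive path needs against the bug classes named above: validating the peer-supplied filename before building a path under the download directory, and passing peer data only as a "%s" argument, never as the format string itself. The DCC_NAME_MAX limit and the function names are assumptions.

```c
/* Added example, not KVIrc code: defensive handling of the filename a remote
 * peer supplies in a DCC SEND offer. Used verbatim in a path, ".." or a
 * leading "/" escapes the download directory (the class of CVE-2010-2451);
 * used as a printf-style format, "%n" or "%x" in it is interpreted (the
 * class of CVE-2010-2452). dcc_dest_path() guards against both. */
#include <stdio.h>
#include <string.h>

#define DCC_NAME_MAX 255   /* assumed limit, not a KVIrc constant */

/* Returns 1 if `name` is a single plain path component, otherwise 0. */
int dcc_safe_filename(const char *name)
{
    size_t len, i;
    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > DCC_NAME_MAX)
        return 0;
    if (strchr(name, '/') || strchr(name, '\\'))  /* no directory parts */
        return 0;
    if (name[0] == '.')        /* rejects ".", ".." and dotfiles (policy) */
        return 0;
    for (i = 0; i < len; i++) {                   /* no control characters */
        unsigned char c = (unsigned char)name[i];
        if (c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

/* Writes "<dir>/<name>" to `out` and returns 1; on an unsafe name or a
 * truncated result, leaves `out` empty and returns 0. The peer string is
 * always passed as a "%s" argument, never as the format itself. */
int dcc_dest_path(const char *dir, const char *name, char *out, size_t outlen)
{
    int n;
    if (out == NULL || outlen == 0)
        return 0;
    out[0] = '\0';
    if (dir == NULL || !dcc_safe_filename(name))
        return 0;
    n = snprintf(out, outlen, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return 0;
    }
    return 1;
}
```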

The following software packages and platforms are affected:

Package kvirc

Fedora 12
Fedora 13

The vendor provides updated packages.

(c) of the German summary: DFN-CERT Services GmbH; distribution, including
in part, is permitted only with reference to the author, DFN-CERT Services
GmbH, and only for non-commercial purposes.

Kind regards,
Klaus Moeller, DFN-CERT

--
Dipl. Inform. Klaus Moeller (Project Development Team)
Phone: +49 40 808077-555, Fax: +49 40 808077-556

DFN-CERT Services GmbH, https://www.dfn-cert.de/, Phone +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-10529
2010-06-29 15:12:07
--------------------------------------------------------------------------------

Name : kvirc
Product : Fedora 12
Version : 4.0.0
Release : 1.fc12
URL : http://kvirc.net/
Summary : Free portable IRC client
Description :
KVIrc is a free portable IRC client based on the excellent
Qt GUI toolkit. KVIrc is being written by Szymon Stefanek
and the KVIrc Development Team with the contribution of
many IRC-addicted developers around the world.

--------------------------------------------------------------------------------
Update Information:

KVIrc 4.0.0. Notable new features of this release include:
- Definitive and stable port to the Qt4 libraries
- Better support for server technologies: CAPS, STARTTLS, SASL, irc services...
- A new UPnP module to control and remotely map your router ports for DCC
- A totally rewritten MDI subsystem, with the look and feel of your OS
- A nice graphical addon packager
- A visual class editor for object oriented scripting
- A rewritten iograph module to check your bandwidth usage
- Support for animated avatars
- Ability to get other users' avatars/information without the need to CTCP
  the whole channel
- Support for DBus inter-process communication
- Support for the MPRIS media player control and info reporting
- Support for Phonon direct media playback
- A lot of new options to better customize your client
- A lot of new KVS commands and functions for your scripting needs
More details here:
http://www.kvirc.net/?id=news&story=2010.06.27.22.30.1.story&dir=latest
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jun 28 2010 Alexey Kurov - 4.0.0-1
- KVIrc 4.0
* Sun Apr 18 2010 Alexey Kurov - 4.0.0-0.27.rc3
- fix in help browser (r4258)
* Sat Apr 17 2010 Alexey Kurov - 4.0.0-0.26.rc3
- update to 4.0 rc3
* Fri Feb 26 2010 Alexey Kurov - 4.0.0-0.25.20100226svn4030
- svn snapshot 4030
- added -DCMAKE_SKIP_RPATH=ON to fix F13+ rpath issue
* Sun Feb 21 2010 Alexey Kurov - 4.0.0-0.24.20100221svn4000
- svn 4000 (SASL support implemented)
* Fri Feb 12 2010 Alexey Kurov - 4.0.0-0.23.20100212svn3956
- svn 3956 (should fix irc7 Excess Flood issue)
* Tue Dec 29 2009 Alexey Kurov - 4.0.0-0.21.rc2
- fix log files date format from svn 3762
* Sat Dec 19 2009 Alexey Kurov - 4.0.0-0.20.rc2
- KVIrc 4.0 release candidate 2
- added BR cryptopp-devel and -DWANT_NO_EMBEDDED_CODE=ON
- re-enabled python module -DWITHOUT_PYTHON=OFF
- added BR python-devel
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #609143 - CVE-2010-2451 CVE-2010-2452 KVIrc: Directory traversal and arbitrary code execution via specially-crafted DCC protocol messages
https://bugzilla.redhat.com/show_bug.cgi?id=609143
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update kvirc' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
