Date: Tue, 12 Oct 1999 11:58:49 -0400 (EDT)
From: Duncan Haldane <duncan@kde.org>
Subject: Correction to your 10/07/99 security bug report for kvt
To: lwn@lwn.net

Hi

I manage the packaging of KDE at ftp.kde.org for the "rh5x" series of KDE rpm packages for Red Hat 5.x systems (in which KDE is not officially supported by Red Hat; they only support KDE on RH6.x).

In your 10/09/99 Security section you reported on a kvt buffer overflow vulnerability, and further noted that kvt was dropped from KDE.

These reports are inaccurate for the current KDE-1.1.2 stable release.

(1) kvt (v1.1.1.1) IS included in the official KDE 1.1.2 release. It is planned to drop it in future KDE-2.x releases, though.

It is in our "rh5x" rpms for RedHat 5.1/5.2 (kdebase-1.1.2-1rh5x.i386.rpm, as provided in ftp://ftp.kde.org/pub/kde/stable/1.1.2/distribution/rpm/RedHat/RedHat-5.2/i386/ ).

I also verified that it IS included in the "Official-RH-6.x" rpms from Red Hat for Red Hat 6.0/6.1 (kdebase-1.1.2-11.i386.rpm, as provided in ftp://ftp.kde.org/pub/kde/stable/1.1.2/distribution/rpm/RedHat/Official-RH-6.x/i386/ ).

(2) kvt had a number of security fixes between the KDE-1.1.1 and KDE-1.1.2 releases. The bug mentioned on Bugtraq is in the kvt-0.18.7 version released with KDE-1.1.1, but is fixed in the kvt-1.1.1.1 version released with KDE-1.1.2. I have checked this, and had it confirmed by at least one of the people discussing this bug at bugtraq (<pioppo@ferrara.linux.it>).

So, people using kvt (v1.1.1.1) from KDE-1.1.2 do not have to worry about this reported kvt vulnerability. It is present in kvt-0.18.7 in the original KDE-1.1.1 release, but was fixed in subsequent security updates to that release, if the various distributions provided these updates.

Summary:

Correction to LWN security report of a buffer overflow in kvt (LWN 10/09/99): kvt is in fact included in the KDE-1.1.2 release, but the reported buffer overflow was fixed in the kvt v.1.1.1.1 included in that release.

If you are using kvt-0.18.7, or earlier, from a previous release, you should either:
(a) remove that kvt,
(b) apply a security update appropriate for your distribution, or
(c) upgrade to KDE-1.1.2.

Sincerely

Duncan Haldane <duncan@kde.org>
(KDE Packager Team)

----------------------------------
E-Mail: Duncan Haldane <f.d.m.haldane@mciworld.com>
Date: 12-Oct-99
Time: 10:58:05

This message was sent by XFMail
----------------------------------