This erratum provides updated KDE packages to resolve two security issues.
KDE is a graphical desktop environment for the X Window System.

KDE fails in multiple places to properly quote URLs and file names before passing them to a command shell. This could allow remote attackers to execute arbitrary commands via carefully crafted URLs, file names, or email addresses (CAN-2002-1393).

KDE versions up to and including KDE 3.1.1 have a vulnerability caused by Ghostscript's -dSAFER option not being used when previewing in Konqueror. An attacker can prepare a malicious PostScript or PDF file which provides the attacker with access to the victim's account and privileges when the victim opens this malicious file for viewing, or when the victim browses a directory containing such a malicious file and has file previews enabled.

Red Hat Linux 9 provides KDE version 3.1 and is not vulnerable to the first issue (CAN-2002-1393). This erratum provides updated packages with a backported fix for the malicious PostScript and PDF issue.

Red Hat Linux 7.3 and 8.0 currently provide KDE version 3.0.3 and are vulnerable to both of these issues. This erratum provides KDE 3.0.5a packages with patches to correct these issues.

Red Hat Linux 7.2 shipped with KDE 2.2.2, and Red Hat Linux 7.1 shipped with KDE 2.1.1. These versions are vulnerable to both of the issues. This erratum provides packages which contain backported patches to correct the issues.
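The two defects described above (a file name spliced unquoted into a shell command, and a preview run without -dSAFER) are illustrated below in an added example that is not part of the erratum or of KDE's code. The Ghostscript command line, the constructed file name and the helper names are assumptions; the tokenizer is static analysis only and executes nothing.

```python
import os
import shlex
from typing import List

# Constructed sample file name (not from the advisory): it carries a shell
# metacharacter so an unquoted interpolation turns it into two commands.
# "echo" is a harmless marker standing in for whatever the shell would run.
HOSTILE_NAME = "report.ps; echo INJECTED"

# Assumed Ghostscript invocation used to render a preview image.
GS_BASE = ["gs", "-q", "-dNOPAUSE", "-dBATCH",
           "-sDEVICE=png16m", "-sOutputFile=preview.png"]

def vulnerable_preview_command(path: str) -> str:
    """The pattern behind the first issue: the file name is spliced into a string
    handed to /bin/sh, so its metacharacters become shell syntax. Ghostscript is
    also run without -dSAFER, which is the second issue."""
    return " ".join(GS_BASE) + " " + path

def quoted_preview_command(path: str) -> str:
    """Mitigation when a shell cannot be avoided: shlex.quote() makes the name a
    single shell word, and -dSAFER restricts PostScript file and exec operators."""
    return " ".join(GS_BASE + ["-dSAFER"]) + " " + shlex.quote(path)

def hardened_preview_argv(path: str) -> List[str]:
    """Preferred form: an argv list passed directly to execve()/subprocess.run()
    so no shell ever parses it. abspath() keeps a name beginning with '-' from
    being read by Ghostscript as an option."""
    return GS_BASE + ["-dSAFER", os.path.abspath(path)]

def shell_commands(cmd: str) -> List[List[str]]:
    """Split a command line the way /bin/sh would and return one argv per command.
    Static analysis only: it shows what each form hands to the shell."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    commands: List[List[str]] = [[]]
    for token in lexer:
        if token in (";", "&&", "||", "|", "&"):
            commands.append([])
        else:
            commands[-1].append(token)
    return [c for c in commands if c]

if __name__ == "__main__":
    print(shell_commands(vulnerable_preview_command(HOSTILE_NAME)))  # two commands
    print(shell_commands(quoted_preview_command(HOSTILE_NAME)))      # one command
    print(hardened_preview_argv(HOSTILE_NAME))                       # one argument
```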