Linux vendors have warned of a serious security flaw affecting the KDE desktop environment, one of the two main graphical user interfaces used on Linux and Unix operating systems.

The bug, the worst to hit KDE in nearly a year, affects kjs, a Javascript interpreter used by the Konqueror Web browser and other parts of KDE, KDE developers said in an advisory. An incorrect bounds check in the interpreter allows a heap based buffer overflow when decoding maliciously crafted URI sequences encoded with UTF-8.

An attacker could supply Javascript code that will crash programs using kjs, such as Konqueror, and execute malicious code, potentially gaining complete control of the system, developers said. Versions 3.2.0 to 3.5.0 of kjs are affected.

Security vendor Secunia, which maintains a vulnerabilities database, said the flaw was "highly critical".

KDE released a source code patch at the end of last week, and Linux vendors have followed on with binary patches. Fixes are available directly from Ubuntu, Red Hat, Debian, Suse, Red Hat's Fedora project, Gentoo and others.

Last April, KDE patched a serious imaging-related flaw in the handling of PCX images, which affected Konqueror and other KDE imaging applications. A month later, however, the project had to release a second patch for the same problem, saying that the original patch still allowed some attacks.

KDE is one of the two main desktop environments for Linux and Unix, along with Gnome.