162460 2007-01-17 01:18 0000 app-office/(kword|koffice), kde-base/kpdf, app-text/(xpdf|poppler): CVE-2007-0104 xpdf code vulnerability 2007-04-13 19:04:20 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://kde.org/info/security/advisory-20070115-1.txt B3 [noglsa] Falco P2 normal --- 166246 134924 1 flameeyes@gentoo.org security@gentoo.org kde@gentoo.org mips@gentoo.org printing@gentoo.org flameeyes@gentoo.org 2007-01-17 01:18:53 0000 KDE Security Advisory: kpdf/kword/xpdf denial of service vulnerability Original Release Date: 2007-01-15 URL: http://www.kde.org/info/security/advisory-20070115-1.txt 0. References CVE-2007-0104 1. Systems affected: KDE 3.2.0 up to including KDE 3.5.5. KDE 3.5.6 and newer is not affected. KOffice 1.2 and newer contain the same code. 2. Overview: kpdf, the KDE pdf viewer, shares code with xpdf. xpdf contains a vulnerability that can cause denial of service (infinite loop) via a PDF file that contains a crafted catalog dictionary or a crafted Pages attribute that references an invalid page tree node. 3. Impact: Remotely supplied pdf files can be used to disrupt the kpdf viewer on the client machine. 4. Solution: Source code patches have been made available which fix these vulnerabilities. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages. 5. Patch: Patch for KOffice 1.2.1 and newer is available from ftp://ftp.kde.org/pub/kde/security_patches : dc28881c39f11c040f8c942e4af238d1 koffce-xpdf-CVE-2007-0104.diff Patch for KDE 3.3.2 and newer is available from ftp://ftp.kde.org/pub/kde/security_patches : a690ce46117257609c2b43485ea4d0d7 post-3.5.5-kdegraphics-CVE-2007-0104.diff Patch for KDE 3.2.3 and newer is available from ftp://ftp.kde.org/pub/kde/security_patches : c2d4c2aa3aa990e2dba00f782a140a1b post-3.2.3-kdegraphics-CVE-2007-0104.diff Note: our kpdf/kdegraphics is *not* vulnerable, as we use Kubuntu's Poppler patch. And it's fixed in kword-1.5.2-r1, kword-1.6.1-r1, koffice-1.5.2-r2 and koffice-1.6.1-r1. dercorny@gentoo.org 2007-01-17 08:44:37 0000 client DoS, i tend to say we dont care falco@gentoo.org 2007-01-22 11:21:53 0000 Most advisories (Securityfocus[1], CVE[2], x-force[3], original advisory[4]) mention the possible execution of arbitrary code (buffer overflows, ...). And xpdf seems affected too. Ccing printing. [1] http://xforce.iss.net/xforce/xfdb/31364 [2] http://xforce.iss.net/xforce/xfdb/31364 [3] http://xforce.iss.net/xforce/xfdb/31364 [4] http://projects.info-pull.com/moab/MOAB-06-01-2007.html falco@gentoo.org 2007-02-10 19:24:34 0000 ping printing flameeyes@gentoo.org 2007-02-10 19:50:33 0000 If you want, kdegraphics and kpdf can be handled by stabling the latest releases for 3.5.5: they both are patched to fix this issue, as they don't use poppler anymore. falco@gentoo.org 2007-02-10 20:04:24 0000 kpdf in KDE before 3.5.5 is also affected falco@gentoo.org 2007-02-10 20:15:33 0000 (In reply to comment #5) > kpdf in KDE before 3.5.5 is also affected > Our kpdf-3.5.5 uses the vulnerable poppler. Since we have no response from printing team about a poppler upgrade, we have to fix our KDE ports. Arches, please test and mark stable if appropriate, thanks. kpdf-3.5.5-r1 kword-1.5.2-r1 koffice-1.5.2-r2 flameeyes@gentoo.org 2007-02-10 20:16:46 0000 And kdegraphics-3.5.5-r2. genstef@gentoo.org 2007-02-10 20:32:32 0000 poppler patch committed, sorry for being late and feel free to patch such things when I am irregularly looking at my mail. falco@gentoo.org 2007-02-10 21:06:27 0000 (In reply to comment #8) > poppler patch committed, sorry for being late and feel free to patch such > things when I am irregularly looking at my mail. > Good, thanks. Arches, please also test and stabilize poppler-0.5.4-r1 . KDE stabilizations are not a priority: if a KDE stabilization fails, the poppler stabilization will be sufficient from the security point of view. ARM, HPPA, MIPS and S390, you're only concerned by poppler, not by KDE. A fixed xpdf is still missing but i bet it's only a question of time. falco@gentoo.org 2007-02-10 21:31:46 0000 xpdf won't need to be changed since it calls poppler. fauli@gentoo.org 2007-02-11 00:19:12 0000 (In reply to comment #6) > Arches, please test and mark stable if appropriate, thanks. > koffice-1.5.2-r2 We have bug 166246 which requests stabilisation for KOffice 1.6.* series. fauli@gentoo.org 2007-02-11 09:41:43 0000 poppler and kpdf stable on x86, adding koffice 1.6.1-r1 stabilisation bug as dependency falco@gentoo.org 2007-02-11 11:09:32 0000 (In reply to comment #11) > > We have bug 166246 which requests stabilisation for KOffice 1.6.* series. > Thanks, I hope that fix the pdf vulnerability, in such case stabilizing koffice-1.6 is sufficient for koffice fauli@gentoo.org 2007-02-11 22:00:12 0000 KOffice monolithic and meta stable, kdegraphics stable, so removing x86 jer@gentoo.org 2007-02-12 04:15:38 0000 app-text/poppler, app-office/koffice and kde-base/kdegraphics stable for HPPA. gustavoz@gentoo.org 2007-02-12 14:08:10 0000 sparc stable: poppler-0.5.4-r1, kpdf-3.5.5-r1, kdegraphics-3.5.5-r2, kword-1.5.2-r1, koffice-1.5.2-r2. Gotta check some issues with koffice-1.6.1 before it can go stable. cryos@gentoo.org 2007-02-13 01:03:49 0000 koffice-1.6.1 and friends are all stable on amd64, as are kpdf, kdegraphics and poppler as specified in the previous comments. Removing amd64. corsair@gentoo.org 2007-02-13 10:00:04 0000 these are stable on ppc64 now: app-text/poppler-0.5.4-r1 kde-base/kpdf-3.5.5-r1 kde-base/kdegraphics-3.5.5-r2 dev-lang/swig-1.3.31 media-libs/lcms-1.15 app-office/koffice-1.6.1-r1 app-office/koffice-data-1.6.1 app-office/koffice-libs-1.6.1 app-office/kexi-1.6.1 app-office/kchart-1.6.1 app-office/kplato-1.6.1 app-office/kivio-1.6.1 app-office/kformula-1.6.1 app-office/kugar-1.6.1 app-office/krita-1.6.1 app-office/kpresenter-1.6.1 app-office/karbon-1.6.1 app-office/kspread-1.6.1 app-office/kword-1.6.1-r1 app-office/koshell-1.6.1 app-office/koffice-meta-1.6.1 kloeri@gentoo.org 2007-02-14 12:21:37 0000 IA64 done. dertobi123@gentoo.org 2007-02-14 19:06:44 0000 ppc stable kloeri@gentoo.org 2007-02-15 11:03:37 0000 Alpha done. falco@gentoo.org 2007-03-09 22:20:32 0000 oops, late. GLSA or no? CVE says "unknown impact" -> i tend to vote "no" py@gentoo.org 2007-03-12 09:46:49 0000 if execution of arbitrary code is confirmed, i tend to vote yes. falco@gentoo.org 2007-03-13 23:04:47 0000 (In reply to comment #23) > if execution of arbitrary code is confirmed, i tend to vote yes. > AFAICT it's not Security please comment jaervosz@gentoo.org 2007-03-14 07:48:52 0000 I tend to vote NO GLSA. At least the KDE advisory says infinite loop only. falco@gentoo.org 2007-03-15 21:27:00 0000 closing then, feel free to reopen if you disagree