Bug 162460 - app-office/(kword|koffice), kde-base/kpdf, app-text/(xpdf|poppler): CVE-2007-0104 xpdf code vulnerability
Bug#: 162460
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: flameeyes@gentoo.org
Component: Vulnerabilities
URL: http://kde.org/info/security/advisory-20070115-1.txt
Summary: app-office/(kword|koffice), kde-base/kpdf, app-text/(xpdf|poppler): CVE-2007-0104 xpdf code vulnerability
Keywords:
Status Whiteboard: B3 [noglsa] Falco
Opened: 2007-01-17 01:18 0000
KDE Security Advisory: kpdf/kword/xpdf denial of service vulnerability
Original Release Date: 2007-01-15
URL: http://www.kde.org/info/security/advisory-20070115-1.txt
0. References
CVE-2007-0104
1. Systems affected:
KDE 3.2.0 up to and including KDE 3.5.5. KDE 3.5.6 and newer is
not affected. KOffice 1.2 and newer contain the same code.
2. Overview:
kpdf, the KDE pdf viewer, shares code with xpdf. xpdf contains
a vulnerability that can cause denial of service (infinite loop)
via a PDF file that contains a crafted catalog dictionary
or a crafted Pages attribute that references an invalid page
tree node.
3. Impact:
Remotely supplied pdf files can be used to disrupt the kpdf
viewer on the client machine.
4. Solution:
Source code patches have been made available which fix these
vulnerabilities. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.
5. Patch:
Patch for KOffice 1.2.1 and newer is available from
ftp://ftp.kde.org/pub/kde/security_patches :
dc28881c39f11c040f8c942e4af238d1 koffce-xpdf-CVE-2007-0104.diff
Patch for KDE 3.3.2 and newer is available from
ftp://ftp.kde.org/pub/kde/security_patches :
a690ce46117257609c2b43485ea4d0d7 post-3.5.5-kdegraphics-CVE-2007-0104.diff
Patch for KDE 3.2.3 and newer is available from
ftp://ftp.kde.org/pub/kde/security_patches :
c2d4c2aa3aa990e2dba00f782a140a1b post-3.2.3-kdegraphics-CVE-2007-0104.diff
Note: our kpdf/kdegraphics is *not* vulnerable, as we use Kubuntu's Poppler
patch.
And it's fixed in kword-1.5.2-r1, kword-1.6.1-r1, koffice-1.5.2-r2 and
koffice-1.6.1-r1.
Client DoS, I tend to say we don't care
If you want, kdegraphics and kpdf can be handled by stabling the latest
releases for 3.5.5: they both are patched to fix this issue, as they don't use
poppler anymore.
kpdf in KDE before 3.5.5 is also affected
(In reply to comment #5)
> kpdf in KDE before 3.5.5 is also affected
>
Our kpdf-3.5.5 uses the vulnerable poppler.
Since we have no response from printing team about a poppler upgrade, we have
to fix our KDE ports.
Arches, please test and mark stable if appropriate, thanks.
kpdf-3.5.5-r1
kword-1.5.2-r1
koffice-1.5.2-r2
And kdegraphics-3.5.5-r2.
poppler patch committed, sorry for being late and feel free to patch such
things when I am irregularly looking at my mail.
(In reply to comment #8)
> poppler patch committed, sorry for being late and feel free to patch such
> things when I am irregularly looking at my mail.
>
Good, thanks.
Arches, please also test and stabilize poppler-0.5.4-r1. KDE stabilizations
are not a priority: if a KDE stabilization fails, the poppler stabilization
will be sufficient from the security point of view.
ARM, HPPA, MIPS and S390, you're only concerned by poppler, not by KDE.
A fixed xpdf is still missing but I bet it's only a question of time.
xpdf won't need to be changed since it calls poppler.
(In reply to comment #6)
> Arches, please test and mark stable if appropriate, thanks.
> koffice-1.5.2-r2
We have bug 166246 which requests stabilisation for KOffice 1.6.* series.
poppler and kpdf stable on x86, adding koffice 1.6.1-r1 stabilisation bug as
dependency
(In reply to comment #11)
>
> We have bug 166246 which requests stabilisation for KOffice 1.6.* series.
>
Thanks,
I hope that fixes the PDF vulnerability; in that case, stabilizing koffice-1.6 is
sufficient for koffice
KOffice monolithic and meta stable, kdegraphics stable, so removing x86
app-text/poppler, app-office/koffice and kde-base/kdegraphics stable for HPPA.
sparc stable: poppler-0.5.4-r1, kpdf-3.5.5-r1, kdegraphics-3.5.5-r2,
kword-1.5.2-r1, koffice-1.5.2-r2.
Gotta check some issues with koffice-1.6.1 before it can go stable.
koffice-1.6.1 and friends are all stable on amd64, as are kpdf, kdegraphics and
poppler as specified in the previous comments. Removing amd64.
these are stable on ppc64 now:
app-text/poppler-0.5.4-r1
kde-base/kpdf-3.5.5-r1
kde-base/kdegraphics-3.5.5-r2
dev-lang/swig-1.3.31
media-libs/lcms-1.15
app-office/koffice-1.6.1-r1
app-office/koffice-data-1.6.1
app-office/koffice-libs-1.6.1
app-office/kexi-1.6.1
app-office/kchart-1.6.1
app-office/kplato-1.6.1
app-office/kivio-1.6.1
app-office/kformula-1.6.1
app-office/kugar-1.6.1
app-office/krita-1.6.1
app-office/kpresenter-1.6.1
app-office/karbon-1.6.1
app-office/kspread-1.6.1
app-office/kword-1.6.1-r1
app-office/koshell-1.6.1
app-office/koffice-meta-1.6.1
oops, late. GLSA or no?
CVE says "unknown impact" -> I tend to vote "no"
If execution of arbitrary code is confirmed, I tend to vote yes.
(In reply to comment #23)
> If execution of arbitrary code is confirmed, I tend to vote yes.
>
AFAICT it's not
Security please comment
I tend to vote NO GLSA. At least the KDE advisory says infinite loop only.
closing then, feel free to reopen if you disagree