Bug#: 68558
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: fbusse@gmx.de

Description:   Opened: 2004-10-22 08:57 0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


KDE Security Advisory: kpdf integer overflows
Original Release Date: 2004-10-21
URL: http://www.kde.org/info/security/advisory-20041021-1.txt

0. References

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0888
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0889
        CESA-2004-002 - rev 1
        CESA-2004-007 - rev 1


1. Systems affected:

        All KDE 3.2.x releases, KDE 3.3.0 and KDE 3.3.1.


2. Overview:

        Chris Evans notified the KDE security team about multiple
        integer overflow and integer arithmetic flaws in xpdf 3.0.

        These flaws, if exploited, can cause xpdf (and therefore kpdf)
        to hang using 100% CPU, crash the viewer or corrupt the
        program heap. It might be possible to execute arbitrary code.
        The Common Vulnerabilities and Exposures project assigned
        CAN-2004-0889 to this issue.

        kpdf, the KDE pdf viewer, shares code with xpdf 2.02. This
        code is significantly different from the xpdf 3.0 codebase,
        but is also affected by similar issues. Sebastian Krahmer
        from the SUSE security team developed a patch that corrects
        integer overflows in the XRef code. This patch is made
        available below for kpdf as shipped in the KDE 3.2.x
        releases. The Common Vulnerabilities and Exposures project
        assigned CAN-2004-0888 to this issue.

        KDE 3.3.1 contains a kpdf based on xpdf 3.0. We're providing
        a patch to fix the remaining integer overflows in this code
        base.


3. Impact:

        Remotely supplied pdf files can be used to execute arbitrary
        code on the client machine.


4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.


5. Patch:

        Patch for KDE 3.2.3 is available from 
        ftp://ftp.kde.org/pub/kde/security_patches :

        4f854adb507f4d04e997702e44ffc2ea  post-3.2.3-kdegraphics.diff

        Patch for KDE 3.3.1 is available from 
        ftp://ftp.kde.org/pub/kde/security_patches :

        651fba579516ea947fbefee373f40a6c  post-3.3.1-kdegraphics.diff


6. Time line and credits:

        01/09/2004 KDE Security Team alerted by Chris Evans
        08/09/2004 Chris Evans finds similar issues in the xpdf 2.02 
                   codebase which is used by all released kpdf versions.
        24/09/2004 Patch to fix the found issues in xpdf 2.02 developed
                   by Sebastian Krahmer of SUSE security.
        12/10/2004 KDE 3.3.1 release upgrading kpdf to xpdf 3.0 codebase
        21/10/2004 Public disclosure


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBeNjuvsXr+iuy1UoRAgXEAKCyqD9e6Il8jViYG8//uFHb/JU/fwCgh7LA
dz8kOMiHCZ0acisGJwLJSwc=
=zbH6
-----END PGP SIGNATURE-----
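
The class of flaw the advisory describes, shown as an added example that is not part of the advisory or of the xpdf/kpdf sources: an entry count taken from an untrusted file is multiplied by an entry size, the product wraps, and the table is allocated far too small. The `xref_entry` layout, the function names and the `max_entries` cap are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical 8-byte table entry; not the real xpdf/kpdf XRefEntry. */
typedef struct { uint32_t offset; uint32_t gen_and_flags; } xref_entry;
_Static_assert(sizeof(xref_entry) == 8, "example assumes 8-byte entries");

/* Flawed pattern, modelled in 32-bit unsigned arithmetic so the wrap is
 * well defined: the byte count is computed modulo 2^32. */
uint32_t alloc_size_unchecked(uint32_t count) {
    return count * (uint32_t)sizeof(xref_entry);
}

/* Checked pattern: reject counts above a sanity cap or whose byte size
 * cannot be represented. Returns 0 and sets *bytes on success, -1 otherwise. */
int alloc_size_checked(uint32_t count, uint32_t max_entries, size_t *bytes) {
    if (count == 0 || count > max_entries)
        return -1;
    if (count > SIZE_MAX / sizeof(xref_entry))
        return -1;
    *bytes = (size_t)count * sizeof(xref_entry);
    return 0;
}

/* Allocate a zeroed table, or NULL if the count from the file is rejected. */
xref_entry *xref_alloc(uint32_t count, uint32_t max_entries) {
    size_t bytes;
    if (alloc_size_checked(count, max_entries, &bytes) != 0)
        return NULL;
    return calloc(1, bytes);
}

int main(void) {
    uint32_t claimed = 0x20000001u;   /* constructed count: 2^29 + 1 entries */
    uint32_t cap = 1u << 20;          /* assumed sanity limit for this example */
    printf("unchecked size for %u entries: %u bytes\n",
           (unsigned)claimed, (unsigned)alloc_size_unchecked(claimed));
    xref_entry *t = xref_alloc(claimed, cap);
    printf("checked allocation: %s\n", t ? "accepted" : "rejected");
    free(t);
    t = xref_alloc(1000, cap);
    printf("1000 entries: %s\n", t ? "accepted" : "rejected");
    free(t);
    return 0;
}
```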

------- Comment #1 From Matthias Geerdsen 2004-10-22 09:26:27 0000 -------
kde, pls verify and update ebuild

------- Comment #2 From Simone Gotti (RETIRED) 2004-10-22 17:11:28 0000 -------
I've tested both the patches with the split-up kpdf ebuilds (to speed up
compilation) and they compile and work well.

kpdf-3.3.0 using patch post-3.2.3-kdegraphics.diff
kpdf-3.3.1 using patch post-3.3.1-kdegraphics.diff

------- Comment #3 From Matthias Geerdsen 2004-10-23 05:21:43 0000 -------
KDE team, 
since 3.3.0 is the latest stable ebuild and 3.3.1 the newest version, those should be patched. Additionally a patched stable version for alpha is needed too, which would probably mean to patch 3.2.3 and get it stable on alpha.

------- Comment #4 From Carsten Lohrke 2004-10-23 17:51:34 0000 -------
<<< kdegraphics-3.3.1-r1.ebuild
<<< kdegraphics-3.2.3-r1.ebuild
<<< kdegraphics-3.3.0-r1.ebuild

arch herds, please keyword

I couldn't test 3.2.3, but I thought it's better to let someone with KDE 3.2.x (and a faster box) find out if it breaks.

------- Comment #5 From Bryan Østergaard (RETIRED) 2004-10-24 05:39:31 0000 -------
Stable on alpha.

------- Comment #6 From Matthias Geerdsen 2004-10-24 12:42:34 0000 -------
BTW, why does kdegraphics depend on xpdf if kpdf comes with it already?

------- Comment #7 From Simone Gotti (RETIRED) 2004-10-24 13:58:36 0000 -------
You're right, I'm quite sure that there's no need for it. I didn't notice it
before.

------- Comment #8 From Jason Wever (RETIRED) 2004-10-24 15:52:20 0000 -------
Stable on sparc.

------- Comment #9 From Jochen Maes (RETIRED) 2004-10-25 06:37:35 0000 -------
stable on ppc

------- Comment #10 From Thierry Carrez (RETIRED) 2004-10-27 02:52:12 0000 -------
SeJo: current CVS checkout shows :

kdegraphics-3.2.3-r1.ebuild:KEYWORDS="x86 ~ppc sparc alpha ~hppa ~amd64 ~ia64"
kdegraphics-3.3.0-r1.ebuild:KEYWORDS="x86 ~amd64 ~ppc64 sparc ~ppc ~hppa"
kdegraphics-3.3.1-r1.ebuild:KEYWORDS="~x86 ~amd64 ~ppc64 ~sparc ~ppc ~hppa"

So apparently ppc did not mark any unaffected ebuild stable. Given your stable profile you need to mark both 3.2.3-r1 and 3.3.0-r1 stable (as 3.2.3 and 3.3.0 are affected and ppc-stable).

------- Comment #11 From Jochen Maes (RETIRED) 2004-10-27 05:00:18 0000 -------
i'm sorry i must have made a mistake, 

they are tested and marked stable. 

------- Comment #12 From Danny van Dyk (RETIRED) 2004-10-27 15:11:04 0000 -------
stable on amd64!

------- Comment #13 From Thierry Carrez (RETIRED) 2004-10-28 00:36:31 0000 -------
GLSA 200410-30
hppa, ia64, ppc64: please mark stable to benefit from GLSA.

------- Comment #14 From Tom Gall 2004-11-23 10:41:34 0000 -------
kdegraphics-3.3.0-r2.ebuild is already keyworded.

Removing,  thanks!
