KDE Security Advisory: kpdf/kword/xpdf denial of service vulnerability
Original Release Date: 2007-01-15
URL: http://www.kde.org/info/security/advisory-20070115-1.txt

0. References
        CVE-2007-0104

1. Systems affected:
        KDE 3.2.0 up to including KDE 3.5.5. KDE 3.5.6 and newer is not affected. KOffice 1.2 and newer contain the same code.

2. Overview:
        kpdf, the KDE pdf viewer, shares code with xpdf. xpdf contains a vulnerability that can cause denial of service (infinite loop) via a PDF file that contains a crafted catalog dictionary or a crafted Pages attribute that references an invalid page tree node.

3. Impact:
        Remotely supplied pdf files can be used to disrupt the kpdf viewer on the client machine.

4. Solution:
        Source code patches have been made available which fix these vulnerabilities. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages.

5. Patch:
        Patch for KOffice 1.2.1 and newer is available from ftp://ftp.kde.org/pub/kde/security_patches :
        dc28881c39f11c040f8c942e4af238d1  koffce-xpdf-CVE-2007-0104.diff

        Patch for KDE 3.3.2 and newer is available from ftp://ftp.kde.org/pub/kde/security_patches :
        a690ce46117257609c2b43485ea4d0d7  post-3.5.5-kdegraphics-CVE-2007-0104.diff

        Patch for KDE 3.2.3 and newer is available from ftp://ftp.kde.org/pub/kde/security_patches :
        c2d4c2aa3aa990e2dba00f782a140a1b  post-3.2.3-kdegraphics-CVE-2007-0104.diff

Note: our kpdf/kdegraphics is *not* vulnerable, as we use Kubuntu's Poppler patch. And it's fixed in kword-1.5.2-r1, kword-1.6.1-r1, koffice-1.5.2-r2 and koffice-1.6.1-r1.
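The advisory's overview describes an infinite loop triggered by a Pages attribute that references an invalid page tree node. As an added example (not the KDE/xpdf patch and not code from this thread), the following traversal over a constructed object table rejects cycles, out-of-range references and non-page nodes instead of looping; `Node`, `countPages` and the sample tables are names assumed for illustration.

```cpp
#include <cstddef>
#include <vector>

// Constructed model of a PDF object table: vector index = object number.
struct Node {
    enum Type { Page, Pages, Other } type;
    std::vector<int> kids;  // object numbers listed in /Kids (Pages nodes only)
};

// Depth-first walk of the page tree; returns false on any malformed structure.
static bool walk(const std::vector<Node>& objs, int ref,
                 std::vector<bool>& seen, int& pages) {
    // Reject references that point outside the object table.
    if (ref < 0 || static_cast<std::size_t>(ref) >= objs.size()) return false;
    // A node reached twice means a cycle or a shared subtree: not a tree.
    if (seen[ref]) return false;
    seen[ref] = true;
    const Node& n = objs[ref];
    if (n.type == Node::Page) { ++pages; return true; }
    if (n.type != Node::Pages) return false;  // invalid page tree node
    for (int kid : n.kids)
        if (!walk(objs, kid, seen, pages)) return false;
    return true;
}

// Returns the number of leaf pages, or -1 if the page tree is malformed.
int countPages(const std::vector<Node>& objs, int rootRef) {
    std::vector<bool> seen(objs.size(), false);
    int pages = 0;
    return walk(objs, rootRef, seen, pages) ? pages : -1;
}

// Constructed sample: root (object 1) -> page 2, and Pages 3 -> page 4.
std::vector<Node> sampleValid() {
    return { {Node::Other, {}}, {Node::Pages, {2, 3}}, {Node::Page, {}},
             {Node::Pages, {4}}, {Node::Page, {}} };
}

// Constructed sample: object 3 lists the root (object 1) as its kid.
std::vector<Node> sampleCyclic() {
    return { {Node::Other, {}}, {Node::Pages, {2, 3}}, {Node::Page, {}},
             {Node::Pages, {1}} };
}
```

Because every object is visited at most once, the walk finishes after at most as many steps as there are objects, whatever the file's /Kids arrays contain.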
client DoS, I tend to say we don't care
Most advisories (Securityfocus[1], CVE[2], x-force[3], original advisory[4]) mention the possible execution of arbitrary code (buffer overflows, ...). And xpdf seems affected too. Ccing printing.

[1] http://xforce.iss.net/xforce/xfdb/31364
[2] http://xforce.iss.net/xforce/xfdb/31364
[3] http://xforce.iss.net/xforce/xfdb/31364
[4] http://projects.info-pull.com/moab/MOAB-06-01-2007.html
ping printing
If you want, kdegraphics and kpdf can be handled by stabling the latest releases for 3.5.5: they both are patched to fix this issue, as they don't use poppler anymore.
kpdf in KDE before 3.5.5 is also affected
(In reply to comment #5)
> kpdf in KDE before 3.5.5 is also affected
>

Our kpdf-3.5.5 uses the vulnerable poppler. Since we have no response from printing team about a poppler upgrade, we have to fix our KDE ports.

Arches, please test and mark stable if appropriate, thanks.
kpdf-3.5.5-r1
kword-1.5.2-r1
koffice-1.5.2-r2
And kdegraphics-3.5.5-r2.
poppler patch committed, sorry for being late and feel free to patch such things when I am irregularly looking at my mail.
(In reply to comment #8)
> poppler patch committed, sorry for being late and feel free to patch such
> things when I am irregularly looking at my mail.
>

Good, thanks. Arches, please also test and stabilize poppler-0.5.4-r1.

KDE stabilizations are not a priority: if a KDE stabilization fails, the poppler stabilization will be sufficient from the security point of view.

ARM, HPPA, MIPS and S390, you're only concerned by poppler, not by KDE.

A fixed xpdf is still missing but I bet it's only a question of time.
xpdf won't need to be changed since it calls poppler.
(In reply to comment #6)
> Arches, please test and mark stable if appropriate, thanks.
> koffice-1.5.2-r2

We have bug 166246 which requests stabilisation for KOffice 1.6.* series.
poppler and kpdf stable on x86, adding koffice 1.6.1-r1 stabilisation bug as dependency
(In reply to comment #11)
>
> We have bug 166246 which requests stabilisation for KOffice 1.6.* series.
>

Thanks, I hope that fixes the pdf vulnerability; in that case, stabilizing koffice-1.6 is sufficient for koffice.
KOffice monolithic and meta stable, kdegraphics stable, so removing x86
app-text/poppler, app-office/koffice and kde-base/kdegraphics stable for HPPA.
sparc stable: poppler-0.5.4-r1, kpdf-3.5.5-r1, kdegraphics-3.5.5-r2, kword-1.5.2-r1, koffice-1.5.2-r2. Gotta check some issues with koffice-1.6.1 before it can go stable.
koffice-1.6.1 and friends are all stable on amd64, as are kpdf, kdegraphics and poppler as specified in the previous comments. Removing amd64.
these are stable on ppc64 now:
app-text/poppler-0.5.4-r1
kde-base/kpdf-3.5.5-r1
kde-base/kdegraphics-3.5.5-r2
dev-lang/swig-1.3.31
media-libs/lcms-1.15
app-office/koffice-1.6.1-r1
app-office/koffice-data-1.6.1
app-office/koffice-libs-1.6.1
app-office/kexi-1.6.1
app-office/kchart-1.6.1
app-office/kplato-1.6.1
app-office/kivio-1.6.1
app-office/kformula-1.6.1
app-office/kugar-1.6.1
app-office/krita-1.6.1
app-office/kpresenter-1.6.1
app-office/karbon-1.6.1
app-office/kspread-1.6.1
app-office/kword-1.6.1-r1
app-office/koshell-1.6.1
app-office/koffice-meta-1.6.1
IA64 done.
ppc stable
Alpha done.
oops, late. GLSA or no? CVE says "unknown impact" -> I tend to vote "no"
if execution of arbitrary code is confirmed, I tend to vote yes.
(In reply to comment #23)
> if execution of arbitrary code is confirmed, i tend to vote yes.
>

AFAICT it's not

Security please comment
I tend to vote NO GLSA. At least the KDE advisory says infinite loop only.
closing then, feel free to reopen if you disagree