Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 100263

Summary: kde-base/{kdegraphics|kpdf} DoS from XPDF issue
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: kde
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A4 [glsa] jaervosz
Package list:
Runtime testing required: ---
Description Flags
kpdf-3.4.1-r1.ebuild none

Description Sune Kloppenborg Jeppesen gentoo-dev 2005-07-25 11:52:50 UTC
See bug #99769.
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-07-27 06:42:13 UTC
This is fixed in 3.4.2. 
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2005-07-27 06:43:20 UTC
Created attachment 64438 [details, diff]

This one needs to be applied before the patch on the parent bug applies.
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2005-07-27 06:45:48 UTC
Created attachment 64439 [details, diff]

Official upstream patch for 3.3.1.
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2005-07-27 06:46:28 UTC
Created attachment 64440 [details, diff]

Official upstream patch for 3.4.1.
Comment 5 Carsten Lohrke (RETIRED) gentoo-dev 2005-08-02 17:06:53 UTC
Created attachment 64960 [details]
Comment 6 Carsten Lohrke (RETIRED) gentoo-dev 2005-08-02 17:07:22 UTC
Created attachment 64961 [details]
Comment 7 Carsten Lohrke (RETIRED) gentoo-dev 2005-08-02 17:07:49 UTC
Created attachment 64962 [details]
Comment 8 Carsten Lohrke (RETIRED) gentoo-dev 2005-08-02 17:09:50 UTC
KOffice is not affected this time. Any news about the common xpdf,gpdf,
announcement date?
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2005-08-02 22:17:17 UTC
Arches please test and mark stable/report back on this bug.  
Carlo no news from upstream yet and you're free to commit, patches are already 
public, though no advisories yet. 
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-08-03 00:48:35 UTC
carlo: you can doublecheck the issue is fixed using a testcase PDF you will find
on toucan at ~koon/foo.pdf. This one should grow a file in /tmp until filesystem
is full. Kill your process in time :)

For gpdf they had to adapt the patch a little and when tested using the testcase
it revealed that the patched version wasn't working better :/ So better make
sure the patch indeed works.

NB: apparently when allanonJL tested the problem in gpdf, it was triggered by
going to the second page (just opening the first page didn't trigger the problem).
Comment 11 Gustavo Zacarias (RETIRED) gentoo-dev 2005-08-03 06:20:41 UTC
CCing weeve on this one - he's better suited for kde on sparc.
Comment 12 René Nussbaumer (RETIRED) gentoo-dev 2005-08-03 08:53:30 UTC
Add gmsoft for testing. He has already kde installed.
Comment 13 Olivier Crete (RETIRED) gentoo-dev 2005-08-03 09:02:36 UTC
can carlo or other kde ppl do x86? I dont have kde.
Comment 14 Carsten Lohrke (RETIRED) gentoo-dev 2005-08-03 10:12:51 UTC
(In reply to comment #10)
> carlo: you can doublecheck the issue is fixed using a testcase PDF you will find

Did it, all fine.

(In reply to comment #9)
> Carlo no news from upstream yet and you're free to commit, patches are already 
> public, though no advisories yet. 

You'll drive me crazy with this un-/disclosed vendor-sec sh.t. ;) On the kde
packager list Dirk Mueller used the word undisclosed for this issue at least.

(In reply to comment #13)
> can carlo or other kde ppl do x86? I dont have kde.

I'd have committed the ebuilds directly, if I had known that it is o.k. this time.

<<< kpdf-3.4.1-r1.ebuild
<<< kdegraphics-3.3.2-r3.ebuild
<<< kdegraphics-3.4.1-r1.ebuild
Comment 15 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-08-03 10:18:13 UTC
Here (~amd64) I'm both able to reproduce the bug with 3.4.1, and to fix it 
with the given patch. It also works fine with 3.4.2. 
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2005-08-03 11:41:11 UTC
This is how we handle this type of bug: 
The third (and less secret) type of restricted bugs is the SEMI-PUBLIC bugs. 
Semi-public bugs should be kept secret, but patches may be committed to 
portage. This is generally when the vulnerability is not known to the general 
public but could be accessed by anyone (patch in upstream CVS for example). 
Comment 17 Jason Wever (RETIRED) gentoo-dev 2005-08-03 20:32:37 UTC
Can someone add me to bug #99769 so I can see what the problem is so I can test
to make sure the fix is working on SPARC?
Comment 18 Guy Martin (RETIRED) gentoo-dev 2005-08-04 10:19:19 UTC
Works fine on hppa. No more big file in /tmp and the second page is displayed
Comment 19 Jason Wever (RETIRED) gentoo-dev 2005-08-06 18:38:48 UTC
Looking good on SPARC, stablized kdegraphics.
Comment 20 Sune Kloppenborg Jeppesen gentoo-dev 2005-08-06 23:47:01 UTC
This will be public on Tuesday. We still need the following keywords (unless   
some arches are dropping support for 3.3.2):    
kdegraphics-3.3.2-r3: alpha amd64 hppa ia64 mips ppc ppc64   
kdegraphics-3.4.1-r1: amd64 ppc hppa  
kpdf-3.4.1-r1: amd64 ppc ppc64 sparc 
Comment 21 Bryan Østergaard (RETIRED) gentoo-dev 2005-08-07 07:19:34 UTC
Alpha + ia64 stabilized.
Comment 22 Markus Rothe (RETIRED) gentoo-dev 2005-08-07 10:10:08 UTC
marked kpdf-3.4.1-r1 and kdegraphics-3.3.2-r3 stable on ppc64.
Comment 23 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-08-07 10:23:49 UTC
Stable on amd64. 
Comment 24 Jason Wever (RETIRED) gentoo-dev 2005-08-07 16:27:19 UTC
kpdf-3.4.1-r1 now stable on SPARC.
Comment 25 Sune Kloppenborg Jeppesen gentoo-dev 2005-08-08 10:38:16 UTC
CC'ing ppc guys, please test and mark stable asap and sorry for the short 
Comment 26 Jory A. Pratt 2005-08-08 10:52:23 UTC
Stable on ppc.
Comment 27 Sune Kloppenborg Jeppesen gentoo-dev 2005-08-08 11:58:50 UTC
Only needing hppa (and mips once this go public). 
Comment 28 Guy Martin (RETIRED) gentoo-dev 2005-08-08 13:14:44 UTC
both version of kdegraphics stable on hppa. sorry for the delay
Comment 29 Thierry Carrez (RETIRED) gentoo-dev 2005-08-09 00:39:57 UTC
client-based DoS -> downgrading severity
Comment 30 Sune Kloppenborg Jeppesen gentoo-dev 2005-08-09 13:24:33 UTC
mips please mark stable. 
This is now public and ready for GLSA decision. I tend to vote NO. 
Comment 31 Thierry Carrez (RETIRED) gentoo-dev 2005-08-09 13:36:40 UTC
I tend to vote NO too. DoS by social-engineer someone to open a file in KPDF ?
Highly unlikely.
Comment 32 Thierry Carrez (RETIRED) gentoo-dev 2005-08-12 02:49:48 UTC
Or maybe we can make one once gpdf is also fixed ?
Comment 33 Sune Kloppenborg Jeppesen gentoo-dev 2005-08-12 04:08:41 UTC
Waiting for common xpdf GLSA. 
Comment 34 Sune Kloppenborg Jeppesen gentoo-dev 2005-08-15 22:27:06 UTC
GLSA ID:  200508-08 
Comment 35 Hardave Riar (RETIRED) gentoo-dev 2005-09-29 09:23:43 UTC
kdegraphics-3.3.2-r3 stable on mips.