Summary: | KDE Xpdf Multiple Integer Overflow Vulnerabilities (CVE-2009-{3603,3604,3606,3608,3609}) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | alecm_88, esigra, gengor, Martin.vGagern
Priority: | High | Keywords: | PMASKED
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://www.ocert.org/advisories/ocert-2009-016.html | |
Whiteboard: | B2 [noglsa] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | | |
Bug Blocks: | 290430 | |
Attachments: | | |

Description
Alex Legler (RETIRED)
2009-10-25 16:24:30 UTC
KDE, patches or mask/removal?

(In reply to comment #1)
> KDE, patches or mask/removal?
>

masked

Sorry if I'm missing something, but all of the vulnerabilities seem to be with poppler versions before 0.12.1, and poppler-qt3-0.12.1 exists... Shouldn't KPDF be OK with the latest poppler version?

(In reply to comment #3)
> Shouldn't KPDF be OK with the latest poppler version?

No. The code is bundled.

(In reply to comment #4)
> > Shouldn't KPDF be OK with the latest poppler version?
>
> No. The code is bundled.

You mean the poppler code is inside of KPDF and it doesn't use the external libraries?

Sorry for bothering you, it's just that I actually use KPDF :(

(In reply to comment #5)
> You mean the poppler code is inside of KPDF and it doesn't use the external
> libraries?

Technically it's xpdf, but yes.

> Sorry for bothering you, it's just that I actually use KPDF :(
>

Sounds like it's time to migrate.

If you have any further questions, please email us rather than posting on the bug.

(In reply to comment #6)
> Sounds like it's time to migrate.

. . . to ? Your recommendation ?

(In reply to comment #7)
> (In reply to comment #6)
>
> > Sounds like it's time to migrate.
>
> . . . to ? Your recommendation ?
>

Any other actively developed PDF viewer that you like.

Guys, this bug is intended for package removal and GLSA tracking purposes only, any other discussion does not belong here. Please use the Gentoo Forums or any other means of communication. Thank you.

GLSA together with bug 263028.

(In reply to comment #7)
> (In reply to comment #6)
>
> > Sounds like it's time to migrate.
>
> . . . to ? Your recommendation ?
>

Looks like okular is the official KDE replacement for KPDF. Might not hurt to note that in the package mask comment - most stable users only started using kde4 a week ago and if we're going to retire what used to be a heavily-used kde3 app it doesn't hurt to inform users what the official replacement is (from upstream's perspective).

Of course, users can still use whatever they'd like.

Most people who have kpdf installed already would have okular installed as well. For people who still need a KDE 3.5 series PDF viewer, KGhostView is still available.

(Sorry about posting here again, but since people are still asking for alternatives and this is the URL they're given in the masking message, maybe now less people will ask :)

Updated affected packages list:

* kde-base/kpdf (all CVE entries as listed in comment #0)
* app-office/kword:3.5 (CVE-2009-3606 and CVE-2009-3609)
* app-office/koffice (CVE-2009-3606 and CVE-2009-3609)

kword:2 which is currently in testing is not affected. koffice does not have a newer version available for stabling.
KDE, please advise on how to proceed with these two.

(In reply to comment #11)
> Updated affected packages list:
>
> * kde-base/kpdf (all CVE entries as listed in comment #0)
> * app-office/kword:3.5 (CVE-2009-3606 and CVE-2009-3609)
> * app-office/koffice (CVE-2009-3606 and CVE-2009-3609)
>
> kword:2 which is currently in testing is not affected. koffice does not have a
> newer version available for stabling.
> KDE, please advise on how to proceed with these two.
>

koffice can die, kword sadly can't, the kword-2.0 alternative is not fully usable yet :/

(In reply to comment #11)
> Updated affected packages list:
>
> * kde-base/kpdf (all CVE entries as listed in comment #0)
> * app-office/kword:3.5 (CVE-2009-3606 and CVE-2009-3609)
> * app-office/koffice (CVE-2009-3606 and CVE-2009-3609)
>
> kword:2 which is currently in testing is not affected. koffice does not have a
> newer version available for stabling.
> KDE, please advise on how to proceed with these two.
>

app-office/koffice has already been masked for removal

Created attachment 209335
kword-xpdf-overflows.patch
This patch should cover all relevant issues for kword. Please test it before applying.

KDE, please see above comment (bugmail not sent..)

Should be fixed in kde-base/kpdf-3.5.10-r2 in the kde-sunset overlay. I applied the pl4 patch from xpdf to the kpdf sources. Looks like the changes up to pl3 were included already, although not always exactly in the same way.
http://git.overlays.gentoo.org/gitweb/?p=proj/kde-sunset.git;a=blob;f=kde-base/kpdf/files/kpdf-3.5.10-xpdf-3.02pl4.patch

kword, xpdf dead. Old vulnerability. Closing noglsa.