Bug 290470 (CVE-2009-3603)

Summary: KDE Xpdf Multiple Integer Overflow Vulnerabilities (CVE-2009-{3603,3604,3606,3608,3609})
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: alecm_88, esigra, gengor, Martin.vGagern
Priority: High Keywords: PMASKED
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.ocert.org/advisories/ocert-2009-016.html
Whiteboard: B2 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 290430    
Attachments:
Description Flags
kword-xpdf-overflows.patch none

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-25 16:24:30 UTC
+++ This bug was initially created as a clone of Bug #290430 +++

CVE-2009-3603 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3603):
  Integer overflow in the SplashBitmap::SplashBitmap function in Xpdf
  3.x before 3.02pl4 and Poppler before 0.12.1 might allow remote
  attackers to execute arbitrary code via a crafted PDF document that
  triggers a heap-based buffer overflow.  NOTE: some of these details
  are obtained from third party information.  NOTE: this issue
  reportedly exists because of an incomplete fix for CVE-2009-1188.

CVE-2009-3604 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3604):
  The Splash::drawImage function in Splash.cc in Xpdf 2.x and 3.x
  before 3.02pl4, and Poppler 0.x, as used in GPdf and kdegraphics
  KPDF, does not properly allocate memory, which allows remote
  attackers to cause a denial of service (application crash) or
  possibly execute arbitrary code via a crafted PDF document that
  triggers a NULL pointer dereference or a heap-based buffer overflow.

CVE-2009-3606 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3606):
  Integer overflow in the PSOutputDev::doImageL1Sep function in Xpdf
  before 3.02pl4, and Poppler 0.x, as used in kdegraphics KPDF, might
  allow remote attackers to execute arbitrary code via a crafted PDF
  document that triggers a heap-based buffer overflow.

CVE-2009-3608 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3608):
  Integer overflow in the ObjectStream::ObjectStream function in
  XRef.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used
  in GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow
  remote attackers to execute arbitrary code via a crafted PDF document
  that triggers a heap-based buffer overflow.

CVE-2009-3609 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3609):
  Integer overflow in the ImageStream::ImageStream function in
  Stream.cc in Xpdf before 3.02pl4 and Poppler before 0.12.1, as used
  in GPdf, kdegraphics KPDF, and CUPS pdftops, allows remote attackers
  to cause a denial of service (application crash) via a crafted PDF
  document that triggers a NULL pointer dereference or buffer over-read.
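All five entries above are one bug class: a width, height or object count taken from an attacker-controlled PDF is multiplied into an allocation size in plain `int` arithmetic, the product wraps, and the buffer that is handed out is far smaller than the data later written into it. The following is an added illustration of that pattern and of the overflow-checked computation that closes it; it is not code from xpdf, Poppler or KPDF, and the function names (`naive_bitmap_bytes`, `checked_bitmap_bytes`, `alloc_bitmap`) and the 1 GiB policy cap are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Naive size computation of the kind the CVE descriptions above refer to.
 * Width, height and bytes-per-pixel come from the PDF; the product is
 * computed in 32 bits and silently wraps (uint32_t is used here so the
 * wrap is well defined and reproducible; signed int wrap would be UB).
 * Illustrative only, not xpdf's code. */
static uint32_t naive_bitmap_bytes(uint32_t width, uint32_t height,
                                   uint32_t bytes_per_pixel) {
    uint32_t row_size = width * bytes_per_pixel;   /* may wrap */
    return row_size * height;                      /* may wrap to a tiny value */
}

/* Hardened computation: every operand is validated and every
 * multiplication is checked before it is performed. `limit` is a policy
 * cap (an assumed value, e.g. 1 GiB) so that absurd but non-overflowing
 * sizes are also refused. Returns 0 on success and stores the size in
 * *out; returns -1 on any invalid operand, overflow or cap violation. */
static int checked_bitmap_bytes(int width, int height, int bytes_per_pixel,
                                size_t limit, size_t *out) {
    if (width <= 0 || height <= 0 || bytes_per_pixel <= 0 || out == NULL)
        return -1;
    size_t w = (size_t)width, h = (size_t)height, bpp = (size_t)bytes_per_pixel;
    if (w > SIZE_MAX / bpp)          /* w * bpp would overflow size_t */
        return -1;
    size_t row = w * bpp;
    if (row > SIZE_MAX / h)          /* row * h would overflow size_t */
        return -1;
    size_t total = row * h;
    if (total > limit)               /* within range but over policy */
        return -1;
    *out = total;
    return 0;
}

/* Allocation wrapper that only ever calls malloc with a size that passed
 * checked_bitmap_bytes; a NULL return tells the caller to reject the file. */
static unsigned char *alloc_bitmap(int width, int height, int bytes_per_pixel) {
    size_t n;
    if (checked_bitmap_bytes(width, height, bytes_per_pixel,
                             (size_t)1 << 30, &n) != 0)
        return NULL;
    return malloc(n);
}

int main(void) {
    /* Constructed dimensions: 65536 x 65536 x 1 byte is exactly 2^32 bytes. */
    printf("naive size for 65536x65536x1: %u bytes\n",
           (unsigned)naive_bitmap_bytes(65536, 65536, 1));   /* wraps to 0 */

    unsigned char *p = alloc_bitmap(65536, 65536, 1);
    printf("checked allocation: %s\n", p ? "accepted" : "rejected");
    free(p);

    p = alloc_bitmap(1024, 768, 4);                            /* 3 MiB */
    printf("checked allocation for 1024x768x4: %s\n", p ? "accepted" : "rejected");
    free(p);
    return 0;
}
```

The naive version returns 0 for a 65536 x 65536 bitmap, so `malloc(0)` succeeds and the first pixel row written is already out of bounds; the checked version refuses the same input before any memory is touched. The same `SIZE_MAX / divisor` test applies to object-stream counts and image-stream row sizes, the other two call sites named in the CVE text.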
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-25 16:25:59 UTC
KDE, patches or mask/removal?
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2009-10-25 17:12:52 UTC
(In reply to comment #1)
> KDE, patches or mask/removal?
> 

masked
Comment 3 Alec Meyers 2009-10-25 18:43:51 UTC
Sorry if I'm missing something, but all of the vulnerabilities seem to be with poppler versions before 0.12.1, and poppler-qt3-0.12.1 exists... Shouldn't KPDF be OK with the latest poppler version?
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-25 18:46:41 UTC
(In reply to comment #3)
> Shouldn't KPDF be OK with the latest poppler version?

No. The code is bundled.
Comment 5 Alec Meyers 2009-10-25 19:09:26 UTC
(In reply to comment #4)
> > Shouldn't KPDF be OK with the latest poppler version?
>
> No. The code is bundled.

You mean the poppler code is inside of KPDF and it doesn't use the external 
libraries?

Sorry for bothering you, it's just that I actually use KPDF :(
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-25 19:23:42 UTC
(In reply to comment #5)
> You mean the poppler code is inside of KPDF and it doesn't use the external 
> libraries?

Technically it's xpdf, but yes.

> Sorry for bothering you, it's just that I actually use KPDF :(
> 

Sounds like it's time to migrate. If you have any further questions, please email us rather than posting on the bug.
Comment 7 Manfred Knick 2009-10-25 22:51:30 UTC
(In reply to comment #6)

> Sounds like it's time to migrate.

. . . to ? Your recommendation ?
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-25 23:08:08 UTC
(In reply to comment #7)
> (In reply to comment #6)
> 
> > Sounds like it's time to migrate.
> 
> . . . to ? Your recommendation ?
> 

Any other actively developed PDF viewer that you like.

Guys, this bug is intended for package removal and GLSA tracking purposes only, any other discussion does not belong here. Please use the Gentoo Forums or any other means of communication. Thank you.


GLSA together with bug 263028.
Comment 9 Richard Freeman gentoo-dev 2009-10-26 14:30:59 UTC
(In reply to comment #7)
> (In reply to comment #6)
> 
> > Sounds like it's time to migrate.
> 
> . . . to ? Your recommendation ?
> 

Looks like okular is the official KDE replacement for KPDF.  

Might not hurt to note that in the package mask comment - most stable users only started using kde4 a week ago and if we're going to retire what used to be a heavily-used kde3 app it doesn't hurt to inform users what the official replacement is (from upstream's perspective).  Of course, users can still use whatever they'd like.  Most people who have kpdf installed already would have okular installed as well.
Comment 10 Alec Meyers 2009-10-26 16:47:41 UTC
For people who still need a KDE 3.5 series PDF viewer, KGhostView is still available.

(Sorry about posting here again, but since people are still asking for alternatives and this is the URL they're given in the masking message, maybe now less people will ask :)
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-29 20:21:54 UTC
Updated affected packages list:
 
 * kde-base/kpdf         (all CVE entries as listed in comment #0)
 * app-office/kword:3.5  (CVE-2009-3606 and CVE-2009-3609)
 * app-office/koffice    (CVE-2009-3606 and CVE-2009-3609)

kword:2 which is currently in testing is not affected. koffice does not have a newer version available for stabling.
KDE, please advise on how to proceed with these two.
Comment 12 Tomáš Chvátal (RETIRED) gentoo-dev 2009-10-29 20:24:35 UTC
(In reply to comment #11)
> Updated affected packages list:
> 
>  * kde-base/kpdf         (all CVE entries as listed in comment #0)
>  * app-office/kword:3.5  (CVE-2009-3606 and CVE-2009-3609)
>  * app-office/koffice    (CVE-2009-3606 and CVE-2009-3609)
> 
> kword:2 which is currently in testing is not affected. koffice does not have a
> newer version available for stabling.
> KDE, please advise on how to proceed with these two.
> 

koffice can die, kword sadly can't, the kword-2.0 alternative is not fully usable yet :/
Comment 13 Jonathan Callen (RETIRED) gentoo-dev 2009-10-29 20:31:59 UTC
(In reply to comment #11)
> Updated affected packages list:
> 
>  * kde-base/kpdf         (all CVE entries as listed in comment #0)
>  * app-office/kword:3.5  (CVE-2009-3606 and CVE-2009-3609)
>  * app-office/koffice    (CVE-2009-3606 and CVE-2009-3609)
> 
> kword:2 which is currently in testing is not affected. koffice does not have a
> newer version available for stabling.
> KDE, please advise on how to proceed with these two.
> 

app-office/koffice has already been masked for removal
Comment 14 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-05 14:22:31 UTC
Created attachment 209335 [details, diff]
kword-xpdf-overflows.patch

This patch should cover all relevant issues for kword. Please test it before applying.
Comment 15 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-05 14:23:23 UTC
KDE, please see above comment (bugmail not sent..)
Comment 16 Martin von Gagern 2009-11-12 12:00:49 UTC
Should be fixed in kde-base/kpdf-3.5.10-r2 in the kde-sunset overlay. I applied the pl4 patch from xpdf to the kpdf sources. Looks like the changes up to pl3 were included already, although not always exactly in the same way.

http://git.overlays.gentoo.org/gitweb/?p=proj/kde-sunset.git;a=blob;f=kde-base/kpdf/files/kpdf-3.5.10-xpdf-3.02pl4.patch
Comment 17 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-12 21:23:04 UTC
kword, xpdf dead. Old vulnerability. Closing noglsa.