KDE Security Advisory: JPEG-EXIF File Information DoS vulnerability
Original Release Date: 2006-11-XX
URL: http://www.kde.org/info/security/advisory-200611XX-1.txt

0. References

        CVE-2006-FIXME

1. Systems affected:

        kdegraphics as shipped with KDE 3.1.0 up to and including 3.5.5.

2. Overview:

        The JPEG kfile-info plugin, which is used in all KDE applications
        for showing image metainformation (for example the image size or
        EXIF embedded information), is vulnerable to an endless recursion
        EXIF parsing bug. This particular issue was reported by Marcus
        Meissner from SUSE security.

3. Impact:

        On a regular Linux system, this can cause the process that
        launched the plugin to crash. If ulimits have been removed, it
        can cause the machine to run out of memory.

4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.

5. Patch:

        A patch for KDE 3.1.0 - KDE 3.5.5 is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        1ce5fb77aff8f97ed21da046c1385000  post-3.5.5-kdegraphics.diff
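An added illustration, not part of the advisory, the KDE patch or any comment on this bug: a bounds-checked EXIF directory walker that refuses to recurse without limit. The advisory does not say what drives the recursion; the example assumes the usual cause, a sub-IFD pointer that leads back to a directory already being parsed. The limits `MAX_IFD_DEPTH` and `MAX_ENTRIES`, the function names and both sample buffers are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_IFD_DEPTH 4       /* assumed cap; real EXIF nests only a few levels */
#define MAX_ENTRIES   1024    /* assumed total work budget across all IFDs */
#define TAG_EXIF_IFD  0x8769  /* standard tag: offset of the Exif sub-IFD */
#define TAG_INTEROP   0xA005  /* standard tag: offset of the Interoperability IFD */

static uint16_t rd16(const uint8_t *p, int be) {
    return be ? (uint16_t)(p[0] << 8 | p[1]) : (uint16_t)(p[1] << 8 | p[0]);
}
static uint32_t rd32(const uint8_t *p, int be) {
    return be ? (uint32_t)rd16(p, 1) << 16 | rd16(p + 2, 1)
              : (uint32_t)rd16(p + 2, 0) << 16 | rd16(p, 0);
}

/* Count entries in the IFD at `off` and its sub-IFDs; -1 = reject the file. */
static int walk_ifd(const uint8_t *buf, size_t len, uint32_t off, int be,
                    int depth, int *budget) {
    if (depth > MAX_IFD_DEPTH) return -1;            /* stops pointer loops */
    if (off > len || len - off < 2) return -1;       /* count field in bounds */
    uint16_t n = rd16(buf + off, be);
    if ((len - off - 2) / 12 < n) return -1;         /* all 12-byte entries in bounds */
    int total = n;
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + off + 2 + 12u * i;
        if (--*budget < 0) return -1;                /* stops wide fan-out */
        uint16_t tag = rd16(e, be);
        if (tag != TAG_EXIF_IFD && tag != TAG_INTEROP) continue;
        int sub = walk_ifd(buf, len, rd32(e + 8, be), be, depth + 1, budget);
        if (sub < 0) return -1;
        total += sub;
    }
    return total;
}

/* Entry point: buf holds the TIFF structure that follows "Exif\0\0" in APP1. */
int exif_count_entries(const uint8_t *buf, size_t len) {
    if (len < 8) return -1;
    int be = (buf[0] == 'M' && buf[1] == 'M');
    if (!be && !(buf[0] == 'I' && buf[1] == 'I')) return -1;
    if (rd16(buf + 2, be) != 42) return -1;
    int budget = MAX_ENTRIES;
    return walk_ifd(buf, len, rd32(buf + 4, be), be, 0, &budget);
}

/* Constructed samples: a sub-IFD pointer that targets its own IFD, and a sane file. */
const uint8_t exif_loop[26] = { 'I','I',42,0, 8,0,0,0, 1,0, 0x69,0x87, 4,0, 1,0,0,0, 8,0,0,0 };
const uint8_t exif_ok[56] = { 'I','I',42,0, 8,0,0,0, 2,0, 0,1, 3,0, 1,0,0,0, 64,0,0,0,
    0x69,0x87, 4,0, 1,0,0,0, 38,0,0,0, 0,0,0,0, 1,0, 0x02,0xA0, 4,0, 1,0,0,0, 64,0,0,0 };
```

The depth cap alone bounds a single pointer chain; the entry budget is there because a directory with many self-referencing entries would otherwise still multiply the work at each level.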
Created attachment 102561 [details, diff] post-3.5.5-kdegraphics.diff
Created attachment 102565 [details] kdegraphics-kfile-plugins-3.5.5-r1.ebuild
Created attachment 102566 [details] kdegraphics-3.5.5-r1.ebuild
security liaisons, please test the ebuilds and report here if they can be marked stable, do not commit anything yet

target keywords
kdegraphics: "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86"
kdegraphics-kfile-plugins: "alpha amd64 ia64 ppc ppc64 sparc x86 ~x86-fbsd"
I'm getting consistent "The process for the file protocol died unexpectedly" on kde startup with 3.5.5-r1. Any hints on how to debug this?
this looks good on ppc64. I'm not getting the message from comment #5.
Sorry for the delay. This one is public now. Please commit a fixed ebuild.
Ebuilds in tree, enjoy.
Thx Diego. Arches please test and mark stable. Target keywords are: kdegraphics-kfile-plugins-3.5.5-r1.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc x86 ~x86-fbsd"
x86 done
ppc64 stable
Stable on Alpha + ia64.
kdegraphics and kdegraphics-kfile-plugins 3.5.5-r1 ppc stable. Looks like kdegraphics has been forgotten ...
Thx for the pointer Tobias. Adding back arches to mark kdegraphics-3.5.5-r1 stable.
stable on hppa.
kdegraphics-3.5.5-r1 stable on Alpha + ia64.
Stable on x86
AMD64 (or rather Intel64 ;)) done.
SPARC stable
theoretically we have to vote on this and I would vote for a GLSA, because kde is so common and it's so easy to trigger... (nearly A3 IMHO in fact)
yes++
Another YES vote.
GLSA 200701-05