Bug 155949 - kde-base/kdegraphics-kfile-plugins JPEG-EXIF File Information DoS vulnerability (CVE-2006-6297)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.kde.org/info/security/advi...
Whiteboard: B3 [glsa] jaervosz
Reported: 2006-11-22 08:11 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2019-12-30 12:24 UTC

Attachments
post-3.5.5-kdegraphics.diff (5.20 KB, patch), 2006-11-22 11:47 UTC, Sune Kloppenborg Jeppesen (RETIRED)
kdegraphics-kfile-plugins-3.5.5-r1.ebuild (889 bytes, text/plain), 2006-11-22 12:19 UTC, Diego Elio Pettenò (RETIRED)
kdegraphics-3.5.5-r1.ebuild (2.24 KB, text/plain), 2006-11-22 12:21 UTC, Diego Elio Pettenò (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-22 08:11:14 UTC
KDE Security Advisory: JPEG-EXIF File Information DoS vulnerability
Original Release Date: 2006-11-XX
URL: http://www.kde.org/info/security/advisory-200611XX-1.txt

0. References

        CVE-2006-FIXME


1. Systems affected:

	kdegraphics as shipped with KDE 3.1.0 up to and including 3.5.5.

2. Overview:

	The JPEG kfile-info plugin, which is used in all KDE applications
	for showing image metainformation (for example the image size
	or EXIF embedded information) is vulnerable to an endless recursion
	EXIF parsing bug.  This particular issue was reported by Marcus
	Meissner from SUSE security.

3. Impact:

	On a regular Linux system, this can cause the process that launched
	the plugin to crash. If ulimits have been removed, it can cause the
	machine to run out of memory.

4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.


5. Patch:

        A patch for KDE 3.1.0 - KDE 3.5.5 is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

	1ce5fb77aff8f97ed21da046c1385000  post-3.5.5-kdegraphics.diff
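
Added example, not part of the bug report or of the KDE patch: a minimal EXIF/TIFF directory walker that bounds nesting depth so that a directory pointer loop ends in an error instead of unbounded recursion. The advisory does not give the mechanism, so the self-referencing Exif sub-IFD pointer, the names `walk_ifd` and `parse_exif`, and the limit `MAX_IFD_DEPTH` are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define TAG_EXIF_IFD  0x8769u /* TIFF tag whose value is the Exif sub-IFD offset */
#define MAX_IFD_DEPTH 4       /* assumed nesting bound, chosen for this example */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Walk one IFD and its Exif sub-IFD; returns entries seen, or -1 if malformed. */
static int walk_ifd(const uint8_t *buf, size_t len, uint32_t off, int depth)
{
    if (depth > MAX_IFD_DEPTH) return -1;          /* stops pointer loops */
    if (off > len || len - off < 2) return -1;     /* entry count must be in bounds */
    uint16_t n = rd16(buf + off);
    if ((len - off - 2) / 12 < n) return -1;       /* all 12-byte entries in bounds */
    int total = 0;
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + off + 2 + 12u * i;
        total++;
        if (rd16(e) == TAG_EXIF_IFD) {
            int sub = walk_ifd(buf, len, rd32(e + 8), depth + 1);
            if (sub < 0) return -1;
            total += sub;
        }
    }
    return total;
}

/* Parse a little-endian TIFF/EXIF block (the payload after "Exif\0\0"). */
int parse_exif(const uint8_t *buf, size_t len)
{
    if (len < 8 || buf[0] != 'I' || buf[1] != 'I' || rd16(buf + 2) != 42) return -1;
    return walk_ifd(buf, len, rd32(buf + 4), 0);
}

/* Constructed sample: IFD0 at offset 8 whose Exif pointer refers back to offset 8. */
static const uint8_t LOOPING[] = { 'I','I',0x2A,0, 8,0,0,0,  1,0,
    0x69,0x87, 4,0, 1,0,0,0, 8,0,0,0,  0,0,0,0 };
/* Constructed sample: IFD0 points to a sub-IFD at offset 26 with one plain entry. */
static const uint8_t BENIGN[] = { 'I','I',0x2A,0, 8,0,0,0,  1,0,
    0x69,0x87, 4,0, 1,0,0,0, 26,0,0,0,  0,0,0,0,  1,0,
    0x02,0xA0, 4,0, 1,0,0,0, 0x80,0x02,0,0,  0,0,0,0 };

int main(void)
{
    printf("looping=%d benign=%d\n", parse_exif(LOOPING, sizeof LOOPING), parse_exif(BENIGN, sizeof BENIGN));
    return 0;
}
```

Without the depth check, the looping sample would recurse until the stack limit is hit, which matches the crash described under Impact.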
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-22 11:47:31 UTC
Created attachment 102561
post-3.5.5-kdegraphics.diff
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-11-22 12:19:44 UTC
Created attachment 102565
kdegraphics-kfile-plugins-3.5.5-r1.ebuild
Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-11-22 12:21:44 UTC
Created attachment 102566
kdegraphics-3.5.5-r1.ebuild
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-23 13:34:08 UTC
security liaisons, please test the ebuilds and report here if they can be marked stable, do not commit anything yet

target keywords
kdegraphics: "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86"
kdegraphics-kfile-plugins: "alpha amd64 ia64 ppc ppc64 sparc x86 ~x86-fbsd"
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2006-11-27 06:39:43 UTC
I'm getting consistent "The process for the file protocol died unexpectedly" on kde startup with 3.5.5-r1.
Any hints on how to debug this?
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2006-12-04 13:21:18 UTC
this looks good on ppc64. I'm not getting the message from comment #5.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-05 00:59:30 UTC
Sorry for the delay. This one is public now. Please commit a fixed ebuild.
Comment 8 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-12-05 06:54:46 UTC
Ebuilds in tree, enjoy.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-05 22:03:51 UTC
Thx Diego.

Arches please test and mark stable. Target keywords are:

kdegraphics-kfile-plugins-3.5.5-r1.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc x86 ~x86-fbsd"
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2006-12-05 23:51:47 UTC
x86 done
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2006-12-06 00:16:37 UTC
ppc64 stable
Comment 12 Bryan Østergaard (RETIRED) gentoo-dev 2006-12-11 14:41:17 UTC
Stable on Alpha + ia64.
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2006-12-16 05:52:05 UTC
kdegraphics and kdegraphics-kfile-plugins 3.5.5-r1 ppc stable.

Looks like kdegraphics has been forgotten ...
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-16 08:27:33 UTC
Thx for the pointer Tobias.

Adding back arches to mark kdegraphics-3.5.5-r1 stable.
Comment 15 René Nussbaumer (RETIRED) gentoo-dev 2006-12-17 13:54:03 UTC
stable on hppa.
Comment 16 Bryan Østergaard (RETIRED) gentoo-dev 2006-12-17 15:54:01 UTC
kdegraphics-3.5.5-r1 stable on Alpha + ia64.
Comment 17 Christian Faulhammer (RETIRED) gentoo-dev 2006-12-18 00:18:38 UTC
Stable on x86
Comment 18 Markus Rothe (RETIRED) gentoo-dev 2006-12-18 12:21:12 UTC
ppc64 stable
Comment 19 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-12-18 18:20:42 UTC
AMD64 (or rather Intel64 ;)) done.
Comment 20 Jason Wever (RETIRED) gentoo-dev 2006-12-20 08:23:13 UTC
SPARC stable
Comment 21 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-28 08:31:40 UTC
Theoretically we have to vote on this and I would vote for a GLSA, because kde is so common and it's so easy to trigger... (nearly A3 IMHO in fact)
Comment 22 Wolf Giesen (RETIRED) gentoo-dev 2006-12-28 10:09:10 UTC
yes++
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-28 10:51:16 UTC
Another YES vote.
Comment 24 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-12 22:06:38 UTC
GLSA 200701-05