+++ This bug was initially created as a clone of Bug #290430 +++

CVE-2009-3603 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3603):
Integer overflow in the SplashBitmap::SplashBitmap function in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1 might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2009-1188.

CVE-2009-3604 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3604):
The Splash::drawImage function in Splash.cc in Xpdf 2.x and 3.x before 3.02pl4, and Poppler 0.x, as used in GPdf and kdegraphics KPDF, does not properly allocate memory, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF document that triggers a NULL pointer dereference or a heap-based buffer overflow.

CVE-2009-3606 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3606):
Integer overflow in the PSOutputDev::doImageL1Sep function in Xpdf before 3.02pl4, and Poppler 0.x, as used in kdegraphics KPDF, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow.

CVE-2009-3608 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3608):
Integer overflow in the ObjectStream::ObjectStream function in XRef.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow.

CVE-2009-3609 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3609):
Integer overflow in the ImageStream::ImageStream function in Stream.cc in Xpdf before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, and CUPS pdftops, allows remote attackers to cause a denial of service (application crash) via a crafted PDF document that triggers a NULL pointer dereference or buffer over-read.
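The CVEs above share one root cause: size arithmetic on dimensions taken from the PDF is done without overflow checks before a heap allocation, so a wrapped product yields a buffer smaller than what is later written into it. As an added illustration (not code from xpdf, poppler or any patch in this bug), the unchecked pattern is shown beside a hardened version that checks each multiplication and bounds the result with a hypothetical MAX_BITMAP_BYTES limit.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical resource cap on a decoded bitmap (assumption, not a value from xpdf/poppler). */
#define MAX_BITMAP_BYTES ((size_t)256 << 20)

/* Pre-fix style: 32-bit arithmetic with no overflow check. For crafted
 * width/height the product wraps, so the allocation is far smaller than the
 * number of bytes the decoder later writes into it (a heap overflow). */
uint32_t unchecked_bitmap_bytes(int width, int height, int bytes_per_pixel) {
    uint32_t row_size = (uint32_t)width * (uint32_t)bytes_per_pixel; /* may wrap */
    return row_size * (uint32_t)height;                               /* may wrap */
}

/* Store a * b in *out; return -1 if the product does not fit in size_t. */
static int checked_mul(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return -1;
    *out = a * b;
    return 0;
}

/* Hardened computation: reject non-positive dimensions from the file, check
 * every multiplication, and refuse sizes above the resource cap. Returns 0 and
 * the byte count in *out on success, -1 on any rejection. */
int checked_bitmap_bytes(int width, int height, int bytes_per_pixel, size_t *out) {
    size_t row_size, total;
    if (width <= 0 || height <= 0 || bytes_per_pixel <= 0) return -1;
    if (checked_mul((size_t)width, (size_t)bytes_per_pixel, &row_size)) return -1;
    if (checked_mul(row_size, (size_t)height, &total)) return -1;
    if (total > MAX_BITMAP_BYTES) return -1;
    *out = total;
    return 0;
}

/* Allocate a bitmap only after its size has been validated; NULL otherwise. */
void *alloc_bitmap(int width, int height, int bytes_per_pixel) {
    size_t n;
    if (checked_bitmap_bytes(width, height, bytes_per_pixel, &n) != 0) return NULL;
    return malloc(n);
}

int main(void) {
    /* Constructed dimensions: 0x40000000 x 4 at 1 byte/pixel wraps to 0 in 32 bits. */
    size_t n;
    printf("unchecked: %u bytes\n", (unsigned)unchecked_bitmap_bytes(0x40000000, 4, 1));
    printf("checked:   %s\n", checked_bitmap_bytes(0x40000000, 4, 1, &n) ? "rejected" : "ok");
    return 0;
}
```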
KDE, patches or mask/removal?
(In reply to comment #1)
> KDE, patches or mask/removal?

masked
Sorry if I'm missing something, but all of the vulnerabilities seem to be with poppler versions before 0.12.1, and poppler-qt3-0.12.1 exists... Shouldn't KPDF be OK with the latest poppler version?
(In reply to comment #3)
> Shouldn't KPDF be OK with the latest poppler version?

No. The code is bundled.
(In reply to comment #4)
> > Shouldn't KPDF be OK with the latest poppler version?
>
> No. The code is bundled.

You mean the poppler code is inside of KPDF and it doesn't use the external libraries? Sorry for bothering you, it's just that I actually use KPDF :(
(In reply to comment #5)
> You mean the poppler code is inside of KPDF and it doesn't use the external
> libraries?

Technically it's xpdf, but yes.

> Sorry for bothering you, it's just that I actually use KPDF :(

Sounds like it's time to migrate. If you have any further questions, please email us rather than posting on the bug.
(In reply to comment #6)
> Sounds like it's time to migrate.

. . . to ? Your recommendation ?
(In reply to comment #7)
> (In reply to comment #6)
> > Sounds like it's time to migrate.
>
> . . . to ? Your recommendation ?

Any other actively developed PDF viewer that you like.

Guys, this bug is intended for package removal and GLSA tracking purposes only; any other discussion does not belong here. Please use the Gentoo Forums or any other means of communication. Thank you.

GLSA together with bug 263028.
(In reply to comment #7)
> (In reply to comment #6)
> > Sounds like it's time to migrate.
>
> . . . to ? Your recommendation ?

Looks like okular is the official KDE replacement for KPDF. Might not hurt to note that in the package mask comment; most stable users only started using kde4 a week ago, and if we're going to retire what used to be a heavily-used kde3 app it doesn't hurt to inform users what the official replacement is (from upstream's perspective). Of course, users can still use whatever they'd like. Most people who have kpdf installed already would have okular installed as well.
For people who still need a KDE 3.5 series PDF viewer, KGhostView is still available. (Sorry about posting here again, but since people are still asking for alternatives and this is the URL they're given in the masking message, maybe now fewer people will ask :)
Updated affected packages list:

* kde-base/kpdf (all CVE entries as listed in comment #0)
* app-office/kword:3.5 (CVE-2009-3606 and CVE-2009-3609)
* app-office/koffice (CVE-2009-3606 and CVE-2009-3609)

kword:2, which is currently in testing, is not affected. koffice does not have a newer version available for stabling.

KDE, please advise on how to proceed with these two.
(In reply to comment #11)
> Updated affected packages list:
>
> * kde-base/kpdf (all CVE entries as listed in comment #0)
> * app-office/kword:3.5 (CVE-2009-3606 and CVE-2009-3609)
> * app-office/koffice (CVE-2009-3606 and CVE-2009-3609)
>
> kword:2 which is currently in testing is not affected. koffice does not have a
> newer version available for stabling.
> KDE, please advise on how to proceed with these two.

koffice can die; kword sadly can't, the kword-2.0 alternative is not fully usable yet :/
(In reply to comment #11)
> Updated affected packages list:
>
> * kde-base/kpdf (all CVE entries as listed in comment #0)
> * app-office/kword:3.5 (CVE-2009-3606 and CVE-2009-3609)
> * app-office/koffice (CVE-2009-3606 and CVE-2009-3609)
>
> kword:2 which is currently in testing is not affected. koffice does not have a
> newer version available for stabling.
> KDE, please advise on how to proceed with these two.

app-office/koffice has already been masked for removal
Created attachment 209335: kword-xpdf-overflows.patch

This patch should cover all relevant issues for kword. Please test it before applying.
KDE, please see above comment (bugmail not sent..)
Should be fixed in kde-base/kpdf-3.5.10-r2 in the kde-sunset overlay. I applied the pl4 patch from xpdf to the kpdf sources. Looks like the changes up to pl3 were included already, although not always exactly in the same way. http://git.overlays.gentoo.org/gitweb/?p=proj/kde-sunset.git;a=blob;f=kde-base/kpdf/files/kpdf-3.5.10-xpdf-3.02pl4.patch
kword, xpdf dead. Old vulnerability. Closing noglsa.