The vulnerability is caused by a boundary error during RLE
decompression in the "TranscribePalmImageToJPEG()" function in
generators/plucker/inplug/image.cpp when processing images embedded in
PDB files, which can be exploited to cause a heap-based buffer overflow
by e.g. tricking a user into opening a specially crafted PDB file.
Patches appear to be available from upstream.
Patches have been committed to the KDE Subversion repository in the
following revision numbers:
4.3 branch: r1167825
4.4 branch: r1167826
4.5 branch: r1167827
Patches for KDE SC 4.3, KDE SC 4.4 and KDE SC 4.5 may be obtained
directly from the Subversion repository (no checkout needed) with
the following command and reference SHA1 sums:
4.3 branch: f1ad2e50ce0ce8592c767365b87a22a80943aa28
svn diff -r 1167824:1167825 \
4.4 branch: 13f06704919f239ef29ff63e6c1ddf8fa162af9c
svn diff -r 1167825:1167826 \
4.5 branch: d739c58873599f7324c9d6500d3615f803bff39e
svn diff -r 1167826:1167827 \
Heap-based buffer overflow in the RLE decompression functionality in
the TranscribePalmImageToJPEG function in
generators/plucker/inplug/image.cpp in Okular in KDE SC 4.3.0 through
4.5.0 allows remote attackers to cause a denial of service
(application crash) or possibly execute arbitrary code via a crafted
image in a PDB file.
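The bug class described in the advisory and the CVE text above is a run-length decoder that trusts the count bytes in the stream and writes past a heap buffer sized from the image header. As an added illustration that is not Okular's code and does not reproduce the real Palm image format, this is a minimal (count, value) RLE decoder written with the boundary check such a decoder needs: the output capacity is fixed from the declared pixel count, and a stream whose runs would exceed it is rejected instead of decoded.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode `in_len` bytes of (count, value) pairs into `out` (capacity `out_cap`).
 * Returns the number of bytes written, or -1 on a truncated pair or a run that
 * would write past the end of `out`. The pair format is an assumption for
 * illustration, not the Palm RLE layout. */
long rle_decode_checked(const uint8_t *in, size_t in_len,
                        uint8_t *out, size_t out_cap)
{
    size_t written = 0;
    if (in_len % 2 != 0)          /* odd length: last (count, value) pair is cut off */
        return -1;
    for (size_t i = 0; i < in_len; i += 2) {
        size_t run = in[i];
        /* The check a vulnerable decoder lacks: a run is copied only when it
         * fits in the space remaining, so a crafted count cannot overrun the heap. */
        if (run > out_cap - written)
            return -1;
        memset(out + written, in[i + 1], run);
        written += run;
    }
    return (long)written;
}

/* Decode a stream into a heap buffer sized from a declared pixel count, the
 * way an image loader sizes its output from the file header. Returns 1 if the
 * stream fills the buffer exactly, 0 if it was rejected or came up short. */
int load_pixels(const uint8_t *stream, size_t len, size_t declared_pixels)
{
    uint8_t *pixels = malloc(declared_pixels);
    if (!pixels) return 0;
    long n = rle_decode_checked(stream, len, pixels, declared_pixels);
    int ok = (n == (long)declared_pixels);
    free(pixels);
    return ok;
}

/* Constructed sample streams: one consistent with a 6-pixel header, one whose
 * count bytes promise 400 pixels for the same 6-pixel header. */
static const uint8_t good_stream[]    = {3, 0x11, 3, 0x22};
static const uint8_t crafted_stream[] = {200, 0x11, 200, 0x22};

int main(void)
{
    printf("consistent stream accepted: %d\n", load_pixels(good_stream, sizeof good_stream, 6));
    printf("oversized stream accepted:  %d\n", load_pixels(crafted_stream, sizeof crafted_stream, 6));
    return 0;
}
```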
Fixed in 4.5.1
Current stable 4.4.5 is still vulnerable
The patch is added in okular-4.4.5-r2, bumped straight to stable.
As long as nothing explodes during the next hours, feel free to
* remove 4.4.5-r1 from CVS
* remove 4.4.5 pending STABILIZATION of 4.4.5-r2 on ppc (ppc please do!!!)
@security: last arch (though the others were cheating :P) done, back to you
Thanks, everyone. GLSA request filed.
removing KDE, CC us back if you need us again
This issue was resolved and addressed in
GLSA 201311-20 at http://security.gentoo.org/glsa/glsa-201311-20.xml
by GLSA coordinator Sergey Popov (pinkbyte).