Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 68558 - kde-base/kdegraphics: vulnerabilities in kpdf
Summary: kde-base/kdegraphics: vulnerabilities in kpdf
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa] vorlon
Depends on:
Reported: 2004-10-22 08:57 UTC by fbusse
Modified: 2004-11-23 10:41 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description fbusse 2004-10-22 08:57:04 UTC
Hash: SHA1

KDE Security Advisory: kpdf integer overflows
Original Release Date: 2004-10-21

0. References
        CESA-2004-002 - rev 1
        CESA-2004-007 - rev 1

1. Systems affected:

        All KDE 3.2.x releases, KDE 3.3.0 and KDE 3.3.1.

2. Overview:

        Chris Evans notified the KDE security team about multiple
        integer overflow and integer arithmetic flaws in xpdf 3.0.

        These flaws, if exploited, can cause xpdf (and therefore kpdf)
        to hang using 100% CPU, crash the viewer or corrupt the
        program heap. It might be possible to execute arbitrary code.
        The Common Vulnerabilities and Exposures project assigned
        CAN-2004-0889 to this issue.

        kpdf, the KDE pdf viewer, shares code with xpdf 2.02. This
        code is significantly different from the xpdf 3.0 codebase,
        but is also affected by similiar issues. Sebastian Krahmer
        from the SUSE security team developed a patch that corrects
        integer overflows in the XRef code. This patch is made
        available below for kpdf as shipped in the KDE 3.2.x
        releases. The Common Vulnerabilities and Exposures project
        assigned CAN-2004-0888 to this issue.

        KDE 3.3.1 contains a kpdf based on xpdf 3.0. We're providing
        a patch to fix the remaining integer overflows in this code

3. Impact:

        Remotely supplied pdf files can be used to execute arbitrary
        code on the client machine.

4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.

5. Patch:

        Patch for KDE 3.2.3 is available from :

        4f854adb507f4d04e997702e44ffc2ea  post-3.2.3-kdegraphics.diff

        Patch for KDE 3.3.1 is available from :

        651fba579516ea947fbefee373f40a6c  post-3.3.1-kdegraphics.diff

6. Time line and credits:

        01/09/2004 KDE Security Team alerted by Chris Evans
        08/09/2004 Chris Evans finds similiar issues in the xpdf 2.02 
                   codebase which is used by all released kpdf versions.
        24/09/2004 Patch to fix the found issues in xpdf 2.02 developed
                   by Sebastian Krahmer of SUSE security.
        12/10/2004 KDE 3.3.1 release upgrading kpdf to xpdf 3.0 codebase
        21/10/2004 Public disclosure

Version: GnuPG v1.2.5 (GNU/Linux)

Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-22 09:26:27 UTC
kde, pls verify and update ebuild
Comment 2 Simone Gotti (RETIRED) gentoo-dev 2004-10-22 17:11:28 UTC
I've tested both the patches with the splitted up kpdf ebuilds (to speedup compilation) and they compiles and works well.

kpdf-3.3.0 using patch post-3.2.3-kdegraphics.diff
kpdf-3.3.1 using patch post-3.3.1-kdegraphics.diff
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-23 05:21:43 UTC
KDE team, 
since 3.3.0 is the latest stable ebuild and 3.3.1 the newest version, those should be patched. Additionally a patched stable version for alpha is needed too, which would probably mean to patch 3.2.3 and get it stable on alpha.
Comment 4 Carsten Lohrke (RETIRED) gentoo-dev 2004-10-23 17:51:34 UTC
<<< kdegraphics-3.3.1-r1.ebuild
<<< kdegraphics-3.2.3-r1.ebuild
<<< kdegraphics-3.3.0-r1.ebuild

arch herds, please keyword

I couldn't test 3.2.3, but I thought it's better to let someone with KDE 3.2.x (and a faster box) find out if it breaks.
Comment 5 Bryan Østergaard (RETIRED) gentoo-dev 2004-10-24 05:39:31 UTC
Stable on alpha.
Comment 6 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-24 12:42:34 UTC
BTW, why does kdegraphics depend on xpdf if kpdf comes with it already?
Comment 7 Simone Gotti (RETIRED) gentoo-dev 2004-10-24 13:58:36 UTC
You're right, I'm quite sure that there's no need for it. I didn't noticed it before.
Comment 8 Jason Wever (RETIRED) gentoo-dev 2004-10-24 15:52:20 UTC
Stable on sparc.
Comment 9 Jochen Maes (RETIRED) gentoo-dev 2004-10-25 06:37:35 UTC
stable on ppc
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-10-27 02:52:12 UTC
SeJo: current CVS checkout shows :

kdegraphics-3.2.3-r1.ebuild:KEYWORDS="x86 ~ppc sparc alpha ~hppa ~amd64 ~ia64"
kdegraphics-3.3.0-r1.ebuild:KEYWORDS="x86 ~amd64 ~ppc64 sparc ~ppc ~hppa"
kdegraphics-3.3.1-r1.ebuild:KEYWORDS="~x86 ~amd64 ~ppc64 ~sparc ~ppc ~hppa"

So apprently ppc did not mark any unaffected ebuild stable. Given your stable profile you need to mark both 3.2.3-r1 and 3.3.0-r1 stable (as 3.2.3 and 3.3.0 are affected and ppc-stable).
Comment 11 Jochen Maes (RETIRED) gentoo-dev 2004-10-27 05:00:18 UTC
i'm sorry i must have made a mistake, 

they are tested and marked stable. 
Comment 12 Danny van Dyk (RETIRED) gentoo-dev 2004-10-27 15:11:04 UTC
stable on amd64!
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-10-28 00:36:31 UTC
GLSA 200410-30
hppa, ia64, ppc64: please mark stable to benefit from GLSA.
Comment 14 Tom Gall (RETIRED) gentoo-dev 2004-11-23 10:41:34 UTC
kdegraphics-3.3.0-r2.ebuild is already keyworded.

Removing,  thanks!