Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 73795 - kde-base/kdegraphics kfax libtiff vulnerability
Summary: kde-base/kdegraphics kfax libtiff vulnerability
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa] jaervosz
: 143180 (view as bug list)
Depends on: 72750
  Show dependency tree
Reported: 2004-12-08 05:47 UTC by Caleb Tennis (RETIRED)
Modified: 2006-08-08 02:49 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Caleb Tennis (RETIRED) gentoo-dev 2004-12-08 05:47:40 UTC
KDE Security Advisory: kfax libtiff vulnerabilities
Original Release Date: 2004-12-08

0. References


1. Systems affected:

        All KDE releases earlier than KDE 3.3.2.

2. Overview:

        Chris Evans and others discovered multiple vulnerabilities
        in the libtiff library. The Common Vulnerabilities and
        Exposures project assigned CAN-2004-0803 to this issue.

        kfax, a small utility for displaying fax files, contains
        for historic reasons a private copy of libtiff. Therefore
        it is vulnerable to these issues as well.

        kfax and kfax_multipage are invoked by KMail or Konqueror
        for viewing .g3 files.

        For the active KDE maintenance branches, which are KDE 
        KDE 3.2.x and KDE 3.3.x, this problem has been solved by
        removing the private copy of libtiff and using the system
        installed version instead. As a result, kfax will use the
        tiff2ps and fax2tiff utilities at runtime as a backend.

        Due to the complexity of the change, no simple diff is
        provided. The bug is fixed in KDE 3.3.2 and newer. 

        As a workaround, you can remove the kfax binary and the KPart from your system to be on the safe

3. Impact:

        Specially crafted fax files can trigger buffer overflows
        in libtiff and execute arbitrary code. 

4. Solution:

        Source code updates have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.

5. Patch:

        No patches are being made available due to complexity of the change.

6. Time line and credits:

        13/10/2004 KDE Security Team alerted by Than Ngo
        28/10/2004 private libtiff fork removed from CVS, updated
                   packages finished.
        08/12/2004 Public announcement

Reproducible: Always
Steps to Reproduce:

The announcement is currently not publicly released.   
KDE 3.3.2 should be in portage in the next few days.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-08 08:35:42 UTC
Closing access for now.
Comment 2 Caleb Tennis (RETIRED) gentoo-dev 2004-12-09 06:52:31 UTC
This advisory is now public.  The fix will be to upgrade kdegraphics to the latest version available once I get a fix in place in portage.  Will advise as soon as I know the next steps.

Comment 3 Caleb Tennis (RETIRED) gentoo-dev 2004-12-09 06:58:44 UTC
Note: The fixed version is currently in portage as kdegraphics-3.3.2.

Users wishing to continue using kfax are advised to upgrade to the latest version.

Otherwise, I think the best fix here would be to do what the KDE team recomemnds:

        As a workaround, you can remove the kfax binary and the KPart from your system to be on the safe

That is:

rm /usr/kde/3.2/bin/kfax
rm /usr/kde/3.3/bin/kfax
rm /usr/kde/3.2/libs/
rm /usr/kde/3.3/libs/

I will advise once I verify this.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-09 12:44:49 UTC
The KDE advisory indicates that this is solved in by removing the private copy of libtiff for KDE 3.2.x and KDE 3.3.x. No diff is supplied but perhaps new tar balls are provided? Another alternative is to quickly mark 3.3.2 stable as a security precaution?
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-09 12:46:33 UTC
This is public now, opening.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-14 04:23:29 UTC
Caleb any estimate on when 3.3.2 can go stable on supported arches (security wise that is x86, ppc, sparc, amd64)?
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-19 11:39:41 UTC
GLSA 200412-17

Caleb please comment when 3.3.2 goes stable.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-11 05:47:30 UTC
3.3.2 is stable on all arches (-sparc). GLSA updated.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-11 22:34:01 UTC
sparc stable closing with GLSA 200412-17
Comment 10 Wolf Giesen (RETIRED) gentoo-dev 2006-08-08 02:49:18 UTC
*** Bug 143180 has been marked as a duplicate of this bug. ***