KDE KOffice kpdf Buffer Overflows in Processing DCT and JPX Streams May Let Remote Users Execute Arbitrary Code
|
SecurityTracker Alert ID: 1015324 |
SecurityTracker URL: http://securitytracker.com/id/1015324
|
CVE Reference:
CVE-2005-3191, CVE-2005-3192, CVE-2005-3193, CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, CVE-2005-3627, CVE-2006-0746
|
Updated: Mar 9 2006
|
Original Entry Date: Dec 7 2005
|
Impact:
Execution of arbitrary code via network, User access via network
|
Vendor Confirmed: Yes
|
Version(s): KOffice 1.3.0 up to including KOffice 1.4.2
|
Description:
Several vulnerabilities were reported in KDE KOffice in the kpdf component. A remote user can cause arbitrary code to be executed on the target user's system.
The DCT stream parsing code does not properly validate user-supplied input. The DCTStream::readBaselineSOF() function in 'Stream.cc' does not validate the 'numComps' parameter, which is read from the embedded JPEG data and then used to fill a fixed-size per-component table. A remote user can create a specially crafted PDF file that, when processed by the target user, will trigger a heap overflow and potentially execute arbitrary code.
The DCTStream::readProgressiveSOF() and StreamPredictor::StreamPredictor() functions are affected by the same class of input validation error.
A similar overflow exists in the JPX stream parsing code used to decode embedded JPEG 2000 images. The JPXStream::readCodestream() function in 'JPXStream.cc' does not validate the 'nXTiles' and 'nYTiles' parameters; the vendor's advisory characterizes these flaws as integer overflows that leave a heap-allocated buffer undersized and then overrun.
The vulnerabilities reside in xpdf code that is shared with kpdf. They were originally reported in xpdf by iDEFENSE.
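The two validation failures described above, as an added illustration in C. This is not code from xpdf, kpdf or KOffice: the type and function names, the four-entry component table size, the 32-bit size arithmetic and the sample segment bytes are all assumptions made for this example. It shows the unchecked SOF component count beside its range-checked form, and a wrapping tile-table size computation beside an overflow-checked one.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration only; not code from xpdf, kpdf or KOffice.
 * Type names, MAX_DCT_COMPS and the sample bytes below are assumptions. */

#define MAX_DCT_COMPS 4   /* assumed size of the per-component table */

typedef struct { int id, hSamp, vSamp, quantTable; } DctComp;

typedef struct {
    int precision, height, width, numComps;
    DctComp compInfo[MAX_DCT_COMPS];
} DctFrame;

/* Parse the payload of a JPEG SOF0 segment (bytes after the 2-byte length):
 * P(1) Y(2) X(2) Nf(1), then Nf descriptors of {C(1), H:V(1), Tq(1)}.
 * Vulnerable pattern: Nf is trusted, so Nf > MAX_DCT_COMPS writes past
 * compInfo[]. Kept for contrast; only reached through the checked entry. */
static int read_sof_unchecked(const uint8_t *p, DctFrame *f)
{
    f->precision = p[0];
    f->height    = (p[1] << 8) | p[2];
    f->width     = (p[3] << 8) | p[4];
    f->numComps  = p[5];
    for (int i = 0; i < f->numComps; ++i) {        /* no bound on numComps */
        const uint8_t *c = p + 6 + 3 * i;
        f->compInfo[i].id         = c[0];
        f->compInfo[i].hSamp      = c[1] >> 4;
        f->compInfo[i].vSamp      = c[1] & 0x0f;
        f->compInfo[i].quantTable = c[2];
    }
    return f->numComps;
}

/* Hardened form: the count must fit the table and the segment must really
 * carry that many descriptors. Returns the count, or -1 if rejected. */
int read_sof_checked(const uint8_t *p, size_t len, DctFrame *f)
{
    if (len < 6) return -1;
    int n = p[5];
    if (n < 1 || n > MAX_DCT_COMPS) return -1;     /* the missing range check */
    if (len < 6 + 3 * (size_t)n) return -1;        /* truncated descriptor list */
    return read_sof_unchecked(p, f);
}

/* Tile-table sizing for a JPX codestream. Computing nXTiles * nYTiles *
 * sizeof(tile) in 32 bits wraps for large counts, so the table is
 * under-allocated and later tile writes run off its end. */
uint32_t jpx_tile_bytes_wrapping(uint32_t nx, uint32_t ny, uint32_t tile_size)
{
    return nx * ny * tile_size;                    /* silently wraps */
}

/* Hardened: refuse any product that does not fit. Returns 1 and the byte
 * count on success, 0 on overflow or a zero dimension. */
int jpx_tile_bytes_checked(uint32_t nx, uint32_t ny, uint32_t tile_size, size_t *out)
{
    if (nx == 0 || ny == 0 || tile_size == 0) return 0;
    if (nx > UINT32_MAX / ny) return 0;
    uint32_t tiles = nx * ny;
    if (tiles > SIZE_MAX / tile_size) return 0;
    *out = (size_t)tiles * tile_size;
    return 1;
}

/* Constructed sample segments (not taken from any real file). */
static const uint8_t sof_valid[] = {           /* 8-bit, 256x256, 3 components */
    8, 0x01, 0x00, 0x01, 0x00, 3,
    1, 0x22, 0,  2, 0x11, 1,  3, 0x11, 1 };
static const uint8_t sof_crafted[] = {         /* Nf = 8, with 8 descriptors present */
    8, 0x00, 0x10, 0x00, 0x10, 8,
    1, 0x11, 0,  2, 0x11, 0,  3, 0x11, 0,  4, 0x11, 0,
    5, 0x11, 0,  6, 0x11, 0,  7, 0x11, 0,  8, 0x11, 0 };

int demo_sof_valid(void)       { DctFrame f; return read_sof_checked(sof_valid, sizeof sof_valid, &f); }
int demo_sof_valid_hsamp(void) { DctFrame f; read_sof_checked(sof_valid, sizeof sof_valid, &f); return f.compInfo[0].hSamp; }
int demo_sof_crafted(void)     { DctFrame f; return read_sof_checked(sof_crafted, sizeof sof_crafted, &f); }
int demo_sof_truncated(void)   { DctFrame f; return read_sof_checked(sof_valid, 10, &f); }
int demo_jpx_rejected(void)    { size_t b; return jpx_tile_bytes_checked(0x10000u, 0x10000u, 64u, &b); }
size_t demo_jpx_ok(void)       { size_t b = 0; jpx_tile_bytes_checked(4u, 4u, 64u, &b); return b; }

int main(void)
{
    printf("valid SOF: %d comps, crafted: %d, truncated: %d\n",
           demo_sof_valid(), demo_sof_crafted(), demo_sof_truncated());
    printf("wrapping tile bytes: %u, checked accepts: %d\n",
           (unsigned)jpx_tile_bytes_wrapping(0x10000u, 0x10000u, 64u), demo_jpx_rejected());
    return 0;
}
```

The crafted segment is never fed to the unchecked parser, since writing past compInfo[] is undefined behaviour; it is only shown to be rejected by the checked entry point. The 32-bit product in jpx_tile_bytes_wrapping stands in for the allocation-size computation the advisory describes as overflowing: 0x10000 x 0x10000 tiles wraps to zero bytes, which is exactly the undersized heap buffer a subsequent tile write would overrun.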
In January 2006, the vendor issued an update to the advisory indicating that the original patches were incomplete and had been retracted; the revised patches are listed under Solution.
In March 2006, it was reported that the fix for CVE-2005-3627 was also incomplete. The remaining issue was assigned CVE-2006-0746. Marcelo Ricardo Leitner discovered this vulnerability.
|
Impact:
A remote user can create a PDF file that, when processed by the target user, will execute arbitrary code on the target user's system with the privileges of the target user.
|
Solution:
The vendor has issued the following revised patches (the digests below supersede those given in the original advisory):
Patch for KDE 3.5.0 is available from
ftp://ftp.kde.org/pub/kde/security_patches :
17ea076e986be5e26a4feea3cd264f7e post-3.5.0-kdegraphics-CVE-2005-3193.diff
Patch for KDE 3.4.3 is available from
ftp://ftp.kde.org/pub/kde/security_patches :
e8dde74416769d4589dcca25072aea3e post-3.4.3-kdegraphics-CVE-2005-3193.diff
Patch for KDE 3.3.2 is available from
ftp://ftp.kde.org/pub/kde/security_patches :
fe38b0728e5e2b000eb04e037536f330 post-3.3.2-kdegraphics-CVE-2005-3193.diff
Patch for KDE 3.2.3 is available from
ftp://ftp.kde.org/pub/kde/security_patches :
51ae90242b7e65ba34c704b38c91cfbe post-3.2.3-kdegraphics-CVE-2005-3193.diff
Patch for KOffice 1.3.0 and newer is available from
ftp://ftp.kde.org/pub/kde/security_patches :
939b41e59cfb5f738e9b6fcfff4faf48 post-1.3-koffice-CVE-2005-3193.diff
The vendor's advisory is available at:
http://www.kde.org/info/security/advisory-20051207-2.txt
[Editor's note: The patch for CVE-2005-3627 is incomplete; the remaining issue is tracked as CVE-2006-0746.]
|
Vendor URL: www.kde.org/info/security/advisory-20051207-2.txt
|
Cause:
Boundary error
|
Underlying OS: Linux (Any)
|
|
Source Message Contents
|
Subject: [KDE Security Advisory] multiple buffer overflows in kpdf/koffice
|
KDE Security Advisory: kpdf/xpdf multiple integer overflows
Original Release Date: 2005-12-07
URL: http://www.kde.org/info/security/advisory-20051207-1.txt
0. References
CAN-2005-3191
CAN-2005-3192
CAN-2005-3193
1. Systems affected:
KDE 3.2.0 up to including KDE 3.5.0
KOffice 1.3.0 up to including KOffice 1.4.2
2. Overview:
kpdf, the KDE pdf viewer, shares code with xpdf. xpdf contains
multiple integer overflow vulnerabilities that allow specially
crafted pdf files, when opened, to overflow a heap allocated
buffer and execute arbitrary code.
3. Impact:
Remotely supplied pdf files can be used to execute arbitrary
code on the client machine.
4. Solution:
Source code patches have been made available which fix these
vulnerabilities. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.
5. Patch:
Patch for KDE 3.5.0 is available from
ftp://ftp.kde.org/pub/kde/security_patches :
04d1a115cca0deacbfca5c172bb9f4db post-3.5.0-kdegraphics-CAN-2005-3193.diff
Patch for KDE 3.4.3 is available from
ftp://ftp.kde.org/pub/kde/security_patches :
b9787ff17e3e7eccee9ff23edcdca2c1 post-3.4.3-kdegraphics-CAN-2005-3193.diff
Patch for KDE 3.3.2 is available from
ftp://ftp.kde.org/pub/kde/security_patches :
8e0b2db76bc419b444f8308b3d8127b9 post-3.3.2-kdegraphics-CAN-2005-3193.diff
Patch for KDE 3.2.3 is available from
ftp://ftp.kde.org/pub/kde/security_patches :
75c90ff2998ff7b4c1b66fbf85d351f1 post-3.2.3-kdegraphics-CAN-2005-3193.diff
Patch for KOffice 1.3.0 and newer is available from
ftp://ftp.kde.org/pub/kde/security_patches :
e663d0b1b6c32c3fb99c85834ae7b17b post-1.3-koffice-CAN-2005-3193.diff
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQBDl1BXvsXr+iuy1UoRAhYxAKCrRpvP/yxFmk1cHj3xTswt4EWw/QCeNRnN
sXKlUy7WElj2JBWc+e7jvY0=
=yMzI
-----END PGP SIGNATURE-----