KDE KOffice kpdf Buffer Overflows in Processing DCT and JPX Streams May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1015324
SecurityTracker URL: http://securitytracker.com/id/1015324
CVE-2005-3191, CVE-2005-3192, CVE-2005-3193, CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, CVE-2005-3627, CVE-2006-0746
Updated: Mar 9 2006
Original Entry Date: Dec 7 2005
Execution of arbitrary code via network, User access via network
Vendor Confirmed: Yes
Version(s): KOffice 1.3.0 up to including KOffice 1.4.2
Several vulnerabilities were reported in KDE KOffice in the kpdf component. A remote user can cause arbitrary code to be executed on the target user's system.
The DCT stream parsing code does not properly validate user-supplied input. The DCTStream::readBaselineSOF() function in 'Stream.cc' does not properly validate the 'numComps' parameter. A remote user can create a specially crafted PDF file that, when processed by the target user, will trigger an overflow and potentially execute arbitrary code.
The DCTStream::readProgressiveSOF() and StreamPredictor::StreamPredictor() functions are also affected.
A similar overflow exists in the JPX Stream parsing code used in decoding embedded JPEG 2000 images. The JPXStream::readCodestream() function in 'JPXStream.cc' does not properly validate the 'nXTiles' and 'nYTiles' parameters.
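The pattern described above, in which a component or tile count read from the file drives a heap allocation, as an added example written for this entry and not taken from xpdf or kpdf: the unchecked 32-bit product beside a hardened size computation that bounds the counts and the byte total before any allocation. The 1/3/4 component rule and the 256 MiB cap are assumptions chosen for the illustration, not values from the advisory.

```c
#include <stdint.h>
#include <stdlib.h>

/* Assumed limits: a baseline/progressive JPEG frame carries 1, 3 or 4
 * components, and no sane tile table should need more than 256 MiB. */
#define MAX_TILE_BYTES ((size_t)256u << 20)

/* Accept only component counts the decoder actually supports. */
int dct_num_comps_ok(int numComps) {
    return numComps == 1 || numComps == 3 || numComps == 4;
}

/* The unsafe pattern: tile counts are multiplied in 32-bit arithmetic, so
 * large nXTiles/nYTiles wrap to a small value, and the heap buffer sized
 * from it is far shorter than the tile loop that later fills it. */
uint32_t naive_tile_count(uint32_t nXTiles, uint32_t nYTiles) {
    return nXTiles * nYTiles;           /* wraps silently modulo 2^32 */
}

/* Hardened form: reject zero dimensions, compute the product in a wider
 * type and verify the byte total stays under the cap before allocating.
 * Returns the byte count, or 0 if the header values are rejected. */
size_t checked_tile_bytes(uint32_t nXTiles, uint32_t nYTiles,
                          size_t tileSize) {
    if (nXTiles == 0 || nYTiles == 0 || tileSize == 0) return 0;
    uint64_t nTiles = (uint64_t)nXTiles * (uint64_t)nYTiles;
    if (nTiles > (uint64_t)(MAX_TILE_BYTES / tileSize)) return 0;
    return (size_t)(nTiles * tileSize);
}

/* Allocate the tile table only once the size has been validated. */
void *alloc_tiles(uint32_t nXTiles, uint32_t nYTiles, size_t tileSize) {
    size_t bytes = checked_tile_bytes(nXTiles, nYTiles, tileSize);
    return bytes ? calloc(1, bytes) : NULL;
}
```

With 65536 x 65536 tiles the naive product wraps to 0 while the checked version rejects the header outright.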
The vulnerability resides in xpdf code that is shared with kpdf. The vulnerabilities in xpdf were originally reported by iDEFENSE.
In January 2006, the vendor issued an update to the advisory indicating that the original patches were incomplete and have been retracted.
In March 2006, it was reported that the fix for CVE-2005-3627 was not complete. The resulting vulnerability was assigned CVE-2006-0746. Marcelo Ricardo Leitner discovered this vulnerability.
A remote user can create a PDF file that, when processed by the target user, will execute arbitrary code on the target user's system with the privileges of the target user.
The vendor has issued the following revised patches:
Patch for KDE 3.5.0 is available from
Patch for KDE 3.4.3 is available from
Patch for KDE 3.3.2 is available from
Patch for KDE 3.2.3 is available from
Patch for KOffice 1.3.0 and newer is available from
The vendor's advisory is available at:
[Editor's note: The patch for CVE-2005-3627 is incomplete.]
Vendor URL: www.kde.org/info/security/advisory-20051207-2.txt
Underlying OS: Linux (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Subject: [KDE Security Advisory] multiple buffer overflows in kpdf/koffice
KDE Security Advisory: kpdf/xpdf multiple integer overflows
Original Release Date: 2005-12-07
1. Systems affected:
KDE 3.2.0 up to including KDE 3.5.0
KOffice 1.3.0 up to including KOffice 1.4.2
kpdf, the KDE pdf viewer, shares code with xpdf. xpdf contains
multiple integer overflow vulnerabilities that allow specially
crafted pdf files, when opened, to overflow a heap allocated
buffer and execute arbitrary code.
Remotely supplied pdf files can be used to execute arbitrary
code on the client machine.
Source code patches have been made available which fix these
vulnerabilities. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.
Patch for KDE 3.5.0 is available from
Patch for KDE 3.4.3 is available from
Patch for KDE 3.3.2 is available from
Patch for KDE 3.2.3 is available from
Patch for KOffice 1.3.0 and newer is available from