SecurityTracker.com
Category:   Application (Generic)  >   KOffice
Vendors:   KDE.org
KDE KOffice kpdf Buffer Overflows in Processing DCT and JPX Streams May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015324
SecurityTracker URL:  http://securitytracker.com/id/1015324
CVE Reference:   CVE-2005-3191, CVE-2005-3192, CVE-2005-3193, CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, CVE-2005-3627, CVE-2006-0746
Updated:  Mar 9 2006
Original Entry Date:  Dec 7 2005
Impact:   Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  
Version(s): KOffice 1.3.0 up to and including KOffice 1.4.2
Description:   Several vulnerabilities were reported in KDE KOffice in the kpdf component. A remote user can cause arbitrary code to be executed on the target user's system.

The DCT stream parsing code does not properly validate user-supplied input. The DCTStream::readBaselineSOF() function in 'Stream.cc' does not properly validate the 'numComps' parameter. A remote user can create a specially crafted PDF file that, when processed by the target user, will trigger an overflow and potentially execute arbitrary code.

The DCTStream::readProgressiveSOF() and StreamPredictor::StreamPredictor() functions are also affected.

A similar overflow exists in the JPX Stream parsing code used in decoding embedded JPEG 2000 images. The JPXStream::readCodestream() function in 'JPXStream.cc' does not properly validate the 'nXTiles' and 'nYTiles' parameters.

The vulnerability resides in xpdf code that is shared with kpdf. The vulnerabilities in xpdf were originally reported by iDEFENSE.
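
The two kinds of check the description says are missing, as an added C example (not xpdf, kpdf or KOffice source): a bound on a header-supplied component count, and an overflow-safe size computation for a tile array. The `Tile` struct, the `MAX_COMPS` limit of 4 and the function names are assumptions for illustration; the header values are constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_COMPS 4   /* assumed size of a fixed per-component table */

typedef struct { int x0, y0, x1, y1; } Tile;   /* hypothetical tile record */

/* Unchecked size computation, shown for contrast: the product is reduced
 * modulo 2^32, so very large tile counts can yield a tiny allocation size. */
static uint32_t unchecked_tile_bytes(uint32_t nXTiles, uint32_t nYTiles)
{
    return nXTiles * nYTiles * (uint32_t)sizeof(Tile);
}

/* Hardened: reject zero counts and any product that does not fit.
 * Returns 0 and stores the byte size on success, -1 on rejection. */
static int checked_tile_bytes(uint32_t nXTiles, uint32_t nYTiles, size_t *out)
{
    if (nXTiles == 0 || nYTiles == 0)
        return -1;
    if (nXTiles > (uint32_t)INT_MAX / nYTiles)     /* tile count would overflow */
        return -1;
    size_t count = (size_t)nXTiles * nYTiles;
    if (count > SIZE_MAX / sizeof(Tile))           /* byte size would overflow */
        return -1;
    *out = count * sizeof(Tile);
    return 0;
}

/* Hardened: a component count read from a frame header must fit the table. */
static int valid_num_comps(int numComps)
{
    return numComps > 0 && numComps <= MAX_COMPS;
}

int main(void)
{
    size_t bytes = 0;
    uint32_t nx = 0x10000u, ny = 0x10000u;   /* constructed header values */
    printf("unchecked: %u bytes\n", (unsigned)unchecked_tile_bytes(nx, ny));
    printf("checked:   %s\n", checked_tile_bytes(nx, ny, &bytes) ? "rejected" : "ok");
    printf("numComps=5 %s\n", valid_num_comps(5) ? "ok" : "rejected");
    return 0;
}
```

A parser should run checks of this kind before any allocation or array indexing that depends on the header field, and abandon the stream on failure.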

In January 2006, the vendor issued an update to the advisory indicating that the original patches were incomplete and have been retracted.

In March 2006, it was reported that the fix for CVE-2005-3627 was not complete. The resulting vulnerability was assigned CVE-2006-0746. Marcelo Ricardo Leitner discovered this vulnerability.

Impact:   A remote user can create a PDF file that, when processed by the target user, will execute arbitrary code on the target user's system with the privileges of the target user.
Solution:   The vendor has issued the following revised patches:

Patch for KDE 3.5.0 is available from
ftp://ftp.kde.org/pub/kde/security_patches :

17ea076e986be5e26a4feea3cd264f7e post-3.5.0-kdegraphics-CVE-2005-3193.diff

Patch for KDE 3.4.3 is available from
ftp://ftp.kde.org/pub/kde/security_patches :

e8dde74416769d4589dcca25072aea3e post-3.4.3-kdegraphics-CVE-2005-3193.diff

Patch for KDE 3.3.2 is available from
ftp://ftp.kde.org/pub/kde/security_patches :

fe38b0728e5e2b000eb04e037536f330 post-3.3.2-kdegraphics-CVE-2005-3193.diff

Patch for KDE 3.2.3 is available from
ftp://ftp.kde.org/pub/kde/security_patches :

51ae90242b7e65ba34c704b38c91cfbe post-3.2.3-kdegraphics-CVE-2005-3193.diff

Patch for KOffice 1.3.0 and newer is available from
ftp://ftp.kde.org/pub/kde/security_patches :

939b41e59cfb5f738e9b6fcfff4faf48 post-1.3-koffice-CVE-2005-3193.diff

The vendor's advisory is available at:

http://www.kde.org/info/security/advisory-20051207-2.txt

[Editor's note: The patch for CVE-2005-3627 is incomplete.]

Vendor URL:  www.kde.org/info/security/advisory-20051207-2.txt
Cause:   Boundary error
Underlying OS:  Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Dec 20 2005 (Red Hat Issues Fix) KDE KOffice kpdf Buffer Overflows in Processing DCT and JPX Streams May Let Remote Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Enterprise Linux 4.
Jan 11 2006 (Red Hat Issues Fix for gpdf) KDE KOffice kpdf Buffer Overflows in Processing DCT and JPX Streams May Let Remote Users Execute Arbitrary Code
Red Hat has released a fix for gpdf on Red Hat Enterprise Linux 4, which is affected by this kpdf vulnerability.
Jan 11 2006 (Red Hat Issues Fix for CUPS) KDE KOffice kpdf Buffer Overflows in Processing DCT and JPX Streams May Let Remote Users Execute Arbitrary Code
Red Hat has released a fix for CUPS for Red Hat Enterprise Linux 3 and 4, which is affected by the xpdf vulnerability.
Jan 19 2006 (Red Hat Issues Fix for tetex) KDE KOffice kpdf Buffer Overflows in Processing DCT and JPX Streams May Let Remote Users Execute Arbitrary Code
Red Hat has released a fix for tetex on Red Hat Enterprise Linux 2.1, 3, and 4.
Mar 10 2006 (Red Hat Issues Revised Fix) KDE KOffice kpdf Buffer Overflows in Processing DCT and JPX Streams May Let Remote Users Execute Arbitrary Code
Red Hat has released a revised fix for Red Hat Enterprise Linux 4.



 Source Message Contents

Subject:  [KDE Security Advisory] multiple buffer overflows in kpdf/koffice

KDE Security Advisory: kpdf/xpdf multiple integer overflows
Original Release Date: 2005-12-07
URL: http://www.kde.org/info/security/advisory-20051207-1.txt

0. References
        CAN-2005-3191
        CAN-2005-3192
        CAN-2005-3193


1. Systems affected:

        KDE 3.2.0 up to and including KDE 3.5.0
        KOffice 1.3.0 up to and including KOffice 1.4.2


2. Overview:

        kpdf, the KDE pdf viewer, shares code with xpdf. xpdf contains
        multiple integer overflow vulnerabilities that allow specially
        crafted pdf files, when opened, to overflow a heap allocated
        buffer and execute arbitrary code.


3. Impact:

        Remotely supplied pdf files can be used to execute arbitrary
        code on the client machine.


4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.


5. Patch:

        Patch for KDE 3.5.0 is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        04d1a115cca0deacbfca5c172bb9f4db  post-3.5.0-kdegraphics-CAN-2005-3193.diff

        Patch for KDE 3.4.3 is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        b9787ff17e3e7eccee9ff23edcdca2c1  post-3.4.3-kdegraphics-CAN-2005-3193.diff

        Patch for KDE 3.3.2 is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        8e0b2db76bc419b444f8308b3d8127b9  post-3.3.2-kdegraphics-CAN-2005-3193.diff

        Patch for KDE 3.2.3 is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        75c90ff2998ff7b4c1b66fbf85d351f1  post-3.2.3-kdegraphics-CAN-2005-3193.diff

        Patch for KOffice 1.3.0 and newer is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        e663d0b1b6c32c3fb99c85834ae7b17b  post-1.3-koffice-CAN-2005-3193.diff



 
 



Copyright 2019, SecurityGlobal.net LLC