View previous topic :: View next topic |
Author |
Message |
GLSA Advocate
Joined: 12 May 2004 Posts: 2663
|
Posted: Wed Jan 04, 2006 10:26 pm Post subject: [ GLSA 200601-02 ] KPdf, KWord: Multiple overflows in includ |
|
|
Gentoo Linux Security Advisory
Title: KPdf, KWord: Multiple overflows in included Xpdf code (GLSA 200601-02)
Severity: normal
Exploitable: remote
Date: January 04, 2006
Updated: January 07, 2006
Bug(s): #114429, #115851
ID: 200601-02
Synopsis
KPdf and KWord both include vulnerable Xpdf code to handle PDF files,
making them vulnerable to the execution of arbitrary code.
Background
KPdf is a KDE-based PDF viewer included in the kdegraphics package.
KWord is a KDE-based word processor also included in the koffice
package.
Affected Packages
Package: kde-base/kdegraphics
Vulnerable: < 3.4.3-r3
Unaffected: >= 3.4.3-r3
Architectures: All supported architectures
Package: kde-base/kpdf
Vulnerable: < 3.4.3-r3
Unaffected: >= 3.4.3-r3
Architectures: All supported architectures
Package: app-office/koffice
Vulnerable: < 1.4.2-r6
Unaffected: >= 1.4.2-r6
Architectures: All supported architectures
Package: app-office/kword
Vulnerable: < 1.4.2-r6
Unaffected: >= 1.4.2-r6
Architectures: All supported architectures
Description
KPdf and KWord both include Xpdf code to handle PDF files. This Xpdf
code is vulnerable to several heap overflows (GLSA 200512-08) as well
as several buffer and integer overflows discovered by Chris Evans
(CESA-2005-003).
Impact
An attacker could entice a user to open a specially crafted PDF file
with Kpdf or KWord, potentially resulting in the execution of arbitrary
code with the rights of the user running the affected application.
Workaround
There is no known workaround at this time.
Resolution
All kdegraphics users should upgrade to the latest version:
Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=kde-base/kdegraphics-3.4.3-r3" |
All Kpdf users should upgrade to the latest version:
Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=kde-base/kpdf-3.4.3-r3" |
All KOffice users should upgrade to the latest version:
Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/koffice-1.4.2-r6" |
All KWord users should upgrade to the latest version:
Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/kword-1.4.2-r6" |
References
CAN-2005-3191
CAN-2005-3192
CAN-2005-3193
CVE-2005-3624
CVE-2005-3625
CVE-2005-3626
CVE-2005-3627
CVE-2005-3628
GLSA 200512-08
KDE Security Advisory: kpdf/xpdf multiple integer overflows
CESA-2005-003
Last edited by GLSA on Mon Jun 10, 2013 4:22 am; edited 2 times in total |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|