[gentoo-announce] [ GLSA 200410-30 ] GPdf, KPDF, KOffice: Vulnerabilities in included xpdf - gentoo-announce

From:	Thierry Carrez <koon@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200410-30 ] GPdf, KPDF, KOffice: Vulnerabilities in included xpdf
Date:	Thu, 28 Oct 2004 07:29:30
Message-Id:	`41809F85.9090803@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200410-30

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Normal

8

     Title: GPdf, KPDF, KOffice: Vulnerabilities in included xpdf

9

      Date: October 28, 2004

10

      Bugs: #68558, #68665, #68571

11

        ID: 200410-30

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

GPdf, KPDF and KOffice all include vulnerable xpdf code to handle PDF

19

files, making them vulnerable to execution of arbitrary code upon

20

viewing a malicious PDF file.

21

22

Background

23

==========

24

25

GPdf is a Gnome-based PDF viewer. KPDF, part of the kdegraphics

26

package, is a KDE-based PDF viewer. KOffice is an integrated office

27

suite for KDE.

28

29

Affected packages

30

=================

31

32

    -------------------------------------------------------------------

33

     Package               /  Vulnerable  /                 Unaffected

34

    -------------------------------------------------------------------

35

  1  app-office/koffice       < 1.3.3-r1                   >= 1.3.3-r1

36

  2  app-text/gpdf            < 2.8.0-r1                   >= 2.8.0-r1

37

                                                          *>= 0.132-r1

38

  3  kde-base/kdegraphics     < 3.3.1-r1                   >= 3.3.1-r1

39

                                                          *>= 3.3.0-r1

40

                                                          *>= 3.2.3-r1

41

    -------------------------------------------------------------------

42

     3 affected packages on all of their supported architectures.

43

    -------------------------------------------------------------------

44

45

Description

46

===========

47

48

GPdf, KPDF and KOffice all include xpdf code to handle PDF files. xpdf

49

is vulnerable to multiple integer overflows, as described in GLSA

50

200410-20.

51

52

Impact

53

======

54

55

An attacker could entice a user to open a specially-crafted PDF file,

56

potentially resulting in execution of arbitrary code with the rights of

57

the user running the affected utility.

58

59

Workaround

60

==========

61

62

There is no known workaround at this time.

63

64

Resolution

65

==========

66

67

All GPdf users should upgrade to the latest version:

68

69

    # emerge --sync

70

    # emerge --ask --oneshot --verbose ">=app-text/gpdf-0.132-r1"

71

72

All KDE users should upgrade to the latest version of kdegraphics:

73

74

    # emerge --sync

75

    # emerge --ask --oneshot --verbose ">=kde-base/kdegraphics-3.3.0-r1"

76

77

All KOffice users should upgrade to the latest version:

78

79

    # emerge --sync

80

    # emerge --ask --oneshot --verbose ">=app-office/koffice-1.3.3-r1"

81

82

References

83

==========

84

85

  [ 1 ] GLSA 200410-20

86

        http://www.gentoo.org/security/en/glsa/glsa-200410-20.xml

87

  [ 2 ] CAN-2004-0888

88

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0888

89

  [ 3 ] CAN-2004-0889

90

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0889

91

92

Availability

93

============

94

95

This GLSA and any updates to it are available for viewing at

96

the Gentoo Security Website:

97

98

  http://security.gentoo.org/glsa/glsa-200410-30.xml

99

100

Concerns?

101

=========

102

103

Security is a primary focus of Gentoo Linux and ensuring the

104

confidentiality and security of our users machines is of utmost

105

importance to us. Any security concerns should be addressed to

106

security@g.o or alternatively, you may file a bug at

107

http://bugs.gentoo.org.

108

109

License

110

=======

111

112

Copyright 2004 Gentoo Foundation, Inc; referenced text

113

belongs to its owner(s).

114

115

The contents of this document are licensed under the

116

Creative Commons - Attribution / Share Alike license.

117

118

http://creativecommons.org/licenses/by-sa/1.0

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200410-30
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: GPdf, KPDF, KOffice: Vulnerabilities in included xpdf
9	Date: October 28, 2004
10	Bugs: #68558, #68665, #68571
11	ID: 200410-30
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	GPdf, KPDF and KOffice all include vulnerable xpdf code to handle PDF
19	files, making them vulnerable to execution of arbitrary code upon
20	viewing a malicious PDF file.
21
22	Background
23	==========
24
25	GPdf is a Gnome-based PDF viewer. KPDF, part of the kdegraphics
26	package, is a KDE-based PDF viewer. KOffice is an integrated office
27	suite for KDE.
28
29	Affected packages
30	=================
31
32	-------------------------------------------------------------------
33	Package / Vulnerable / Unaffected
34	-------------------------------------------------------------------
35	1 app-office/koffice < 1.3.3-r1 >= 1.3.3-r1
36	2 app-text/gpdf < 2.8.0-r1 >= 2.8.0-r1
37	*>= 0.132-r1
38	3 kde-base/kdegraphics < 3.3.1-r1 >= 3.3.1-r1
39	*>= 3.3.0-r1
40	*>= 3.2.3-r1
41	-------------------------------------------------------------------
42	3 affected packages on all of their supported architectures.
43	-------------------------------------------------------------------
44
45	Description
46	===========
47
48	GPdf, KPDF and KOffice all include xpdf code to handle PDF files. xpdf
49	is vulnerable to multiple integer overflows, as described in GLSA
50	200410-20.
51
52	Impact
53	======
54
55	An attacker could entice a user to open a specially-crafted PDF file,
56	potentially resulting in execution of arbitrary code with the rights of
57	the user running the affected utility.
58
59	Workaround
60	==========
61
62	There is no known workaround at this time.
63
64	Resolution
65	==========
66
67	All GPdf users should upgrade to the latest version:
68
69	# emerge --sync
70	# emerge --ask --oneshot --verbose ">=app-text/gpdf-0.132-r1"
71
72	All KDE users should upgrade to the latest version of kdegraphics:
73
74	# emerge --sync
75	# emerge --ask --oneshot --verbose ">=kde-base/kdegraphics-3.3.0-r1"
76
77	All KOffice users should upgrade to the latest version:
78
79	# emerge --sync
80	# emerge --ask --oneshot --verbose ">=app-office/koffice-1.3.3-r1"
81
82	References
83	==========
84
85	[ 1 ] GLSA 200410-20
86	http://www.gentoo.org/security/en/glsa/glsa-200410-20.xml
87	[ 2 ] CAN-2004-0888
88	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0888
89	[ 3 ] CAN-2004-0889
90	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0889
91
92	Availability
93	============
94
95	This GLSA and any updates to it are available for viewing at
96	the Gentoo Security Website:
97
98	http://security.gentoo.org/glsa/glsa-200410-30.xml
99
100	Concerns?
101	=========
102
103	Security is a primary focus of Gentoo Linux and ensuring the
104	confidentiality and security of our users machines is of utmost
105	importance to us. Any security concerns should be addressed to
106	security@g.o or alternatively, you may file a bug at
107	http://bugs.gentoo.org.
108
109	License
110	=======
111
112	Copyright 2004 Gentoo Foundation, Inc; referenced text
113	belongs to its owner(s).
114
115	The contents of this document are licensed under the
116	Creative Commons - Attribution / Share Alike license.
117
118	http://creativecommons.org/licenses/by-sa/1.0