Gentoo Logo

KPdf, KWord: Multiple overflows in included Xpdf code

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200601-02 / kdegraphics, kpdf, koffice, kword
Release Date January 04, 2006
Latest Revision January 07, 2006: 03
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
kde-base/kdegraphics < 3.4.3-r3 >= 3.4.3-r3 All supported architectures
kde-base/kpdf < 3.4.3-r3 >= 3.4.3-r3 All supported architectures
app-office/koffice < 1.4.2-r6 >= 1.4.2-r6 All supported architectures
app-office/kword < 1.4.2-r6 >= 1.4.2-r6 All supported architectures

Related bugreports: #114429, #115851

Synopsis

KPdf and KWord both include vulnerable Xpdf code to handle PDF files, making them vulnerable to the execution of arbitrary code.

2.  Impact Information

Background

KPdf is a KDE-based PDF viewer included in the kdegraphics package. KWord is a KDE-based word processor also included in the koffice package.

Description

KPdf and KWord both include Xpdf code to handle PDF files. This Xpdf code is vulnerable to several heap overflows (GLSA 200512-08) as well as several buffer and integer overflows discovered by Chris Evans (CESA-2005-003).

Impact

An attacker could entice a user to open a specially crafted PDF file with Kpdf or KWord, potentially resulting in the execution of arbitrary code with the rights of the user running the affected application.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All kdegraphics users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=kde-base/kdegraphics-3.4.3-r3"

All Kpdf users should upgrade to the latest version:

Code Listing 3.2: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=kde-base/kpdf-3.4.3-r3"

All KOffice users should upgrade to the latest version:

Code Listing 3.3: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/koffice-1.4.2-r6"

All KWord users should upgrade to the latest version:

Code Listing 3.4: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/kword-1.4.2-r6"

4.  References



Print

Page updated January 04, 2006

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.