KPdf includes vulnerable Xpdf code to handle PDF files, making it
vulnerable to the execution of arbitrary code.
Background
==========
KPdf is a KDE-based PDF viewer included in the kdegraphics package.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 kde-base/kdegraphics < 3.4.3-r4 >= 3.4.3-r4
2 kde-base/kpdf < 3.4.3-r4 >= 3.4.3-r4
-------------------------------------------------------------------
2 affected packages on all of their supported architectures.
-------------------------------------------------------------------
Description
===========
KPdf includes Xpdf code to handle PDF files. Dirk Mueller discovered
that the Xpdf code is vulnerable a heap based overflow in the splash
rasterizer engine.
Impact
======
An attacker could entice a user to open a specially crafted PDF file
with Kpdf, potentially resulting in the execution of arbitrary code
with the rights of the user running the affected application.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All kdegraphics users should upgrade to the latest version:
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security (at) gentoo (dot) org [email concealed] or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
Gentoo Linux Security Advisory GLSA 200602-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: KPdf: Heap based overflow
Date: February 12, 2006
Bugs: #121375
ID: 200602-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
KPdf includes vulnerable Xpdf code to handle PDF files, making it
vulnerable to the execution of arbitrary code.
Background
==========
KPdf is a KDE-based PDF viewer included in the kdegraphics package.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 kde-base/kdegraphics < 3.4.3-r4 >= 3.4.3-r4
2 kde-base/kpdf < 3.4.3-r4 >= 3.4.3-r4
-------------------------------------------------------------------
2 affected packages on all of their supported architectures.
-------------------------------------------------------------------
Description
===========
KPdf includes Xpdf code to handle PDF files. Dirk Mueller discovered
that the Xpdf code is vulnerable a heap based overflow in the splash
rasterizer engine.
Impact
======
An attacker could entice a user to open a specially crafted PDF file
with Kpdf, potentially resulting in the execution of arbitrary code
with the rights of the user running the affected application.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All kdegraphics users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=kde-base/kdegraphics-3.4.3-r4"
All Kpdf users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=kde-base/kpdf-3.4.3-r4"
References
==========
[ 1 ] CVE-2006-0301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0301
[ 2 ] KDE Security Advisory: kpdf/xpdf heap based buffer overflow
http://www.kde.org/info/security/advisory-20060202-1.txt
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200602-05.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security (at) gentoo (dot) org [email concealed] or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFD73NTvcL1obalX08RAi2MAJ9RgTR2QC8e7p/G3iNby0KK2IKLPwCgp5Dl
SU9C8b2SCxE2hNC2KNXw8hY=
=EuQV
-----END PGP SIGNATURE-----
[ reply ]