
UNIRAS Brief - 594/04 - ESB-2004.0677 -- KDE Security Advisory - kpdf integer overflows



 

----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 594/04 dated 26.10.04  Time: 14:05
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------------

Title
=====

ESB-2004.0677 -- KDE Security Advisory - kpdf integer overflows

Detail
====== 

Chris Evans notified the KDE security team about multiple integer overflow and integer 
arithmetic flaws in xpdf 3.0. These flaws, if exploited, can cause xpdf (and therefore kpdf)
to hang using 100% CPU, crash the viewer or corrupt the program heap. It might be possible 
to execute arbitrary code. The Common Vulnerabilities and Exposures project assigned
CAN-2004-0889 to this issue.





===========================================================================
             

                  ESB-2004.0677 -- KDE Security Advisory
                          kpdf integer overflows
                              26 October 2004

===========================================================================

        

Product:                kpdf
Publisher:              KDE
Operating System:       BSD variants
                        Linux variants
                        UNIX variants
Impact:                 Execute Arbitrary Code/Commands
                        Denial of Service
Access:                 Remote/Unauthenticated
CVE Names:              CAN-2004-0889 CAN-2004-0888

Ref:                    ESB-2004.0670

Original Bulletin URL:  http://www.kde.org/info/security/advisory-20041021-1.txt

--------------------------BEGIN INCLUDED TEXT--------------------



KDE Security Advisory: kpdf integer overflows
Original Release Date: 2004-10-21
URL: http://www.kde.org/info/security/advisory-20041021-1.txt

0. References

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0888
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0889
        CESA-2004-002 - rev 1
        CESA-2004-007 - rev 1


1. Systems affected:

        All KDE 3.2.x releases, KDE 3.3.0 and KDE 3.3.1.


2. Overview:

        Chris Evans notified the KDE security team about multiple
        integer overflow and integer arithmetic flaws in xpdf 3.0.

        These flaws, if exploited, can cause xpdf (and therefore kpdf)
        to hang using 100% CPU, crash the viewer or corrupt the
        program heap. It might be possible to execute arbitrary code.
        The Common Vulnerabilities and Exposures project assigned
        CAN-2004-0889 to this issue.

        kpdf, the KDE pdf viewer, shares code with xpdf 2.02. This
        code is significantly different from the xpdf 3.0 codebase,
        but is also affected by similar issues. Sebastian Krahmer
        from the SUSE security team developed a patch that corrects
        integer overflows in the XRef code. This patch is made
        available below for kpdf as shipped in the KDE 3.2.x
        releases. The Common Vulnerabilities and Exposures project
        assigned CAN-2004-0888 to this issue.

        KDE 3.3.1 contains a kpdf based on xpdf 3.0. We're providing
        a patch to fix the remaining integer overflows in this code
        base.


3. Impact:

        Remotely supplied pdf files can be used to execute arbitrary
        code on the client machine.


4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.


5. Patch:

        Patch for KDE 3.2.3 is available from 
        ftp://ftp.kde.org/pub/kde/security_patches :

        4f854adb507f4d04e997702e44ffc2ea  post-3.2.3-kdegraphics.diff

        Patch for KDE 3.3.1 is available from 
        ftp://ftp.kde.org/pub/kde/security_patches :

        651fba579516ea947fbefee373f40a6c  post-3.3.1-kdegraphics.diff


6. Time line and credits:

        01/09/2004 KDE Security Team alerted by Chris Evans
        08/09/2004 Chris Evans finds similar issues in the xpdf 2.02
                   codebase which is used by all released kpdf versions.
        24/09/2004 Patch to fix the found issues in xpdf 2.02 developed
                   by Sebastian Krahmer of SUSE security.
        12/10/2004 KDE 3.3.1 release upgrading kpdf to xpdf 3.0 codebase
        21/10/2004 Public disclosure



--------------------------END INCLUDED TEXT--------------------
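
An added illustration of the general flaw class named in the advisory above (integer overflow when sizing a cross-reference table); it is not xpdf or kpdf code and not the KDE or SUSE patch. The struct, the function names and the file-size bound (which relies on a classic PDF xref table line being 20 bytes) are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical in-memory cross-reference entry (8 bytes); not xpdf's type. */
typedef struct {
    uint32_t offset;   /* byte offset of the object in the file */
    uint32_t gen;      /* generation number */
} xref_entry;

#define XREF_LINE_BYTES 20u   /* a classic PDF xref table line is 20 bytes */

/* Flawed pattern: byte count computed in 32-bit arithmetic from an
 * entry count taken from the file. The product wraps modulo 2^32. */
uint32_t unchecked_alloc_bytes(uint32_t count)
{
    return count * (uint32_t)sizeof(xref_entry);
}

/* Hardened pattern: validate the count before it reaches the allocator.
 * Returns NULL for any count the file could not possibly contain. */
xref_entry *alloc_xref_table(long count, size_t file_size)
{
    if (count <= 0)
        return NULL;                          /* negative or empty */
    size_t n = (size_t)count;
    if (n > file_size / XREF_LINE_BYTES)
        return NULL;                          /* more entries than the file can hold */
    if (n > SIZE_MAX / sizeof(xref_entry))
        return NULL;                          /* n * size would overflow size_t */
    return calloc(n, sizeof(xref_entry));     /* calloc also checks the product */
}

int main(void)
{
    uint32_t claimed = 0x20000001u;           /* constructed oversized count */
    printf("unchecked: %u entries -> %u bytes requested\n",
           (unsigned)claimed, (unsigned)unchecked_alloc_bytes(claimed));
    xref_entry *t = alloc_xref_table((long)claimed, 4096);
    printf("checked:   %s\n", t ? "allocated" : "rejected");
    free(t);
    return 0;
}
```

In the unchecked path the claimed 536,870,913 entries turn into an 8-byte request, so every later write by index lands outside the buffer; the checked path refuses the count before any allocation happens.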



----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by
telephone. Not Protectively Marked information may be sent via
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of KDE for the information
contained in this Briefing.
----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
