[KDE Security Advisory] kpdf/xpdf heap based buffer overflow

0 views
Skip to first unread message

Dirk Mueller

unread,
Feb 2, 2006, 6:12:47 PM2/2/06
to kde-an...@kde.org, bug...@securityfocus.com

KDE Security Advisory: kpdf/xpdf heap based buffer overflow
Original Release Date: 2006-02-02
URL: http://www.kde.org/info/security/advisory-20060202-1.txt

0. References
CVE-2006-0301


1. Systems affected:

KDE 3.4.0 up to including KDE 3.5.1


2. Overview:

kpdf, the KDE pdf viewer, shares code with xpdf. xpdf contains
a heap based buffer overflow in the splash rasterizer engine
that can crash kpdf or even execute arbitrary code.


3. Impact:

Remotely supplied pdf files can be used to execute arbitrary
code on the client machine.


4. Solution:

Source code patches have been made available which fix these
vulnerabilities. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.


5. Patch:

Patch for KDE 3.4.3 is available from
ftp://ftp.kde.org/pub/kde/security_patches :

bc7dc2a5235f95a41fc1d7ab885899da
post-3.5.1-kdegraphics-CVE-2006-0301.diff

Patch for KDE 3.4.3 is available from
ftp://ftp.kde.org/pub/kde/security_patches :

ebbce0a49537b694932b3c0efcf18261
post-3.4.3-kdegraphics-CVE-2006-0301.diff


Dirk Mueller

unread,
Feb 6, 2006, 11:39:46 AM2/6/06
to kde-an...@kde.org, bug...@securityfocus.com
On Friday 03 February 2006 00:12, Dirk Mueller wrote:

> 1. Systems affected:
>
> KDE 3.4.0 up to including KDE 3.5.1

Than Ngo notified me of an error in this advisory. KDE 3.3.x is also affected,
therefore I've updated the advisory that is online under
http://www.kde.org/info/security/advisory-20060202-1.txt
accordingly. The patch for KDE 3.4.x applies just fine.


--
Dirk//\

Reply all
Reply to author
Forward
0 new messages