Bug 62730 (CVE-2004-0889)

<!-- SBZ_reproduce  -->
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Gentoo Linux Security Advisory                           GLSA 200410-30 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
                                            http://security.gentoo.org/ 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
 
  Severity: Normal 
     Title: GPdf, KPDF, KOffice: Vulnerabilities in included xpdf 
      Date: October 28, 2004 
      Bugs: #68558, #68665, #68571 
        ID: 200410-30 
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
 
Synopsis 
======== 
 
GPdf, KPDF and KOffice all include vulnerable xpdf code to handle PDF 
files, making them vulnerable to execution of arbitrary code upon 
viewing a malicious PDF file. 
 
Background 
========== 
 
GPdf is a Gnome-based PDF viewer. KPDF, part of the kdegraphics 
package, is a KDE-based PDF viewer. KOffice is an integrated office 
suite for KDE.

koffice is maintained by Lukas 

KOffice 1.3.4 was supposed to fix this ... but failed :( There's currently a new
patch available, Thomas please review it.

See http://kde.org/areas/koffice/releases/1.3.4-release.php

Hmm, the redirection scripts on download.kde.org don't seem to work, here's a
direct link: ftp://ftp.kde.org/pub/kde/stable/koffice-1.3.4/src/patch/

Sorry, I was on vacation. 
 
The fix looks incomplete. 
 
Please have a look at bug 58082 comment #50 

I'll check if KOffice 1.3.5 contains the right fix

Hi Lukas, 
is there something you found out yet? 

It seems it is the right fix in KOffice 1.3.5; if in doubt please check for
yourself too :)

and now the euro 100 question ... can you provide updated packages  
for older suse versions? :) 

Raising the bar to 200 Euro, just another xpdf vulnerability appeared:

http://kde.org/areas/koffice/releases/1.3.5-release.php

On Jan 3, I'll be back from vacation, update koffice and backport.

Committed a fix to STABLE, working on 9.2 backport

Backported to 9.2 

we also need the fix for #49840 

OK, it's been already applied to KOffice's CVS, will take it

http://www.kde.org/info/security/advisory-20050120-1.txt 

CAN-2004-0888, CAN-2004-0889, CAN-2004-1125, CAN-2005-0064 

 SM-Tracker-221 

Created attachment 27906 [details]
patchinfo-box.koffice

Created attachment 27907 [details]
patchinfo.koffice

Lukas, 
when can we expect the new packages? 

Working on it, took some more time due to KOffice not compiling and other duties.

We are far behind other distributors with releasing koffice now. 
Some bugs are older then 4 month now. :( 
 
Do you see a possibility to speed this update up? 

Yes, I could commit without test-compiling but my old poor 500Mhz Intel III
can't work any faster than this... :(

Can't you use faster machine in the suse network? 

Fixed package submitted to STABLE, backport?

Yes of course. 

Lukas, 
do you need some help doing the updates? We are far far behind other vendors. 

packages are submitted now. 

submitted patchinfos (corrected). 

There are patches missing. koffice has xpdf2 which has more than two security 
patches applied. According to xpdf2 from 8.2 you may need all of the following 
patches. At least the libgoo patch is definitely missing from the koffice 
package: 
 
xpdf-2.01-overflow.patch 
xpdf-CESA-2004-007-xpdf2.diff 
xpdf2-underflow.diff 
libgoo-sizet.diff 
xpdf-3.00pl2.patch 
xpdf-3.00pl3.patch 

adrian did the koffice updates... 

just add it to the next xpdf update. 
 
updates released. 

CVE-2004-0889: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)