KDE Security Advisory: KOffice PDF Import Filter Vulnerability

[Waldo Bastian <bastian@xxxxxxx>]

KDE Security Advisory: KOffice PDF Import Filter Vulnerability
Original Release Date: 2005-01-20
URL: http://www.kde.org/info/security/advisory-20050120-1.txt

0. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0064
   http://www.idefense.com/application/poi/display?id=186&type=vulnerabilities


1. Systems affected:

        KOffice 1.3 up to including KOffice 1.3.5


2. Overview:

        The KOffice PDF Import Filter shares code with xpdf. xpdf contains
        a buffer overflow that can be triggered by a specially crafted
        PDF file.


3. Impact:

        Remotely supplied pdf files can be used to execute arbitrary
        code on the client machine when the user opens such file in
        KOffice.


4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.


5. Patch:

        Patch for KOffice 1.3.5 is available from 
        ftp://ftp.kde.org/pub/kde/security_patches :

        0e6194cbfe3f6d3b3c848c2c76ef5bfb  post-1.3.5-koffice.diff


6. Time line and credits:

        19/01/2005 KDE Security Team alerted by Carsten Lohrke
        19/01/2005 Patches from xpdf 3.00pl3 applied to KDE CVS and patches
                   prepared. 
        20/01/2005 Public disclosure.


-- 
bastian@xxxxxxx   |   Free Novell Linux Desktop 9 Evaluation Download
bastian@xxxxxxxx  |   http://www.novell.com/products/desktop/eval.html

Attachment: pgp8JGohtV2eF.pgp
Description: PGP signature