From security@mandriva.com Sat Jan 7 12:20:16 2006 From: Mandriva Security Team To: full-disclosure@lists.grok.org.uk Date: Fri, 06 Jan 2006 16:09:01 -0700 Subject: [Full-disclosure] MDKSA-2006:008 - Updated koffice packages fix several vulnerabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2006:008 http://www.mandriva.com/security/ _______________________________________________________________________ Package : koffice Date : January 6, 2006 Affected: 2006.0 _______________________________________________________________________ Problem Description: Multiple heap-based buffer overflows in the DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier, allow user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with an out-of-range number of components (numComps), which is used as an array index. (CVE-2005-3191) Heap-based buffer overflow in the StreamPredictor function in Xpdf 3.01 allows remote attackers to execute arbitrary code via a PDF file with an out-of-range numComps (number of components) field. (CVE-2005-3192) Heap-based buffer overflow in the JPXStream::readCodestream function in the JPX stream parsing code (JPXStream.c) for xpdf 3.01 and earlier allows user-complicit attackers to cause a denial of service (heap corruption) and possibly execute arbitrary code via a crafted PDF file with large size values that cause insufficient memory to be allocated. (CVE-2005-3193) An additional patch re-addresses memory allocation routines in goo/gmem.c (Martin Pitt/Canonical, Dirk Mueller/KDE). In addition, Chris Evans discovered several other vulnerbilities in the xpdf code base: Out-of-bounds heap accesses with large or negative parameters to "FlateDecode" stream. (CVE-2005-3192) Out-of-bounds heap accesses with large or negative parameters to "CCITTFaxDecode" stream. (CVE-2005-3624) Infinite CPU spins in various places when stream ends unexpectedly. (CVE-2005-3625) NULL pointer crash in the "FlateDecode" stream. (CVE-2005-3626) Overflows of compInfo array in "DCTDecode" stream. (CVE-2005-3627) Possible to use index past end of array in "DCTDecode" stream. (CVE-2005-3627) Possible out-of-bounds indexing trouble in "DCTDecode" stream. (CVE-2005-3627) Koffice uses an embedded copy of the xpdf code, with the same vulnerabilities. The updated packages have been patched to correct these problems. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3624 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3625 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3626 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3627 _______________________________________________________________________ Updated Packages: Mandriva Linux 2006.0: 5decbf029bf4482d1f93ea0df446121f 2006.0/RPMS/koffice-1.4.2-11.2.20060mdk.i586.rpm 2aca3ec22b051466aeb57c82b26d12aa 2006.0/RPMS/koffice-karbon-1.4.2-11.2.20060mdk.i586.rpm f39b2a5a7ef35a0f579a0055b1c429c4 2006.0/RPMS/koffice-kexi-1.4.2-11.2.20060mdk.i586.rpm caab0530fcfcf10ec5913e7b101541c6 2006.0/RPMS/koffice-kformula-1.4.2-11.2.20060mdk.i586.rpm 0a3732921e20069fd3b5cbac8c4733a9 2006.0/RPMS/koffice-kivio-1.4.2-11.2.20060mdk.i586.rpm e4d711f1487f3716f19527950bb64283 2006.0/RPMS/koffice-koshell-1.4.2-11.2.20060mdk.i586.rpm f5013764806edfcf9a31503b613459a2 2006.0/RPMS/koffice-kpresenter-1.4.2-11.2.20060mdk.i586.rpm 668a7eb653da4db18b2e1c9daefb7e94 2006.0/RPMS/koffice-krita-1.4.2-11.2.20060mdk.i586.rpm ebb18a9011e702f01718c4c2b4d759e1 2006.0/RPMS/koffice-kspread-1.4.2-11.2.20060mdk.i586.rpm 89a8d46e5768595584fcdbe307add521 2006.0/RPMS/koffice-kugar-1.4.2-11.2.20060mdk.i586.rpm 1e9b58585bf742239b210e8519ed0d8f 2006.0/RPMS/koffice-kword-1.4.2-11.2.20060mdk.i586.rpm e5e19df847dc2693066a922f73b42c50 2006.0/RPMS/koffice-progs-1.4.2-11.2.20060mdk.i586.rpm fa63274a949dd60692888f515606f079 2006.0/RPMS/libkoffice2-karbon-1.4.2-11.2.20060mdk.i586.rpm 8bedc58288b05ffb3134c07b7d46a118 2006.0/RPMS/libkoffice2-karbon-devel-1.4.2-11.2.20060mdk.i586.rpm 681887908face81c17a37ca00d6c6022 2006.0/RPMS/libkoffice2-kexi-1.4.2-11.2.20060mdk.i586.rpm eab5ad72e95f108b923f3bf32bbe10f5 2006.0/RPMS/libkoffice2-kexi-devel-1.4.2-11.2.20060mdk.i586.rpm 7e4b3718e863d0f66f2b7daca2a25f83 2006.0/RPMS/libkoffice2-kformula-1.4.2-11.2.20060mdk.i586.rpm bad0d716230bad4a9fe0ae27017b0ef7 2006.0/RPMS/libkoffice2-kformula-devel-1.4.2-11.2.20060mdk.i586.rpm 077a3368bef791e1105ba82e41424847 2006.0/RPMS/libkoffice2-kivio-1.4.2-11.2.20060mdk.i586.rpm 8091986d4999e3a702db1139c4cd1ac1 2006.0/RPMS/libkoffice2-kivio-devel-1.4.2-11.2.20060mdk.i586.rpm 74eee88d1cafaab8ff4bbbe9717a0e6c 2006.0/RPMS/libkoffice2-koshell-1.4.2-11.2.20060mdk.i586.rpm 25524a101fb458bfa15bf56706f1d02d 2006.0/RPMS/libkoffice2-kpresenter-1.4.2-11.2.20060mdk.i586.rpm e37ecf1e3aa338df37fa210aaf7822dd 2006.0/RPMS/libkoffice2-krita-1.4.2-11.2.20060mdk.i586.rpm cb1a07a6c9da09e6db6a506d8875daf8 2006.0/RPMS/libkoffice2-krita-devel-1.4.2-11.2.20060mdk.i586.rpm d1594075f9152ac891bb1bf2c3348770 2006.0/RPMS/libkoffice2-kspread-1.4.2-11.2.20060mdk.i586.rpm 5f026461f8fba599df483bbaefcf8b23 2006.0/RPMS/libkoffice2-kspread-devel-1.4.2-11.2.20060mdk.i586.rpm 897cbd506eb32b4cfecd6d4430cf217a 2006.0/RPMS/libkoffice2-kugar-1.4.2-11.2.20060mdk.i586.rpm 7f4a36c89f799e2f6bf19e1bd9264f89 2006.0/RPMS/libkoffice2-kugar-devel-1.4.2-11.2.20060mdk.i586.rpm 3fe5da8dc83ca866d6ae3a2eb21ff0f0 2006.0/RPMS/libkoffice2-kword-1.4.2-11.2.20060mdk.i586.rpm 242ea66e5928964417859b1a26b665f8 2006.0/RPMS/libkoffice2-kword-devel-1.4.2-11.2.20060mdk.i586.rpm 264f937ee2f1678245d3786fb449a1e5 2006.0/RPMS/libkoffice2-progs-1.4.2-11.2.20060mdk.i586.rpm 6fc8f4494593692a215e6ace8bfc1112 2006.0/RPMS/libkoffice2-progs-devel-1.4.2-11.2.20060mdk.i586.rpm d1aa09f80b3e57ecfd60f0a7e263094a 2006.0/SRPMS/koffice-1.4.2-11.2.20060mdk.src.rpm Mandriva Linux 2006.0/X86_64: 895d2918a4723f99eb839c4d27306406 x86_64/2006.0/RPMS/koffice-1.4.2-11.2.20060mdk.x86_64.rpm e24e0e322dfe02f73c5d1b0571158cf2 x86_64/2006.0/RPMS/koffice-karbon-1.4.2-11.2.20060mdk.x86_64.rpm e22a93254fd15c0a7b672a1c6bcb91a0 x86_64/2006.0/RPMS/koffice-kexi-1.4.2-11.2.20060mdk.x86_64.rpm 39dcd78e2747823f30364a789a7d1193 x86_64/2006.0/RPMS/koffice-kformula-1.4.2-11.2.20060mdk.x86_64.rpm c726114646f5fe94121cc2e48a4647b5 x86_64/2006.0/RPMS/koffice-kivio-1.4.2-11.2.20060mdk.x86_64.rpm bfcdebd6ced8553c1a7eb6ea1ffddbb9 x86_64/2006.0/RPMS/koffice-koshell-1.4.2-11.2.20060mdk.x86_64.rpm 5f4d36c6c03dec33f6f88346fe1c8c11 x86_64/2006.0/RPMS/koffice-kpresenter-1.4.2-11.2.20060mdk.x86_64.rpm 515f8db1ae75c28717a7ed8b7475278f x86_64/2006.0/RPMS/koffice-krita-1.4.2-11.2.20060mdk.x86_64.rpm 4cfe74acd379f314f6ff2845920b64b7 x86_64/2006.0/RPMS/koffice-kspread-1.4.2-11.2.20060mdk.x86_64.rpm 6ec357843424d14fadbd457e49fc3c34 x86_64/2006.0/RPMS/koffice-kugar-1.4.2-11.2.20060mdk.x86_64.rpm ac0a4544be03c14981d165c83dd0893e x86_64/2006.0/RPMS/koffice-kword-1.4.2-11.2.20060mdk.x86_64.rpm 1a6ddfd8cdde5c9fc9c23fa58e55a7e2 x86_64/2006.0/RPMS/koffice-progs-1.4.2-11.2.20060mdk.x86_64.rpm 9bf5725e0a5b369653bd579c6be151e6 x86_64/2006.0/RPMS/lib64koffice2-karbon-1.4.2-11.2.20060mdk.x86_64.rpm bb80a747c3ba10682967664d58d5a3dc x86_64/2006.0/RPMS/lib64koffice2-karbon-devel-1.4.2-11.2.20060mdk.x86_64.rpm 8f7003b51389274cec77c0eaa4f620a1 x86_64/2006.0/RPMS/lib64koffice2-kexi-1.4.2-11.2.20060mdk.x86_64.rpm b0058d2ffe854eb0fc7f6d3694b2cf0c x86_64/2006.0/RPMS/lib64koffice2-kexi-devel-1.4.2-11.2.20060mdk.x86_64.rpm 0c2dfe7985b8d29b11fb6d5f3bc5f187 x86_64/2006.0/RPMS/lib64koffice2-kformula-1.4.2-11.2.20060mdk.x86_64.rpm fe64e075b725f2003ad4b3b75e633815 x86_64/2006.0/RPMS/lib64koffice2-kformula-devel-1.4.2-11.2.20060mdk.x86_64.rpm 1ce7238b2d8494313df1f71cb5ab45ee x86_64/2006.0/RPMS/lib64koffice2-kivio-1.4.2-11.2.20060mdk.x86_64.rpm 4a64f4ef06c4404f7d77685d195c11ba x86_64/2006.0/RPMS/lib64koffice2-kivio-devel-1.4.2-11.2.20060mdk.x86_64.rpm 92fea6a7449391fc2c35e02044d03e83 x86_64/2006.0/RPMS/lib64koffice2-koshell-1.4.2-11.2.20060mdk.x86_64.rpm a99e683d8c5585df998d5735d4c01f7d x86_64/2006.0/RPMS/lib64koffice2-kpresenter-1.4.2-11.2.20060mdk.x86_64.rpm 5f19278c29cf6656d9a56ef39f14d145 x86_64/2006.0/RPMS/lib64koffice2-krita-1.4.2-11.2.20060mdk.x86_64.rpm 930b637523e583344c0303844496e768 x86_64/2006.0/RPMS/lib64koffice2-krita-devel-1.4.2-11.2.20060mdk.x86_64.rpm 880b0863b0c0f0ddcde22207abac3164 x86_64/2006.0/RPMS/lib64koffice2-kspread-1.4.2-11.2.20060mdk.x86_64.rpm cd0b2c995b2ef8c9f90dbb35349b1b95 x86_64/2006.0/RPMS/lib64koffice2-kspread-devel-1.4.2-11.2.20060mdk.x86_64.rpm d4fa15a626d04a31222c596e9b0781a3 x86_64/2006.0/RPMS/lib64koffice2-kugar-1.4.2-11.2.20060mdk.x86_64.rpm 0562292a610452f83c5070791aeac977 x86_64/2006.0/RPMS/lib64koffice2-kugar-devel-1.4.2-11.2.20060mdk.x86_64.rpm ecc6a0c00d8c9160400db4c1698a918e x86_64/2006.0/RPMS/lib64koffice2-kword-1.4.2-11.2.20060mdk.x86_64.rpm 0b87a74b84ed37b1d95e5a61247bbe39 x86_64/2006.0/RPMS/lib64koffice2-kword-devel-1.4.2-11.2.20060mdk.x86_64.rpm 5935898f0e48d386a8f50d1be0f39e62 x86_64/2006.0/RPMS/lib64koffice2-progs-1.4.2-11.2.20060mdk.x86_64.rpm f96c5fd8d1e3366a3bef48ef49d52559 x86_64/2006.0/RPMS/lib64koffice2-progs-devel-1.4.2-11.2.20060mdk.x86_64.rpm d1aa09f80b3e57ecfd60f0a7e263094a x86_64/2006.0/SRPMS/koffice-1.4.2-11.2.20060mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFDvs3umqjQ0CJFipgRAsQWAKDhkKglUv6U7HiqveMCZl+UYqSnKQCfRF1P VZDGDCNSiLOLUNqpi69LYE8= =ZQ9V -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/