[VIM] Xpdf/kpdf mess

Steven M. Christey coley at linus.mitre.org
Fri Jan 6 11:50:13 EST 2006


Even I don't have the details yet, although the later CANs all came from
the same numbering authority, so they are likely distinct at least
according to CVE's content decisions.  I'll have to see.

On Fri, 6 Jan 2006, security curmudgeon wrote:

>
> http://www.kde.org/info/security/advisory-20051207-1.txt
>          CAN-2005-3191
>          CAN-2005-3192
>          CAN-2005-3193
>
> Multiple overflows, seemed easy enough.
>
> http://www.kde.org/info/security/advisory-20051207-2.txt
>          CAN-2005-3191
>          CAN-2005-3192
>          CAN-2005-3193
>          CVE-2005-3624
>          CVE-2005-3625
>          CVE-2005-3626
>          CVE-2005-3627
>          CESA-2005-003
>
> Now, four more issues. CVE is closed currently, but even if they open I'm
> wondering how big of a mess this is. The original makes it sound like
> 'multiple overflows in xpdf', and kpdf shares a lot of the code. However,
> checking the Gentoo Bugzilla, we see this may affect a lot more
> applications.
>
> http://bugs.gentoo.org/show_bug.cgi?id=117481
>
>    Opening separate bugs for cups, poppler, gpdf.
>
>    Handling pdftohtml, tetex, pdff, kword on their respective bugs that are
>    still open.
>
>    kpdf and kword already silently patched in CVS.
>
>
> So we have: cups, poppler, gpdf, pdftohtml, tetex, pdff, kword, kpdf
>
> This makes it sound like an underlying library, or each utility shared the
> vulnerable code?
>

