Your message dated Mon, 12 Nov 2007 05:22:12 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#450630: fixed in kdegraphics 4:3.5.8-2
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: kdegraphics
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for poppler.
CVE-2007-4352[0]:
| Array index error in the DCTStream::readProgressiveDataUnit method in
| xpdf/Stream.cc in Xpdf 3.02 with xpdf-3.02pl1.patch allows remote
| attackers to trigger memory corruption and execute arbitrary code via
| a crafted PDF file.
CVE-2007-5392[1]:
| Integer overflow in the DCTStream::reset method in
| xpdf/Stream.cc in Xpdf 3.02 with xpdf-3.02pl1.patch allows
| remote attackers to execute arbitrary code via a crafted PDF
| file, resulting in a heap-based buffer overflow.
CVE-2007-5393[2]:
| Heap-based buffer overflow in the CCITTFaxStream::lookChar
| method in xpdf/Stream.cc in Xpdf 3.02 with
| xpdf-3.02pl1.patch allows remote attackers to execute
| arbitrary code via a PDF file that contains a crafted
| CCITTFaxDecode filter.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
--- Begin Message ---
Source: kdegraphics
Source-Version: 4:3.5.8-2
We believe that the bug you reported is fixed in the latest version of
kdegraphics, which is due to be installed in the Debian FTP archive:
kamera_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/kamera_3.5.8-2_amd64.deb
kcoloredit_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/kcoloredit_3.5.8-2_amd64.deb
kdegraphics-dbg_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/kdegraphics-dbg_3.5.8-2_amd64.deb
kdegraphics-dev_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/kdegraphics-dev_3.5.8-2_amd64.deb
kdegraphics-doc-html_3.5.8-2_all.deb
to pool/main/k/kdegraphics/kdegraphics-doc-html_3.5.8-2_all.deb
kdegraphics-kfile-plugins_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/kdegraphics-kfile-plugins_3.5.8-2_amd64.deb
kdegraphics_3.5.8-2.diff.gz
to pool/main/k/kdegraphics/kdegraphics_3.5.8-2.diff.gz
kdegraphics_3.5.8-2.dsc
to pool/main/k/kdegraphics/kdegraphics_3.5.8-2.dsc
kdegraphics_3.5.8-2_all.deb
to pool/main/k/kdegraphics/kdegraphics_3.5.8-2_all.deb
kdvi_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/kdvi_3.5.8-2_amd64.deb
kfax_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/kfax_3.5.8-2_amd64.deb
kfaxview_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/kfaxview_3.5.8-2_amd64.deb
kgamma_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/kgamma_3.5.8-2_amd64.deb
kghostview_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/kghostview_3.5.8-2_amd64.deb
kiconedit_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/kiconedit_3.5.8-2_amd64.deb
kmrml_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/kmrml_3.5.8-2_amd64.deb
kolourpaint_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/kolourpaint_3.5.8-2_amd64.deb
kooka_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/kooka_3.5.8-2_amd64.deb
kpdf_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/kpdf_3.5.8-2_amd64.deb
kpovmodeler_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/kpovmodeler_3.5.8-2_amd64.deb
kruler_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/kruler_3.5.8-2_amd64.deb
ksnapshot_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/ksnapshot_3.5.8-2_amd64.deb
ksvg_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/ksvg_3.5.8-2_amd64.deb
kuickshow_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/kuickshow_3.5.8-2_amd64.deb
kview_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/kview_3.5.8-2_amd64.deb
kviewshell_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/kviewshell_3.5.8-2_amd64.deb
libkscan-dev_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/libkscan-dev_3.5.8-2_amd64.deb
libkscan1_3.5.8-2_amd64.deb
to pool/main/k/kdegraphics/libkscan1_3.5.8-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ana Beatriz Guerrero Lopez <[EMAIL PROTECTED]> (supplier of updated kdegraphics
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 11 Nov 2007 19:50:13 +0100
Source: kdegraphics
Binary: kdegraphics-kfile-plugins ksnapshot kviewshell kghostview libkscan-dev
kruler kcoloredit kamera kdegraphics-dev libkscan1 kdegraphics-dbg kview
kdegraphics-doc-html kpdf ksvg kdvi kiconedit kfax kfaxview kuickshow kooka
kdegraphics kolourpaint kmrml kgamma kpovmodeler
Architecture: source amd64 all
Version: 4:3.5.8-2
Distribution: unstable
Urgency: low
Maintainer: Debian Qt/KDE Maintainers <[EMAIL PROTECTED]>
Changed-By: Ana Beatriz Guerrero Lopez <[EMAIL PROTECTED]>
Description:
kamera - digital camera io_slave for Konqueror
kcoloredit - a color palette editor and color picker for KDE
kdegraphics - graphics apps from the official KDE release
kdegraphics-dbg - debugging symbols for kdegraphics
kdegraphics-dev - development files for the KDE graphics module
kdegraphics-doc-html - KDE graphics documentation in HTML format
kdegraphics-kfile-plugins - KDE metainfo plugins for graphic files
kdvi - dvi viewer for KDE
kfax - G3/G4 fax viewer for KDE
kfaxview - G3/G4 fax viewer for KDE using kviewshell
kgamma - gamma correction module for the KDE Control Center
kghostview - PostScript viewer for KDE
kiconedit - an icon editor for KDE
kmrml - a Konqueror plugin for searching pictures
kolourpaint - a simple paint program for KDE
kooka - scanner program for KDE
kpdf - PDF viewer for KDE
kpovmodeler - a graphical editor for povray scenes
kruler - a screen ruler and color measurement tool for KDE
ksnapshot - screenshot utility for KDE
ksvg - SVG viewer for KDE
kuickshow - KDE image/slideshow viewer
kview - simple image viewer/converter for KDE
kviewshell - generic framework for viewer applications in KDE
libkscan-dev - development files for the KDE scanner library
libkscan1 - scanner library for KDE
Closes: 448254 450630
Changes:
kdegraphics (4:3.5.8-2) unstable; urgency=low
.
* Patch to multiple xpdf based vulnerabilities. (Closes: #450630)
CVE-2007-4352, CVE-2007-5392, CVE-2007-5393.
* Make kdegraphics binNMU safe. Thanks Lior! (Closes: #448254)
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Signed by Ana Guerrero
iD8DBQFHN2MMn3j4POjENGERApXxAJ99fWsKPANkx7NM5ztJ7c+4Xkeq6QCfRLIz
FKb9bExz/BKjWTGLye8CDA0=
=ZkOF
-----END PGP SIGNATURE-----
--- End Message ---