Your message dated Tue, 30 Aug 2005 07:32:07 -0700 with message-id <[EMAIL PROTECTED]> and subject line Bug#322458: fixed in kdegraphics 4:3.4.2-1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 10 Aug 2005 19:00:29 +0000
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: CAN-2005-2097: DoS vulnerability through PDFs with crafted loca tables
X-Mailer: reportbug 3.15
Date: Wed, 10 Aug 2005 21:00:52 +0200
Message-Id: <[EMAIL PROTECTED]>

Package: kpdf
Severity: important
Tags: security patch

A DoS vulnerability has been found in xpdf that affects the kpdf of the
soon to be uploaded 3.4.1 packages:

| kpdf, the KDE pdf viewer, shares code with xpdf. xpdf contains
| a vulnerability that causes it to write a file in $TMPDIR with
| almost infinite size, which can severely impact system performance.

Please see this URL for details and a patch:
http://www.kde.org/info/security/advisory-20050809-1.txt

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

---------------------------------------
Received: (at 322458-close) by bugs.debian.org; 30 Aug 2005 14:38:52 +0000
From: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
To: [EMAIL PROTECTED]
Subject: Bug#322458: fixed in kdegraphics 4:3.4.2-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Tue, 30 Aug 2005 07:32:07 -0700

Source: kdegraphics
Source-Version: 4:3.4.2-1

We believe that the bug you reported is fixed in the latest version of
kdegraphics, which is due to be installed in the Debian FTP archive:

kamera_3.4.2-1_i386.deb
  to pool/main/k/kdegraphics/kamera_3.4.2-1_i386.deb
kcoloredit_3.4.2-1_i386.deb
  to pool/main/k/kdegraphics/kcoloredit_3.4.2-1_i386.deb
kdegraphics-dev_3.4.2-1_i386.deb
  to pool/main/k/kdegraphics/kdegraphics-dev_3.4.2-1_i386.deb
kdegraphics-doc-html_3.4.2-1_all.deb
  to pool/main/k/kdegraphics/kdegraphics-doc-html_3.4.2-1_all.deb
kdegraphics-kfile-plugins_3.4.2-1_i386.deb
  to pool/main/k/kdegraphics/kdegraphics-kfile-plugins_3.4.2-1_i386.deb
kdegraphics_3.4.2-1.diff.gz
  to pool/main/k/kdegraphics/kdegraphics_3.4.2-1.diff.gz
kdegraphics_3.4.2-1.dsc
  to pool/main/k/kdegraphics/kdegraphics_3.4.2-1.dsc
kdegraphics_3.4.2-1_all.deb
  to pool/main/k/kdegraphics/kdegraphics_3.4.2-1_all.deb
kdegraphics_3.4.2.orig.tar.gz
  to pool/main/k/kdegraphics/kdegraphics_3.4.2.orig.tar.gz
kdvi_3.4.2-1_i386.deb
  to pool/main/k/kdegraphics/kdvi_3.4.2-1_i386.deb
kfax_3.4.2-1_i386.deb
  to pool/main/k/kdegraphics/kfax_3.4.2-1_i386.deb
kgamma_3.4.2-1_i386.deb
  to pool/main/k/kdegraphics/kgamma_3.4.2-1_i386.deb
kghostview_3.4.2-1_i386.deb
  to pool/main/k/kdegraphics/kghostview_3.4.2-1_i386.deb
kiconedit_3.4.2-1_i386.deb
  to pool/main/k/kdegraphics/kiconedit_3.4.2-1_i386.deb
kmrml_3.4.2-1_i386.deb
  to pool/main/k/kdegraphics/kmrml_3.4.2-1_i386.deb
kolourpaint_3.4.2-1_i386.deb
  to pool/main/k/kdegraphics/kolourpaint_3.4.2-1_i386.deb
kooka_3.4.2-1_i386.deb
  to pool/main/k/kdegraphics/kooka_3.4.2-1_i386.deb
kpdf_3.4.2-1_i386.deb
  to pool/main/k/kdegraphics/kpdf_3.4.2-1_i386.deb
kpovmodeler_3.4.2-1_i386.deb
  to pool/main/k/kdegraphics/kpovmodeler_3.4.2-1_i386.deb
kruler_3.4.2-1_i386.deb
  to pool/main/k/kdegraphics/kruler_3.4.2-1_i386.deb
ksnapshot_3.4.2-1_i386.deb
  to pool/main/k/kdegraphics/ksnapshot_3.4.2-1_i386.deb
ksvg_3.4.2-1_i386.deb
  to pool/main/k/kdegraphics/ksvg_3.4.2-1_i386.deb
kuickshow_3.4.2-1_i386.deb
  to pool/main/k/kdegraphics/kuickshow_3.4.2-1_i386.deb
kview_3.4.2-1_i386.deb
  to pool/main/k/kdegraphics/kview_3.4.2-1_i386.deb
kviewshell_3.4.2-1_i386.deb
  to pool/main/k/kdegraphics/kviewshell_3.4.2-1_i386.deb
libkscan-dev_3.4.2-1_i386.deb
  to pool/main/k/kdegraphics/libkscan-dev_3.4.2-1_i386.deb
libkscan1_3.4.2-1_i386.deb
  to pool/main/k/kdegraphics/libkscan1_3.4.2-1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> (supplier of updated kdegraphics package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 30 Aug 2005 13:30:37 +0200
Source: kdegraphics
Binary: kdegraphics-kfile-plugins ksnapshot kviewshell kghostview libkscan-dev kruler kcoloredit kamera kdegraphics-dev libkscan1 kview kdegraphics-doc-html kpdf ksvg kdvi kiconedit kfax kuickshow kooka kdegraphics kolourpaint kmrml kgamma kpovmodeler
Architecture: source i386 all
Version: 4:3.4.2-1
Distribution: unstable
Urgency: low
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Description:
 kamera     - digital camera io_slave for Konquerer
 kcoloredit - a color palette editor and color picker for KDE
 kdegraphics - graphics apps from the official KDE release
 kdegraphics-dev - development files for the KDE graphics module
 kdegraphics-doc-html - KDE graphics documentation in HTML format
 kdegraphics-kfile-plugins - KDE metainfo plugins for graphic files
 kdvi       - dvi viewer for KDE
 kfax       - G3/G4 fax viewer for KDE
 kgamma     - gamma correction module for the KDE Control Center
 kghostview - PostScript viewer for KDE
 kiconedit  - an icon editor for KDE
 kmrml      - a Konqueror plugin for searching pictures
 kolourpaint - a simple paint program for KDE
 kooka      - scanner program for KDE
 kpdf       - PDF viewer for KDE
 kpovmodeler - a graphical editor for povray scenes
 kruler     - a screen ruler and color measurement tool for KDE
 ksnapshot  - screenshot utility for KDE
 ksvg       - SVG viewer for KDE
 kuickshow  - KDE image/slideshow viewer
 kview      - simple image viewer/converter for KDE
 kviewshell - generic framework for viewer applications in KDE
 libkscan-dev - development files for the KDE scanner library
 libkscan1  - scanner library for KDE
Closes: 287007 322458
Changes:
 kdegraphics (4:3.4.2-1) unstable; urgency=low
 .
   * New upstream release.
 .
   * Bugs reported in the Debian BTS fixed by this release:
 .
     - kpdf temp file writing DoS vulnerability, closes: #322458
     - FTBFS in amd64 with gcc4, closes: #287007
 .
   +++ Changes by Christopher Martin:
 .
   * Remove 07_xlibs-static-pic.diff and the xlibs-static-pic build-dependency,
     and add a build-dependency on libxxf86vm-dev, for the X.Org transition.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Signed by Isaac Clerencia <[EMAIL PROTECTED]>

iD8DBQFDFGvoQET2GFTmct4RAuBaAJsEK3o9ul1+cuAzqbpalCvMXGyfFACgrTQr
HeUfcdBSfLYnOp0bt1rh/dU=
=0rem
-----END PGP SIGNATURE-----