Hi, "infamous41md" discovered several heap based buffer overflows in xpdf, the Portable Document Format (PDF) suite, which is also present in koffice, the KDE Office Suite, and which can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code.
CVE IDs : CVE-2005-3191 CVE-2005-3193 CVE-2005-3624 CVE-2005-3625
CVE-2005-3626 CVE-2005-3627 CVE-2005-3628
I'm attachning the patch we're going to use for the update in sarge.
Please
. update the package in sid
. mention the CVE id from above in the changelog
. tell me the version number of the fixed package
. use urgency=high
Regards,
Joey
--
Never trust an operating system you don't have source for!
diff -u koffice-1.3.5/debian/changelog koffice-1.3.5/debian/changelog --- koffice-1.3.5/debian/changelog +++ koffice-1.3.5/debian/changelog @@ -1,3 +1,15 @@ +koffice (1:1.3.5-4.sarge.2) stable-security; urgency=high + + * Non-maintainer upload by the Security Team + * Applied patches by Derek Noonberg, Martin Pitt, Dirk Müller and + Ludwig Nussel to fix buffer overflows in the xpdf filter + [filters/kword/pdf/xpdf/xpdf/JBIG2Stream.cc, + filters/kword/pdf/xpdf/xpdf/Stream.cc, + filters/kword/pdf/xpdf/xpdf/Stream.h, CVE-2005-3191, CVE-2005-3193, + ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.01pl1.patch] + + -- Martin Schulze <[EMAIL PROTECTED]> Wed, 21 Dec 2005 10:30:53 +0100 + koffice (1:1.3.5-4.sarge.1) stable-security; urgency=high * Security upload. only in patch2: unchanged: --- koffice-1.3.5.orig/debian/patches/security_CVE-2005-3191.diff +++ koffice-1.3.5/debian/patches/security_CVE-2005-3191.diff @@ -0,0 +1,244 @@ +diff -u -p -Nr --exclude CVS koffice-1.3.5.orig/filters/kword/pdf/xpdf/xpdf/JBIG2Stream.cc koffice-1.3.5/filters/kword/pdf/xpdf/xpdf/JBIG2Stream.cc +--- koffice-1.3.5.orig/filters/kword/pdf/xpdf/xpdf/JBIG2Stream.cc 2003-01-13 15:51:17.000000000 +0100 ++++ koffice-1.3.5/filters/kword/pdf/xpdf/xpdf/JBIG2Stream.cc 2005-12-21 10:22:50.000000000 +0100 +@@ -13,6 +13,7 @@ + #endif + + #include <stdlib.h> ++#include <limits.h> + #include "GList.h" + #include "Error.h" + #include "JBIG2Stream.h" +@@ -977,7 +978,14 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, + w = wA; + h = hA; + line = (wA + 7) >> 3; +- data = (Guchar *)gmalloc(h * line); ++ ++ if (h < 0 || line <= 0 || h >= (INT_MAX-1) / line) ++ data = NULL; ++ else { ++ // need to allocate one extra guard byte for use in combine() ++ data = (Guchar *)gmalloc(h * line + 1); ++ data[h * line] = 0; ++ } + } + + JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap): +@@ -986,8 +994,15 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, + w = bitmap->w; + h = bitmap->h; + line = bitmap->line; +- data = (Guchar *)gmalloc(h * line); ++ ++ if (h < 0 || line <= 0 || h >= (INT_MAX-1) / line) { ++ data = NULL; ++ return; ++ } ++ ++ data = (Guchar *)gmalloc(h * line + 1); + memcpy(data, bitmap->data, h * line); ++ data[h * line] = 0; + } + + JBIG2Bitmap::~JBIG2Bitmap() { +@@ -1012,10 +1027,10 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint + } + + void JBIG2Bitmap::expand(int newH, Guint pixel) { +- if (newH <= h) { ++ if (newH <= h || line <= 0 || newH >= (INT_MAX-1) / line) { + return; + } +- data = (Guchar *)grealloc(data, newH * line); ++ data = (Guchar *)grealloc(data, newH * line + 1); + if (pixel) { + memset(data + h * line, 0xff, (newH - h) * line); + } else { +@@ -2505,6 +2520,16 @@ void JBIG2Stream::readHalftoneRegionSeg( + error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment"); + return; + } ++ ++ if (gridH == 0 || gridW >= INT_MAX / gridH) { ++ error(getPos(), "Bad size in JBIG2 halftone segment"); ++ return; ++ } ++ if (w == 0 || h >= INT_MAX / w) { ++ error(getPos(), "Bad size in JBIG2 bitmap segment"); ++ return; ++ } ++ + patternDict = (JBIG2PatternDict *)seg; + bpp = 0; + i = 1; +@@ -3078,6 +3103,9 @@ JBIG2Bitmap *JBIG2Stream::readGenericRef + Guint ltpCX, cx, cx0, cx2, cx3, cx4, tpgrCX0, tpgrCX1, tpgrCX2; + int x, y, pix; + ++ if (w < 0 || h <= 0 || w >= INT_MAX / h) ++ return NULL; ++ + bitmap = new JBIG2Bitmap(0, w, h); + bitmap->clearToZero(); + +diff -u -p -Nr --exclude CVS koffice-1.3.5.orig/filters/kword/pdf/xpdf/xpdf/Stream.cc koffice-1.3.5/filters/kword/pdf/xpdf/xpdf/Stream.cc +--- koffice-1.3.5.orig/filters/kword/pdf/xpdf/xpdf/Stream.cc 2003-01-13 15:51:17.000000000 +0100 ++++ koffice-1.3.5/filters/kword/pdf/xpdf/xpdf/Stream.cc 2005-12-21 10:23:03.000000000 +0100 +@@ -15,6 +15,7 @@ + #include <stdio.h> + #include <stdlib.h> + #include <stddef.h> ++#include <limits.h> + #ifndef WIN32 + #include <unistd.h> + #endif +@@ -404,18 +405,41 @@ void ImageStream::skipLine() { + + StreamPredictor::StreamPredictor(Stream *strA, int predictorA, + int widthA, int nCompsA, int nBitsA) { ++ int totalBits; ++ + str = strA; + predictor = predictorA; + width = widthA; + nComps = nCompsA; + nBits = nBitsA; ++ predLine = NULL; ++ ok = gFalse; + ++ if (width <= 0 || nComps <= 0 || nBits <= 0 || ++ nComps >= INT_MAX/nBits || ++ width >= INT_MAX/nComps/nBits) { ++ return; ++ } + nVals = width * nComps; ++ if (nVals + 7 <= 0) { ++ return; ++ } ++ totalBits = nVals * nBits; ++ if (totalBits == 0 || ++ (totalBits / nBits) / nComps != width || ++ totalBits + 7 < 0) { ++ return; ++ } + pixBytes = (nComps * nBits + 7) >> 3; +- rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; ++ rowBytes = ((totalBits + 7) >> 3) + pixBytes; ++ if (rowBytes < 0) { ++ return; ++ } + predLine = (Guchar *)gmalloc(rowBytes); + memset(predLine, 0, rowBytes); + predIdx = rowBytes; ++ ++ ok = gTrue; + } + + StreamPredictor::~StreamPredictor() { +@@ -982,6 +1006,10 @@ LZWStream::LZWStream(Stream *strA, int p + FilterStream(strA) { + if (predictor != 1) { + pred = new StreamPredictor(this, predictor, columns, colors, bits); ++ if (!pred->isOk()) { ++ delete pred; ++ pred = NULL; ++ } + } else { + pred = NULL; + } +@@ -1227,6 +1255,12 @@ CCITTFaxStream::CCITTFaxStream(Stream *s + endOfLine = endOfLineA; + byteAlign = byteAlignA; + columns = columnsA; ++ ++ if (columns + 4 < 1 || (columns + 4) >= INT_MAX / sizeof(short)) { ++ error(getPos(), "Bad number of columns in CCITTFaxStream"); ++ exit(1); ++ } ++ + rows = rowsA; + endOfBlock = endOfBlockA; + black = blackA; +@@ -2861,6 +2895,11 @@ GBool DCTStream::readBaselineSOF() { + height = read16(); + width = read16(); + numComps = str->getChar(); ++ if (numComps <= 0 || numComps > 4) { ++ numComps = 0; ++ error(getPos(), "Bad number of components in DCT stream", prec); ++ return gFalse; ++ } + if (prec != 8) { + error(getPos(), "Bad DCT precision %d", prec); + return gFalse; +@@ -2887,6 +2926,11 @@ GBool DCTStream::readProgressiveSOF() { + height = read16(); + width = read16(); + numComps = str->getChar(); ++ if (numComps <= 0 || numComps > 4) { ++ numComps = 0; ++ error(getPos(), "Bad number of components in DCT stream"); ++ return gFalse; ++ } + if (prec != 8) { + error(getPos(), "Bad DCT precision %d", prec); + return gFalse; +@@ -2909,6 +2953,11 @@ GBool DCTStream::readScanInfo() { + + length = read16() - 2; + scanInfo.numComps = str->getChar(); ++ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) { ++ scanInfo.numComps = 0; ++ error(getPos(), "Bad number of components in DCT stream"); ++ return gFalse; ++ } + --length; + if (length != 2 * scanInfo.numComps + 3) { + error(getPos(), "Bad DCT scan info block"); +@@ -2976,12 +3025,12 @@ GBool DCTStream::readHuffmanTables() { + while (length > 0) { + index = str->getChar(); + --length; +- if ((index & 0x0f) >= 4) { ++ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) { + error(getPos(), "Bad DCT Huffman table"); + return gFalse; + } + if (index & 0x10) { +- index &= 0x0f; ++ index &= 0x03; + if (index >= numACHuffTables) + numACHuffTables = index+1; + tbl = &acHuffTables[index]; +@@ -3179,6 +3228,10 @@ FlateStream::FlateStream(Stream *strA, i + FilterStream(strA) { + if (predictor != 1) { + pred = new StreamPredictor(this, predictor, columns, colors, bits); ++ if (!pred->isOk()) { ++ delete pred; ++ pred = NULL; ++ } + } else { + pred = NULL; + } +diff -u -p -Nr --exclude CVS koffice-1.3.5.orig/filters/kword/pdf/xpdf/xpdf/Stream.h koffice-1.3.5/filters/kword/pdf/xpdf/xpdf/Stream.h +--- koffice-1.3.5.orig/filters/kword/pdf/xpdf/xpdf/Stream.h 2003-07-01 00:13:04.000000000 +0200 ++++ koffice-1.3.5/filters/kword/pdf/xpdf/xpdf/Stream.h 2005-12-21 10:23:03.000000000 +0100 +@@ -225,6 +225,8 @@ public: + + ~StreamPredictor(); + ++ GBool isOk() { return ok; } ++ + int lookChar(); + int getChar(); + +@@ -242,6 +244,7 @@ private: + int rowBytes; // bytes per line + Guchar *predLine; // line buffer + int predIdx; // current index in predLine ++ GBool ok; + }; + + //------------------------------------------------------------------------
signature.asc
Description: Digital signature
