Hi. On the heels of the recent xpdf/kpdf vulnerabilities, there is a similar fix for koffice (which inherits some of the same code).
I'm building a fixed package for sarge ATM, to be uploaded to t-p-u. I've already chatted about this with vorlon on irc, but the security team has asked that I mail debian-release also, so here I am. The fixed package version will be 1:1.3.2-1.sarge.2. I've attached the full diff below -- it's the security fixes and nothing else. Please let me know if there's anything else you need from me. Ben.
diff -u koffice-1.3.2/debian/changelog koffice-1.3.2/debian/changelog
--- koffice-1.3.2/debian/changelog
+++ koffice-1.3.2/debian/changelog
@@ -1,3 +1,12 @@
+koffice (1:1.3.2-1.sarge.2) testing-proposed-updates; urgency=critical
+
+  * Security upload to testing-proposed-updates.
+  * Fixes integer overflows in KWord's PDF import filter. This patch forms
+    part of the KDE security advisory (2004-10-21, CAN-2004-0888) relating to
+    vulnerabilities inherited from the xpdf code.
+
+ -- Ben Burton <[EMAIL PROTECTED]>  Mon, 25 Oct 2004 20:11:56 +1000
+
 koffice (1:1.3.2-1.sarge.1) testing-proposed-updates; urgency=medium
 
   * Uploaded to testing-proposed-updates, since the buildds for unstable only
only in patch2: unchanged:
--- koffice-1.3.2.orig/filters/kword/pdf/xpdf/xpdf/Catalog.cc
+++ koffice-1.3.2/filters/kword/pdf/xpdf/xpdf/Catalog.cc
@@ -63,6 +63,12 @@
   }
   pagesSize = numPages0 = obj.getInt();
   obj.free();
+  if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
+      pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
+    error(-1, "Invalid 'pagesSize'");
+    ok = gFalse;
+    return;
+  }
   pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
   pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
   for (i = 0; i < pagesSize; ++i) {
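Review bot: The new guard does its arithmetic in size_t, but the product it approves is then passed to gmalloc(), which in the stock xpdf 3.0 goo/gmem of this vintage takes an int, so the check and the allocation disagree on where overflow happens. On a platform with 64-bit size_t every non-negative int pagesSize multiplied by sizeof(Page *) or sizeof(Ref) fits in size_t, so the division round-trip never fires there and only rejects negative counts, while the product is still narrowed to int at the call and can become a much smaller allocation than the loop that follows (`for (i = 0; i < pagesSize; ++i)`) assumes. Bounding the count itself, independent of the word size, closes that gap: `if (pagesSize < 0 || (size_t)pagesSize > INT_MAX / sizeof(Page *) || (size_t)pagesSize > INT_MAX / sizeof(Ref)) {` in place of the two round-trip comparisons, or a single checked helper taking (count, element size) that every call site uses. The same pattern recurs in the Catalog.cc hunk at @@ -190 and in all four XRef.cc hunks. The enclosing constructor begins before this hunk and continues past it.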
@@ -190,6 +196,11 @@
   }
   if (start >= pagesSize) {
     pagesSize += 32;
+    if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
+        pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
+      error(-1, "Invalid 'pagesSize' parameter.");
+      goto err3;
+    }
     pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
     pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
     for (j = pagesSize - 32; j < pagesSize; ++j) {
only in patch2: unchanged:
--- koffice-1.3.2.orig/filters/kword/pdf/xpdf/xpdf/XRef.cc
+++ koffice-1.3.2/filters/kword/pdf/xpdf/xpdf/XRef.cc
@@ -76,6 +76,12 @@
   // trailer is ok - read the xref table
   } else {
+    if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) {
+      error(-1, "Invalid 'size' inside xref table.");
+      ok = gFalse;
+      errCode = errDamaged;
+      return;
+    }
     entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
     for (i = 0; i < size; ++i) {
       entries[i].offset = 0xffffffff;
@@ -267,6 +273,10 @@
     // table size
     if (first + n > size) {
       newSize = size + 256;
+      if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+        error(-1, "Invalid 'newSize'");
+        goto err2;
+      }
       entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
       for (i = size; i < newSize; ++i) {
         entries[i].offset = 0xffffffff;
@@ -410,6 +420,10 @@
       if (!strncmp(p, "obj", 3)) {
         if (num >= size) {
           newSize = (num + 1 + 255) & ~255;
+          if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+            error(-1, "Invalid 'obj' parameters.");
+            return gFalse;
+          }
           entries = (XRefEntry *) grealloc(entries, newSize * sizeof(XRefEntry));
           for (i = size; i < newSize; ++i) {
@@ -431,6 +445,11 @@
       } else if (!strncmp(p, "endstream", 9)) {
         if (streamEndsLen == streamEndsSize) {
           streamEndsSize += 64;
+          if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) {
+            error(-1, "Invalid 'endstream' parameter.");
+            return gFalse;
+          }
+
           streamEnds = (Guint *)grealloc(streamEnds, streamEndsSize * sizeof(int));
         }
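Review bot: The signed-int arithmetic that feeds the new guards still runs on values read straight from the file, so it can overflow before any guard is reached: `first + n > size` in the @@ -267 hunk, and `newSize = (num + 1 + 255) & ~255` in the @@ -410 hunk, both wrap (undefined behaviour) when the parsed value is close to INT_MAX, and the added check then examines a result that has already gone wrong. Validating the operands before combining them is what makes the later check meaningful, e.g. `if (first < 0 || n < 0 || n > INT_MAX - first) goto err2;` ahead of the comparison at @@ -267 and `if (num < 0 || num > INT_MAX - 256) return gFalse;` ahead of the newSize computation at @@ -410. Where first, n and num are parsed, and what a negative num leads to further down, lies outside these hunks.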
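Review bot: The guard in the @@ -431 hunk sizes the array with `sizeof(int)` although streamEnds is declared through `(Guint *)`, repeating a mismatch the grealloc() line already carries; the two widths coincide on the usual ABIs, but a bounds check and the allocation it protects should both be tied to the element type so they cannot drift apart, i.e. `sizeof(*streamEnds)` in both the added condition and the grealloc() call. The surrounding function continues beyond the hunk.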