From: [email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1793-1                  [email protected]
http://www.debian.org/security/                           Noah Meyerhans
May 06, 2009                          http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : kdegraphics
Vulnerability : multiple
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2009-0146 CVE-2009-0147 CVE-2009-0165
CVE-2009-0166 CVE-2009-0799 CVE-2009-0800
CVE-2009-1179 CVE-2009-1180 CVE-2009-1181
CVE-2009-1182 CVE-2009-1183
Debian Bug : 524810
kpdf, a Portable Document Format (PDF) viewer for KDE, is based on the
xpdf program and thus suffers from similar flaws to those described in DSA-1790.
The Common Vulnerabilities and Exposures project identifies the
following problems:
CVE-2009-0146
Multiple buffer overflows in the JBIG2 decoder in kpdf allow
remote attackers to cause a denial of service (crash) via a
crafted PDF file, related to (1) JBIG2SymbolDict::setBitmap and
(2) JBIG2Stream::readSymbolDictSeg.
CVE-2009-0147
Multiple integer overflows in the JBIG2 decoder in kpdf allow
remote attackers to cause a denial of service (crash) via a
crafted PDF file, related to (1) JBIG2Stream::readSymbolDictSeg,
(2) JBIG2Stream::readSymbolDictSeg, and (3)
JBIG2Stream::readGenericBitmap.
CVE-2009-0165
Integer overflow in the JBIG2 decoder in kpdf has unspecified
impact related to "g*allocn."
CVE-2009-0166
The JBIG2 decoder in kpdf allows remote attackers to cause a
denial of service (crash) via a crafted PDF file that triggers a
free of uninitialized memory.
CVE-2009-0799
The JBIG2 decoder in kpdf allows remote attackers to cause a
denial of service (crash) via a crafted PDF file that triggers an
out-of-bounds read.
CVE-2009-0800
Multiple "input validation flaws" in the JBIG2 decoder in kpdf
allow remote attackers to execute arbitrary code via a crafted PDF
file.
CVE-2009-1179
Integer overflow in the JBIG2 decoder in kpdf allows remote
attackers to execute arbitrary code via a crafted PDF file.
CVE-2009-1180
The JBIG2 decoder in kpdf allows remote attackers to execute
arbitrary code via a crafted PDF file that triggers a free of
invalid data.
CVE-2009-1181
The JBIG2 decoder in kpdf allows remote attackers to cause a
denial of service (crash) via a crafted PDF file that triggers a
NULL pointer dereference.
CVE-2009-1182
Multiple buffer overflows in the JBIG2 MMR decoder in kpdf allow
remote attackers to execute arbitrary code via a crafted PDF file.
CVE-2009-1183
The JBIG2 MMR decoder in kpdf allows remote attackers to cause a
denial of service (infinite loop and hang) via a crafted PDF file.
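The JBIG2 entries above fall into two bug classes: a count read from the file is multiplied into an allocation size in 32-bit arithmetic and wraps (the g*allocn and readSymbolDictSeg integer overflows), and a decode loop keeps going on input that makes no progress (the MMR hang). The following is an added illustration of both, written for this page; it is not xpdf or kpdf code. The toy segment layout (a 4-byte big-endian symbol count followed by one byte per symbol), the function names, and the sample byte strings are assumptions made for the example.

```c
/* Added example, not xpdf/kpdf code: the two JBIG2 bug classes above in a
 * self-contained form.  Segment layout, names and sample bytes are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Read a big-endian 32-bit field, the byte order JBIG2 headers use. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern: count * element size in 32-bit arithmetic wraps.
 * 0x40000001 four-byte entries come out as 4 bytes, so a decoder would
 * allocate a 4-byte table and then write 0x40000001 entries into it.
 * Only the wrapped size is returned here; nothing is allocated or written. */
uint32_t vuln_table_bytes(uint32_t n_syms, uint32_t elem_size)
{
    return n_syms * elem_size;          /* unsigned wrap modulo 2^32 */
}

/* Hardened helper in the spirit of an overflow-checked allocn(): refuse
 * before the product can wrap.  NULL on overflow or a zero count/size. */
void *checked_allocn(uint32_t n_objs, uint32_t obj_size)
{
    if (n_objs == 0 || obj_size == 0)
        return NULL;
    if (n_objs > UINT32_MAX / obj_size)  /* n_objs * obj_size would wrap */
        return NULL;
    return calloc(n_objs, obj_size);
}

/* 1 if checked_allocn() accepts (n, size), 0 if it rejects it. */
int checked_allocn_ok(uint32_t n_objs, uint32_t obj_size)
{
    void *p = checked_allocn(n_objs, obj_size);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

/* Parse the toy symbol-dictionary segment: 1 and the symbol count on
 * success, 0 on a malformed segment.  The count is checked against the
 * bytes actually present before any allocation is sized from it. */
int parse_symdict(const uint8_t *seg, size_t seg_len, uint32_t *n_out)
{
    if (seg_len < 4)
        return 0;
    uint32_t n = be32(seg);
    if (n > seg_len - 4)               /* more symbols than data bytes */
        return 0;
    if (n == 0) {
        *n_out = 0;
        return 1;
    }
    const uint8_t **table = checked_allocn(n, sizeof *table);
    if (table == NULL)
        return 0;
    for (uint32_t i = 0; i < n; i++)
        table[i] = &seg[4 + i];        /* each entry refers to its byte */
    free(table);
    *n_out = n;
    return 1;
}

/* Constructed sample segments and run lists (not from any real PDF). */
const uint8_t good_seg[]   = { 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c' };
const uint8_t evil_seg[]   = { 0x40, 0x00, 0x00, 0x01, 'a', 'b', 'c' };
const uint8_t runs_ok[]    = { 3, 5 };    /* fills an 8-pixel row */
const uint8_t runs_stuck[] = { 3, 0, 5 }; /* zero-length run: no progress */
const uint8_t runs_long[]  = { 9 };       /* overshoots an 8-pixel row */

/* Symbol count of a segment, or -1 if it is rejected. */
int symbols_in(const uint8_t *seg, size_t seg_len)
{
    uint32_t n;
    return parse_symdict(seg, seg_len, &n) ? (int)n : -1;
}

/* Bounded run reader modelled on the MMR hang: a loop that runs "until the
 * row is full" must treat a run that does not advance, or that overshoots
 * the row, as an error instead of spinning.  Returns runs consumed or -1. */
int decode_runs(const uint8_t *runs, size_t n_runs, uint32_t row_width)
{
    uint32_t pos = 0;
    size_t i = 0;
    while (pos < row_width) {
        if (i >= n_runs)
            return -1;                 /* input exhausted before the row */
        uint32_t run = runs[i++];
        if (run == 0 || run > row_width - pos)
            return -1;                 /* no progress, or past the row end */
        pos += run;
    }
    return (int)i;
}

int main(void)
{
    printf("wrapped size for 0x40000001 x 4: %u\n", vuln_table_bytes(0x40000001u, 4));
    printf("checked_allocn accepts it: %d\n", checked_allocn_ok(0x40000001u, 4));
    printf("good segment: %d, evil segment: %d\n",
           symbols_in(good_seg, sizeof good_seg), symbols_in(evil_seg, sizeof evil_seg));
    printf("stuck run list: %d\n", decode_runs(runs_stuck, sizeof runs_stuck, 8));
    return 0;
}
```

The count-versus-length check in parse_symdict rejects the crafted segment before the allocation size is ever computed; checked_allocn is the second line of defence for counts that are plausible against the data length but still too large to multiply. Both checks are cheap, and the fixed xpdf code adds checks of this kind at the same points.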
We recommend that you upgrade your kdegraphics packages.
Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
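The manual wget / dpkg -i route above skips the archive signature check that apt performs, so the one thing to do between the two steps is compare the downloaded file against the Size/MD5 pair the advisory lists for it. The script below is an added example, not part of the advisory: verify_deb does that comparison, and fetch_verify_install strings the advisory's two commands around it. The file used in the comment is the alpha kpdf package from the list that follows; the function names are assumptions made here.

```sh
#!/bin/sh
# Added example (not from the advisory): check a downloaded .deb against the
# Size/MD5 pair listed for it before handing it to dpkg -i.

# verify_deb FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 when both the byte count and the MD5 match, 1 otherwise.
# Example, using the alpha kpdf line from the package list:
#   verify_deb kpdf_3.5.5-3etch3_alpha.deb 856558 319b936aa8bbf8b2e7f38b16871d504c
verify_deb() {
    file=$1
    expected_size=$2
    expected_md5=$3

    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }

    actual_size=$(wc -c < "$file" | tr -d ' ')
    actual_md5=$(md5sum "$file" | cut -d' ' -f1)

    if [ "$actual_size" != "$expected_size" ]; then
        echo "size mismatch for $file: got $actual_size, advisory lists $expected_size" >&2
        return 1
    fi
    if [ "$actual_md5" != "$expected_md5" ]; then
        echo "md5 mismatch for $file: got $actual_md5, advisory lists $expected_md5" >&2
        return 1
    fi
    return 0
}

# fetch_verify_install URL SIZE MD5
# The advisory's wget and dpkg -i steps with the check in between; a file
# that fails the check is deleted rather than installed.
fetch_verify_install() {
    url=$1
    size=$2
    md5=$3
    deb=$(basename "$url")
    wget -q -O "$deb" "$url" || return 1
    verify_deb "$deb" "$size" "$md5" || { rm -f "$deb"; return 1; }
    dpkg -i "$deb"
}
```

The MD5 here only confirms that the download matches what the advisory lists; what makes that list trustworthy is the PGP signature on the advisory itself (the message is signed, as its header shows), and on a system using the security.debian.org apt source the archive's own signed index files do the same job automatically.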
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Debian (oldstable)
- ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/k/kdegraphics/kdegraphics_3.5.5-3etch3.diff.gz
Size/MD5 checksum: 432182 2053275597413021f87e328af7f43d0f
http://security.debian.org/pool/updates/main/k/kdegraphics/kdegraphics_3.5.5-3etch3.dsc
Size/MD5 checksum: 1536 57806c433333025933014631c41e518a
http://security.debian.org/pool/updates/main/k/kdegraphics/kdegraphics_3.5.5.orig.tar.gz
Size/MD5 checksum: 9012930 944e16dde53ffdb8c25a90d951a9d223
Architecture independent packages:
http://security.debian.org/pool/updates/main/k/kdegraphics/kdegraphics-doc-html_3.5.5-3etch3_all.deb
Size/MD5 checksum: 156348 10d47436c7ad315663e54f5bef6956fe
http://security.debian.org/pool/updates/main/k/kdegraphics/kdegraphics_3.5.5-3etch3_all.deb
Size/MD5 checksum: 19940 c4a51eb3d3eaf0de3e401e66d77093dd
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/k/kdegraphics/kgamma_3.5.5-3etch3_alpha.deb
Size/MD5 checksum: 82940 279fe5e4b03666f881f1a9d53fc49be9
http://security.debian.org/pool/updates/main/k/kdegraphics/kiconedit_3.5.5-3etch3_alpha.deb
Size/MD5 checksum: 198562 ee1af15d9d521f7508eda61000500330
http://security.debian.org/pool/updates/main/k/kdegraphics/kpdf_3.5.5-3etch3_alpha.deb
Size/MD5 checksum: 856558 319b936aa8bbf8b2e7f38b16871d504c
http://security.debian.org/pool/updates/main/k/kdegraphics/kooka_3.5.5-3etch3_alpha.deb
Size/MD5 checksum: 780850 34e264cffbc7acec902cd985c1580d82
http://security.debian.org/pool/updates/main/k/kdegraphics/kolourpaint_3.5.5-3etch3_alpha.deb
Size/MD5 checksum: 1146416 948e35d1a8c6a39b63ad036c8ac4807b
http://security.debian.org/pool/updates/main/k/kdegraphics/kfaxview_3.5.5-3etch3_alpha.deb
Size/MD5 checksum: 114074 a9ac69d9ffbdcc89146f990b16fcdc81
http://security.debian.org/pool/updates/main/k/kdegraphics/kuickshow_3.5.5-3etch3_alpha.deb
Size/MD5 checksum: 509372 cb5a8055bc0af7cbf33566d8147330fc
http://security.debian.org/pool/updates/main/k/kdegraphics/kmrml_3.5.5-3etch3_alpha.deb
Size/MD5 checksum: 251380 4503f766d0a0fba671df9c45b632d6e6
http://security.debian.org/pool/updates/main/k/kdegraphics/kghostview_3.5.5-3etch3_alpha.deb
Size/MD5 checksum: 255340 9b7321ad4b356ce7024bf9044c3ac0e0
http://security.debian.org/pool/updates/main/k/kdegraphics/kviewshell_3.5.5-3etch3_alpha.deb
Size/MD5 checksum: 887210 61802ba3026c338444c39e90daa2cfc8
http://security.debian.org/pool/updates/main/k/kdegraphics/kfax_3.5.5-3etch3_alpha.deb
Size/MD5 checksum: 152524 fdca706a9c72c744347851b3b1dabab8
http://security.debian.org/pool/updates/main/k/kdegraphics/libkscan-dev_3.5.5-3etch3_alpha.deb
[continued in next message]