MDKSA-2006:008

Package name

koffice

Date

2006-01-06

Advisory ID

MDKSA-2006:008

Affected versions

2006.0 i586 , 2006.0 x86_64

Problem description

Multiple heap-based buffer overflows in the
DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions
in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier,
allow user-complicit attackers to cause a denial of service (heap
corruption) and possibly execute arbitrary code via a crafted PDF file
with an out-of-range number of components (numComps), which is used as
an array index. (CVE-2005-3191)

Heap-based buffer overflow in the StreamPredictor function in Xpdf 3.01
allows remote attackers to execute arbitrary code via a PDF file with
an out-of-range numComps (number of components) field. (CVE-2005-3192)

Heap-based buffer overflow in the JPXStream::readCodestream function
in the JPX stream parsing code (JPXStream.c) for xpdf 3.01 and earlier
allows user-complicit attackers to cause a denial of service (heap
corruption) and possibly execute arbitrary code via a crafted PDF file
with large size values that cause insufficient memory to be allocated.
(CVE-2005-3193)

An additional patch re-addresses memory allocation routines in
goo/gmem.c (Martin Pitt/Canonical, Dirk Mueller/KDE).

In addition, Chris Evans discovered several other vulnerabilities in
the xpdf code base:

Out-of-bounds heap accesses with large or negative parameters to
"FlateDecode" stream. (CVE-2005-3192)

Out-of-bounds heap accesses with large or negative parameters to
"CCITTFaxDecode" stream. (CVE-2005-3624)

Infinite CPU spins in various places when stream ends unexpectedly.
(CVE-2005-3625)

NULL pointer crash in the "FlateDecode" stream. (CVE-2005-3626)

Overflows of compInfo array in "DCTDecode" stream. (CVE-2005-3627)

Possible to use index past end of array in "DCTDecode" stream.
(CVE-2005-3627)

Possible out-of-bounds indexing trouble in "DCTDecode" stream.
(CVE-2005-3627)

Koffice uses an embedded copy of the xpdf code, with the same
vulnerabilities.

The updated packages have been patched to correct these problems.

Updated packages

2006.0 i586

 5decbf029bf4482d1f93ea0df446121f  2006.0/RPMS/koffice-1.4.2-11.2.20060mdk.i586.rpm
 2aca3ec22b051466aeb57c82b26d12aa  2006.0/RPMS/koffice-karbon-1.4.2-11.2.20060mdk.i586.rpm
 f39b2a5a7ef35a0f579a0055b1c429c4  2006.0/RPMS/koffice-kexi-1.4.2-11.2.20060mdk.i586.rpm
 caab0530fcfcf10ec5913e7b101541c6  2006.0/RPMS/koffice-kformula-1.4.2-11.2.20060mdk.i586.rpm
 0a3732921e20069fd3b5cbac8c4733a9  2006.0/RPMS/koffice-kivio-1.4.2-11.2.20060mdk.i586.rpm
 e4d711f1487f3716f19527950bb64283  2006.0/RPMS/koffice-koshell-1.4.2-11.2.20060mdk.i586.rpm
 f5013764806edfcf9a31503b613459a2  2006.0/RPMS/koffice-kpresenter-1.4.2-11.2.20060mdk.i586.rpm
 668a7eb653da4db18b2e1c9daefb7e94  2006.0/RPMS/koffice-krita-1.4.2-11.2.20060mdk.i586.rpm
 ebb18a9011e702f01718c4c2b4d759e1  2006.0/RPMS/koffice-kspread-1.4.2-11.2.20060mdk.i586.rpm
 89a8d46e5768595584fcdbe307add521  2006.0/RPMS/koffice-kugar-1.4.2-11.2.20060mdk.i586.rpm
 1e9b58585bf742239b210e8519ed0d8f  2006.0/RPMS/koffice-kword-1.4.2-11.2.20060mdk.i586.rpm
 e5e19df847dc2693066a922f73b42c50  2006.0/RPMS/koffice-progs-1.4.2-11.2.20060mdk.i586.rpm
 fa63274a949dd60692888f515606f079  2006.0/RPMS/libkoffice2-karbon-1.4.2-11.2.20060mdk.i586.rpm
 8bedc58288b05ffb3134c07b7d46a118  2006.0/RPMS/libkoffice2-karbon-devel-1.4.2-11.2.20060mdk.i586.rpm
 681887908face81c17a37ca00d6c6022  2006.0/RPMS/libkoffice2-kexi-1.4.2-11.2.20060mdk.i586.rpm
 eab5ad72e95f108b923f3bf32bbe10f5  2006.0/RPMS/libkoffice2-kexi-devel-1.4.2-11.2.20060mdk.i586.rpm
 7e4b3718e863d0f66f2b7daca2a25f83  2006.0/RPMS/libkoffice2-kformula-1.4.2-11.2.20060mdk.i586.rpm
 bad0d716230bad4a9fe0ae27017b0ef7  2006.0/RPMS/libkoffice2-kformula-devel-1.4.2-11.2.20060mdk.i586.rpm
 077a3368bef791e1105ba82e41424847  2006.0/RPMS/libkoffice2-kivio-1.4.2-11.2.20060mdk.i586.rpm
 8091986d4999e3a702db1139c4cd1ac1  2006.0/RPMS/libkoffice2-kivio-devel-1.4.2-11.2.20060mdk.i586.rpm
 74eee88d1cafaab8ff4bbbe9717a0e6c  2006.0/RPMS/libkoffice2-koshell-1.4.2-11.2.20060mdk.i586.rpm
 25524a101fb458bfa15bf56706f1d02d  2006.0/RPMS/libkoffice2-kpresenter-1.4.2-11.2.20060mdk.i586.rpm
 e37ecf1e3aa338df37fa210aaf7822dd  2006.0/RPMS/libkoffice2-krita-1.4.2-11.2.20060mdk.i586.rpm
 cb1a07a6c9da09e6db6a506d8875daf8  2006.0/RPMS/libkoffice2-krita-devel-1.4.2-11.2.20060mdk.i586.rpm
 d1594075f9152ac891bb1bf2c3348770  2006.0/RPMS/libkoffice2-kspread-1.4.2-11.2.20060mdk.i586.rpm
 5f026461f8fba599df483bbaefcf8b23  2006.0/RPMS/libkoffice2-kspread-devel-1.4.2-11.2.20060mdk.i586.rpm
 897cbd506eb32b4cfecd6d4430cf217a  2006.0/RPMS/libkoffice2-kugar-1.4.2-11.2.20060mdk.i586.rpm
 7f4a36c89f799e2f6bf19e1bd9264f89  2006.0/RPMS/libkoffice2-kugar-devel-1.4.2-11.2.20060mdk.i586.rpm
 3fe5da8dc83ca866d6ae3a2eb21ff0f0  2006.0/RPMS/libkoffice2-kword-1.4.2-11.2.20060mdk.i586.rpm
 242ea66e5928964417859b1a26b665f8  2006.0/RPMS/libkoffice2-kword-devel-1.4.2-11.2.20060mdk.i586.rpm
 264f937ee2f1678245d3786fb449a1e5  2006.0/RPMS/libkoffice2-progs-1.4.2-11.2.20060mdk.i586.rpm
 6fc8f4494593692a215e6ace8bfc1112  2006.0/RPMS/libkoffice2-progs-devel-1.4.2-11.2.20060mdk.i586.rpm
 d1aa09f80b3e57ecfd60f0a7e263094a  2006.0/SRPMS/koffice-1.4.2-11.2.20060mdk.src.rpm

2006.0 x86_64

 895d2918a4723f99eb839c4d27306406  x86_64/2006.0/RPMS/koffice-1.4.2-11.2.20060mdk.x86_64.rpm
 e24e0e322dfe02f73c5d1b0571158cf2  x86_64/2006.0/RPMS/koffice-karbon-1.4.2-11.2.20060mdk.x86_64.rpm
 e22a93254fd15c0a7b672a1c6bcb91a0  x86_64/2006.0/RPMS/koffice-kexi-1.4.2-11.2.20060mdk.x86_64.rpm
 39dcd78e2747823f30364a789a7d1193  x86_64/2006.0/RPMS/koffice-kformula-1.4.2-11.2.20060mdk.x86_64.rpm
 c726114646f5fe94121cc2e48a4647b5  x86_64/2006.0/RPMS/koffice-kivio-1.4.2-11.2.20060mdk.x86_64.rpm
 bfcdebd6ced8553c1a7eb6ea1ffddbb9  x86_64/2006.0/RPMS/koffice-koshell-1.4.2-11.2.20060mdk.x86_64.rpm
 5f4d36c6c03dec33f6f88346fe1c8c11  x86_64/2006.0/RPMS/koffice-kpresenter-1.4.2-11.2.20060mdk.x86_64.rpm
 515f8db1ae75c28717a7ed8b7475278f  x86_64/2006.0/RPMS/koffice-krita-1.4.2-11.2.20060mdk.x86_64.rpm
 4cfe74acd379f314f6ff2845920b64b7  x86_64/2006.0/RPMS/koffice-kspread-1.4.2-11.2.20060mdk.x86_64.rpm
 6ec357843424d14fadbd457e49fc3c34  x86_64/2006.0/RPMS/koffice-kugar-1.4.2-11.2.20060mdk.x86_64.rpm
 ac0a4544be03c14981d165c83dd0893e  x86_64/2006.0/RPMS/koffice-kword-1.4.2-11.2.20060mdk.x86_64.rpm
 1a6ddfd8cdde5c9fc9c23fa58e55a7e2  x86_64/2006.0/RPMS/koffice-progs-1.4.2-11.2.20060mdk.x86_64.rpm
 9bf5725e0a5b369653bd579c6be151e6  x86_64/2006.0/RPMS/lib64koffice2-karbon-1.4.2-11.2.20060mdk.x86_64.rpm
 bb80a747c3ba10682967664d58d5a3dc  x86_64/2006.0/RPMS/lib64koffice2-karbon-devel-1.4.2-11.2.20060mdk.x86_64.rpm
 8f7003b51389274cec77c0eaa4f620a1  x86_64/2006.0/RPMS/lib64koffice2-kexi-1.4.2-11.2.20060mdk.x86_64.rpm
 b0058d2ffe854eb0fc7f6d3694b2cf0c  x86_64/2006.0/RPMS/lib64koffice2-kexi-devel-1.4.2-11.2.20060mdk.x86_64.rpm
 0c2dfe7985b8d29b11fb6d5f3bc5f187  x86_64/2006.0/RPMS/lib64koffice2-kformula-1.4.2-11.2.20060mdk.x86_64.rpm
 fe64e075b725f2003ad4b3b75e633815  x86_64/2006.0/RPMS/lib64koffice2-kformula-devel-1.4.2-11.2.20060mdk.x86_64.rpm
 1ce7238b2d8494313df1f71cb5ab45ee  x86_64/2006.0/RPMS/lib64koffice2-kivio-1.4.2-11.2.20060mdk.x86_64.rpm
 4a64f4ef06c4404f7d77685d195c11ba  x86_64/2006.0/RPMS/lib64koffice2-kivio-devel-1.4.2-11.2.20060mdk.x86_64.rpm
 92fea6a7449391fc2c35e02044d03e83  x86_64/2006.0/RPMS/lib64koffice2-koshell-1.4.2-11.2.20060mdk.x86_64.rpm
 a99e683d8c5585df998d5735d4c01f7d  x86_64/2006.0/RPMS/lib64koffice2-kpresenter-1.4.2-11.2.20060mdk.x86_64.rpm
 5f19278c29cf6656d9a56ef39f14d145  x86_64/2006.0/RPMS/lib64koffice2-krita-1.4.2-11.2.20060mdk.x86_64.rpm
 930b637523e583344c0303844496e768  x86_64/2006.0/RPMS/lib64koffice2-krita-devel-1.4.2-11.2.20060mdk.x86_64.rpm
 880b0863b0c0f0ddcde22207abac3164  x86_64/2006.0/RPMS/lib64koffice2-kspread-1.4.2-11.2.20060mdk.x86_64.rpm
 cd0b2c995b2ef8c9f90dbb35349b1b95  x86_64/2006.0/RPMS/lib64koffice2-kspread-devel-1.4.2-11.2.20060mdk.x86_64.rpm
 d4fa15a626d04a31222c596e9b0781a3  x86_64/2006.0/RPMS/lib64koffice2-kugar-1.4.2-11.2.20060mdk.x86_64.rpm
 0562292a610452f83c5070791aeac977  x86_64/2006.0/RPMS/lib64koffice2-kugar-devel-1.4.2-11.2.20060mdk.x86_64.rpm
 ecc6a0c00d8c9160400db4c1698a918e  x86_64/2006.0/RPMS/lib64koffice2-kword-1.4.2-11.2.20060mdk.x86_64.rpm
 0b87a74b84ed37b1d95e5a61247bbe39  x86_64/2006.0/RPMS/lib64koffice2-kword-devel-1.4.2-11.2.20060mdk.x86_64.rpm
 5935898f0e48d386a8f50d1be0f39e62  x86_64/2006.0/RPMS/lib64koffice2-progs-1.4.2-11.2.20060mdk.x86_64.rpm
 f96c5fd8d1e3366a3bef48ef49d52559  x86_64/2006.0/RPMS/lib64koffice2-progs-devel-1.4.2-11.2.20060mdk.x86_64.rpm
 d1aa09f80b3e57ecfd60f0a7e263094a  x86_64/2006.0/SRPMS/koffice-1.4.2-11.2.20060mdk.src.rpm

References

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3628
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3627
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3626
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3625
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3624
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191