|
Family: Gentoo Local Security Checks --> Category: infos
[GLSA-200601-02] KPdf, KWord: Multiple overflows in included Xpdf code Vulnerability Scan
Vulnerability Scan Summary KPdf, KWord: Multiple overflows in included Xpdf code
Detailed Explanation for this Vulnerability Test
The remote host is affected by the vulnerability described in GLSA-200601-02
(KPdf, KWord: Multiple overflows in included Xpdf code)
KPdf and KWord both include Xpdf code to handle PDF files. This Xpdf
code is vulnerable to several heap overflows (GLSA 200512-08) as well
as several buffer and integer overflows discovered by Chris Evans
(CESA-2005-003).
Impact
A possible hacker could entice a user to open a specially crafted PDF file
with Kpdf or KWord, potentially resulting in the execution of arbitrary
code with the rights of the user running the affected application.
Workaround
There is no known workaround at this time.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3624
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3626
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3627
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3628
http://www.gentoo.org/security/en/glsa/glsa-200512-08.xml
http://www.kde.org/info/security/advisory-20051207-2.txt
http://scary.beasts.org/security/CESA-2005-003.txt
Solution:
All kdegraphics users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=kde-base/kdegraphics-3.4.3-r3"
All Kpdf users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=kde-base/kpdf-3.4.3-r3"
All KOffice users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/koffice-1.4.2-r6"
All KWord users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-office/kword-1.4.2-r6"
Threat Level: Medium
Click HERE for more information and discussions on this network vulnerability scan.
|