
Bug#303238: kpdf fix for CAN-2005-0064 (bug 291251) was incomplete



Package: kpdf
Version: 4:3.3.2-1
Severity: grave
Tags: security patch
Justification: user security hole

Dear KDE maintainers,
the security fix for CAN-2005-0064 was derived from xpdf 3.00-12, which
in fact turned out to be incomplete wrt a missing range check in XRef.cc.
Attached you can find a patch that adds the missing range verification, as
it has been done for xpdf 3.00-13.

Cheers,
        Moritz
 
-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
diff -Naur kdegraphics-3.3.2.orig/kpdf/xpdf/XRef.cc kdegraphics-3.3.2/kpdf/xpdf/XRef.cc
--- kdegraphics-3.3.2.orig/kpdf/xpdf/XRef.cc	2004-11-28 14:30:57.000000000 +0100
+++ kdegraphics-3.3.2/kpdf/xpdf/XRef.cc	2005-04-05 16:05:04.000000000 +0200
@@ -820,6 +820,9 @@
 	} else {
 	  keyLength = 5;
 	}
+	if (keyLength > 16) {
+	  keyLength = 16;
+	}
 	permFlags = permissions.getInt();
 	if (encVersion >= 1 && encVersion <= 2 &&
 	    encRevision >= 2 && encRevision <= 3) {
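
Review bot: the added `if (keyLength > 16)` check, placed right after the `keyLength = 5` else branch, bounds keyLength only from above. The branch before the `else` is not visible in this hunk; if the value assigned there is read from the document, a zero or negative length would still pass through, so consider a lower bound as well, for example `if (keyLength < 1 || keyLength > 16)`. The literal 16 is also unexplained: a short comment or a named constant stating which limit it enforces would make the check easier to audit. It is worth deciding, too, whether an out-of-range length should be clamped silently, as here, or cause the document to be rejected.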
