Your message dated Sat, 17 Nov 2007 07:32:07 +0000
with message-id <E1ItI9v-0003Jr-FE@ries.debian.org>
and subject line Bug#450630: fixed in kdegraphics 4:3.5.7-4+lenny1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: CVE-2007-4352, CVE-2007-5392, CVE-2007-5393 multiple vulnerabilities leading to arbitrary code execution
- From: Nico Golde <nion@debian.org>
- Date: Thu, 8 Nov 2007 18:29:22 +0100
- Message-id: <20071108172922.GA9986@ngolde.de>
Package: kdegraphics
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were published for poppler.

CVE-2007-4352[0]:
| Array index error in the DCTStream::readProgressiveDataUnit method in
| xpdf/Stream.cc in Xpdf 3.02 with xpdf-3.02pl1.patch allows remote
| attackers to trigger memory corruption and execute arbitrary code via
| a crafted PDF file.

CVE-2007-5392[1]:
| Integer overflow in the DCTStream::reset method in
| xpdf/Stream.cc in Xpdf 3.02 with xpdf-3.02pl1.patch allows
| remote attackers to execute arbitrary code via a crafted PDF
| file, resulting in a heap-based buffer overflow.

CVE-2007-5393[2]:
| Heap-based buffer overflow in the CCITTFaxStream::lookChar
| method in xpdf/Stream.cc in Xpdf 3.02 with
| xpdf-3.02pl1.patch allows remote attackers to execute
| arbitrary code via a PDF file that contains a crafted
| CCITTFaxDecode filter.

If you fix this vulnerability please also include the CVE id in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpxiPPCIAmg_.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 450630-close@bugs.debian.org
- Subject: Bug#450630: fixed in kdegraphics 4:3.5.7-4+lenny1
- From: Nico Golde <nion@debian.org>
- Date: Sat, 17 Nov 2007 07:32:07 +0000
- Message-id: <E1ItI9v-0003Jr-FE@ries.debian.org>
Source: kdegraphics
Source-Version: 4:3.5.7-4+lenny1

We believe that the bug you reported is fixed in the latest version of
kdegraphics, which is due to be installed in the Debian FTP archive:

kamera_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/kamera_3.5.7-4+lenny1_i386.deb
kcoloredit_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/kcoloredit_3.5.7-4+lenny1_i386.deb
kdegraphics-dbg_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/kdegraphics-dbg_3.5.7-4+lenny1_i386.deb
kdegraphics-dev_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/kdegraphics-dev_3.5.7-4+lenny1_i386.deb
kdegraphics-doc-html_3.5.7-4+lenny1_all.deb
  to pool/main/k/kdegraphics/kdegraphics-doc-html_3.5.7-4+lenny1_all.deb
kdegraphics-kfile-plugins_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/kdegraphics-kfile-plugins_3.5.7-4+lenny1_i386.deb
kdegraphics_3.5.7-4+lenny1.diff.gz
  to pool/main/k/kdegraphics/kdegraphics_3.5.7-4+lenny1.diff.gz
kdegraphics_3.5.7-4+lenny1.dsc
  to pool/main/k/kdegraphics/kdegraphics_3.5.7-4+lenny1.dsc
kdegraphics_3.5.7-4+lenny1_all.deb
  to pool/main/k/kdegraphics/kdegraphics_3.5.7-4+lenny1_all.deb
kdvi_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/kdvi_3.5.7-4+lenny1_i386.deb
kfax_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/kfax_3.5.7-4+lenny1_i386.deb
kfaxview_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/kfaxview_3.5.7-4+lenny1_i386.deb
kgamma_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/kgamma_3.5.7-4+lenny1_i386.deb
kghostview_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/kghostview_3.5.7-4+lenny1_i386.deb
kiconedit_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/kiconedit_3.5.7-4+lenny1_i386.deb
kmrml_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/kmrml_3.5.7-4+lenny1_i386.deb
kolourpaint_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/kolourpaint_3.5.7-4+lenny1_i386.deb
kooka_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/kooka_3.5.7-4+lenny1_i386.deb
kpdf_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/kpdf_3.5.7-4+lenny1_i386.deb
kpovmodeler_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/kpovmodeler_3.5.7-4+lenny1_i386.deb
kruler_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/kruler_3.5.7-4+lenny1_i386.deb
ksnapshot_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/ksnapshot_3.5.7-4+lenny1_i386.deb
ksvg_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/ksvg_3.5.7-4+lenny1_i386.deb
kuickshow_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/kuickshow_3.5.7-4+lenny1_i386.deb
kview_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/kview_3.5.7-4+lenny1_i386.deb
kviewshell_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/kviewshell_3.5.7-4+lenny1_i386.deb
libkscan-dev_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/libkscan-dev_3.5.7-4+lenny1_i386.deb
libkscan1_3.5.7-4+lenny1_i386.deb
  to pool/main/k/kdegraphics/libkscan1_3.5.7-4+lenny1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 450630@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated kdegraphics package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 16 Nov 2007 09:57:48 +0100
Source: kdegraphics
Binary: kdegraphics-kfile-plugins ksnapshot kviewshell kghostview libkscan-dev kruler kcoloredit kamera kdegraphics-dev libkscan1 kdegraphics-dbg kview kdegraphics-doc-html kpdf ksvg kdvi kiconedit kfax kfaxview kuickshow kooka kdegraphics kolourpaint kmrml kgamma kpovmodeler
Architecture: source i386 all
Version: 4:3.5.7-4+lenny1
Distribution: testing-security
Urgency: high
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
 kamera     - digital camera io_slave for Konqueror
 kcoloredit - a color palette editor and color picker for KDE
 kdegraphics - graphics apps from the official KDE release
 kdegraphics-dbg - debugging symbols for kdegraphics
 kdegraphics-dev - development files for the KDE graphics module
 kdegraphics-doc-html - KDE graphics documentation in HTML format
 kdegraphics-kfile-plugins - KDE metainfo plugins for graphic files
 kdvi       - dvi viewer for KDE
 kfax       - G3/G4 fax viewer for KDE
 kfaxview   - G3/G4 fax viewer for KDE using kviewshell
 kgamma     - gamma correction module for the KDE Control Center
 kghostview - PostScript viewer for KDE
 kiconedit  - an icon editor for KDE
 kmrml      - a Konqueror plugin for searching pictures
 kolourpaint - a simple paint program for KDE
 kooka      - scanner program for KDE
 kpdf       - PDF viewer for KDE
 kpovmodeler - a graphical editor for povray scenes
 kruler     - a screen ruler and color measurement tool for KDE
 ksnapshot  - screenshot utility for KDE
 ksvg       - SVG viewer for KDE
 kuickshow  - KDE image/slideshow viewer
 kview      - simple image viewer/converter for KDE
 kviewshell - generic framework for viewer applications in KDE
 libkscan-dev - development files for the KDE scanner library
 libkscan1  - scanner library for KDE
Closes: 450630
Changes:
 kdegraphics (4:3.5.7-4+lenny1) testing-security; urgency=high
 .
   * Non-maintainer upload by testing security team.
   * Included post-3.5.8-kdegraphics-kpdf.diff to address the following
     security issues (Closes: #450630)
     - CVE-2007-5393 buffer overflow in the CCITTFaxStream::lookChar
       leading to arbitrary code execution via a crafted pdf file.
     - CVE-2007-5392 integer overflow in the DCTStream::reset resulting
       in a heap based buffer overflow allows code execution.
     - CVE-2007-4352 array index error in DCTStream::readProgressiveDataUnit
       leads to memory corruption and possibly arbitrary code execution.
Files:
 e38ba3f815476ba7b2dfb49ba417dbcd 1420 kde optional kdegraphics_3.5.7-4+lenny1.dsc
 460e518dd7e1d525dc97a1c60f015e72 345945 kde optional kdegraphics_3.5.7-4+lenny1.diff.gz
 28584a5ab59479a214bf109245b75955 12306 kde optional kdegraphics_3.5.7-4+lenny1_all.deb
 7a7932a4e55900b96ab0b92eb5fc7c32 150594 doc optional kdegraphics-doc-html_3.5.7-4+lenny1_all.deb
 20665a60aff53f2d1fe9e4b5f4dcddca 82718 graphics optional kamera_3.5.7-4+lenny1_i386.deb
 2bf61a756ee1c1d5c8aca79eed775dca 97188 graphics optional kcoloredit_3.5.7-4+lenny1_i386.deb
 74aabd870b6491126d6363ffa722e0ed 97446 devel optional kdegraphics-dev_3.5.7-4+lenny1_i386.deb
 15067249feb2b36d4fa3dcbf0a21d09e 259466 kde optional kdegraphics-kfile-plugins_3.5.7-4+lenny1_i386.deb
 9ed6c71dc3f5199ebd7dd7c08d479c05 525672 graphics optional kdvi_3.5.7-4+lenny1_i386.deb
 8ad490a149ae74d6b0aef352fdd53e91 139572 graphics optional kfax_3.5.7-4+lenny1_i386.deb
 7281cadcb1c16d7a31800c4f9a6ecdeb 103278 graphics optional kfaxview_3.5.7-4+lenny1_i386.deb
 baab50c91cf4214287c4d1c044b43ffd 71096 graphics optional kgamma_3.5.7-4+lenny1_i386.deb
 65b9f2495bd93a1d410fd71d27dec3ef 229910 graphics optional kghostview_3.5.7-4+lenny1_i386.deb
 c22ccc4c8695ca562d4ccd0b3a9a5549 168830 graphics optional kiconedit_3.5.7-4+lenny1_i386.deb
 a37bb145fc7fa919a2d552a04274982b 219918 kde optional kmrml_3.5.7-4+lenny1_i386.deb
 094d202c92bae9b94548733a12d1cb3e 1062564 graphics optional kolourpaint_3.5.7-4+lenny1_i386.deb
 bb042aa8e484498bafa299765f8566ca 751586 graphics optional kooka_3.5.7-4+lenny1_i386.deb
 cf2bf0f847f71061501d268dcfc28309 813848 graphics optional kpdf_3.5.7-4+lenny1_i386.deb
 3ab989338da0d1e9f15e1166585fa5ea 2232786 graphics optional kpovmodeler_3.5.7-4+lenny1_i386.deb
 0eea36573cd1130f4c12393d6363906e 60944 graphics optional kruler_3.5.7-4+lenny1_i386.deb
 6bc8c0f2652f7049bc4268a233c20a04 167058 graphics optional ksnapshot_3.5.7-4+lenny1_i386.deb
 67e16ddbbcb90f4b66c2a05b7578d45d 1270236 graphics optional ksvg_3.5.7-4+lenny1_i386.deb
 628687438c7e5b5c7a167db333824491 486766 graphics optional kuickshow_3.5.7-4+lenny1_i386.deb
 404df14afd56e9648622249ce333b170 395960 graphics optional kview_3.5.7-4+lenny1_i386.deb
 4c73c13105c200f079fc8a3f7dc20c18 787078 graphics optional kviewshell_3.5.7-4+lenny1_i386.deb
 63f55be980425b3f425066a16903d2a6 12136 libdevel optional libkscan-dev_3.5.7-4+lenny1_i386.deb
 49f4e105469dbc808eaa0ec8cdf11585 129796 libs optional libkscan1_3.5.7-4+lenny1_i386.deb
 b5dd2d50f3a041de14b1e9419f5a0b4f 25353270 libdevel extra kdegraphics-dbg_3.5.7-4+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHPX9nHYflSXNkfP8RAmzUAKCXoQM3A0G7BCYclRyE27StLzuyhgCgkiQM
fGqYPCcWfj62Di5dg0fTlDQ=
=Ii3H
-----END PGP SIGNATURE-----
--- End Message ---