=====================================================================
                                  CERT-Renater

                       Note d'Information No. 2004/VULN462
_____________________________________________________________________

DATE                      : 28/10/2004

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running KDE 3.2.x releases, KDE 3.3.0,
                                   KDE 3.3.1.

======================================================================

KDE Security Advisory: kpdf integer overflows
Original Release Date: 2004-10-21
URL: http://www.kde.org/info/security/advisory-20041021-1.txt

0. References

         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0888
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0889
         CESA-2004-002 - rev 1
         CESA-2004-007 - rev 1


1. Systems affected:

         All KDE 3.2.x releases, KDE 3.3.0 and KDE 3.3.1.


2. Overview:

         Chris Evans notified the KDE security team about multiple
         integer overflow and integer arithmetic flaws in xpdf 3.0.

         These flaws, if exploited, can cause xpdf (and therefore kpdf)
         to hang using 100% CPU, crash the viewer or corrupt the
         program heap. It might be possible to execute arbitrary code.
         The Common Vulnerabilities and Exposures project assigned
         CAN-2004-0889 to this issue.

         kpdf, the KDE pdf viewer, shares code with xpdf 2.02. This
         code is significantly different from the xpdf 3.0 codebase,
         but is also affected by similiar issues. Sebastian Krahmer
         from the SUSE security team developed a patch that corrects
         integer overflows in the XRef code. This patch is made
         available below for kpdf as shipped in the KDE 3.2.x
         releases. The Common Vulnerabilities and Exposures project
         assigned CAN-2004-0888 to this issue.

         KDE 3.3.1 contains a kpdf based on xpdf 3.0. We're providing
         a patch to fix the remaining integer overflows in this code
         base.


3. Impact:

         Remotely supplied pdf files can be used to execute arbitrary
         code on the client machine.


4. Solution:

         Source code patches have been made available which fix these
         vulnerabilities. Contact your OS vendor / binary package provider
         for information about how to obtain updated binary packages.


5. Patch:

         Patch for KDE 3.2.3 is available from
         ftp://ftp.kde.org/pub/kde/security_patches :

         4f854adb507f4d04e997702e44ffc2ea  post-3.2.3-kdegraphics.diff

         Patch for KDE 3.3.1 is available from
         ftp://ftp.kde.org/pub/kde/security_patches :

         651fba579516ea947fbefee373f40a6c  post-3.3.1-kdegraphics.diff


6. Time line and credits:

         01/09/2004 KDE Security Team alerted by Chris Evans
         08/09/2004 Chris Evans finds similiar issues in the xpdf 2.02
                    codebase which is used by all released kpdf versions.
         24/09/2004 Patch to fix the found issues in xpdf 2.02 developed
                    by Sebastian Krahmer of SUSE security.
         12/10/2004 KDE 3.3.1 release upgrading kpdf to xpdf 3.0 codebase
         21/10/2004 Public disclosure

======================================================================

         =========================================================
         Les serveurs de référence du CERT-Renater
         http://www.urec.fr/securite
         http://www.cru.fr/securite
         http://www.renater.fr
         =========================================================
         + CERT-RENATER          | tel : 01-53-94-20-44          +
         + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
         + 75013 Paris           | email: certsvp@renater.fr     +
         =========================================================