Lucene search

K
osvGoogleOSV:DSA-1793-1
HistoryMay 06, 2009 - 12:00 a.m.

kdegraphics - multiple vulnerabilities

2009-05-0600:00:00
Google
osv.dev
26

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.083 Low

EPSS

Percentile

93.4%

kpdf, a Portable Document Format (PDF) viewer for KDE, is based on the
xpdf program and thus suffers from similar flaws to those described in
DSA-1790.

The Common Vulnerabilities and Exposures project identifies the
following problems:

  • CVE-2009-0146
    Multiple buffer overflows in the JBIG2 decoder in kpdf allow
    remote attackers to cause a denial of service (crash) via a
    crafted PDF file, related to (1) JBIG2SymbolDict::setBitmap and
    (2) JBIG2Stream::readSymbolDictSeg.
  • CVE-2009-0147
    Multiple integer overflows in the JBIG2 decoder in kpdf allow
    remote attackers to cause a denial of service (crash) via a
    crafted PDF file, related to (1) JBIG2Stream::readSymbolDictSeg,
    (2) JBIG2Stream::readSymbolDictSeg, and (3)
    JBIG2Stream::readGenericBitmap.
  • CVE-2009-0165
    Integer overflow in the JBIG2 decoder in kpdf has unspecified
    impact related to “g*allocn.”
  • CVE-2009-0166
    The JBIG2 decoder in kpdf allows remote attackers to cause a
    denial of service (crash) via a crafted PDF file that triggers a
    free of uninitialized memory.
  • CVE-2009-0799
    The JBIG2 decoder in kpdf allows remote attackers to cause a
    denial of service (crash) via a crafted PDF file that triggers an
    out-of-bounds read.
  • CVE-2009-0800
    Multiple “input validation flaws” in the JBIG2 decoder in kpdf
    allow remote attackers to execute arbitrary code via a crafted PDF
    file.
  • CVE-2009-1179
    Integer overflow in the JBIG2 decoder in kpdf allows remote
    attackers to execute arbitrary code via a crafted PDF file.
  • CVE-2009-1180
    The JBIG2 decoder in kpdf allows remote attackers to execute
    arbitrary code via a crafted PDF file that triggers a free of
    invalid data.
  • CVE-2009-1181
    The JBIG2 decoder in kpdf allows remote attackers to cause a
    denial of service (crash) via a crafted PDF file that triggers a
    NULL pointer dereference.
  • CVE-2009-1182
    Multiple buffer overflows in the JBIG2 MMR decoder in kpdf allow
    remote attackers to execute arbitrary code via a crafted PDF file.
  • CVE-2009-1183
    The JBIG2 MMR decoder in kpdf allows remote attackers to cause a
    denial of service (infinite loop and hang) via a crafted PDF file.

The old stable distribution (etch), these problems have been fixed in version
3.5.5-3etch3.

For the stable distribution (lenny), these problems have been fixed in version
3.5.9-3+lenny1.

For the unstable distribution (sid), these problems will be fixed
soon.

We recommend that you upgrade your kdegraphics packages.

CPENameOperatorVersion
kdegraphicseq4:3.5.9-3

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.083 Low

EPSS

Percentile

93.4%

Related for OSV:DSA-1793-1