Description: Summary: The remote host is missing an update for the Debian 'kdegraphics' package(s) announced via the DSA-1793-1 advisory.
Vulnerability Insight: kpdf, a Portable Document Format (PDF) viewer for KDE, is based on the xpdf program and thus suffers from similar flaws to those described in DSA-1790.
The Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2009-0146
Multiple buffer overflows in the JBIG2 decoder in kpdf allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2SymbolDict::setBitmap and (2) JBIG2Stream::readSymbolDictSeg.
CVE-2009-0147
Multiple integer overflows in the JBIG2 decoder in kpdf allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2Stream::readSymbolDictSeg, (2) JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap.
CVE-2009-0165
Integer overflow in the JBIG2 decoder in kpdf has unspecified impact related to 'g*allocn.'
CVE-2009-0166
The JBIG2 decoder in kpdf allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a free of uninitialized memory.
CVE-2009-0799
The JBIG2 decoder in kpdf allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers an out-of-bounds read.
CVE-2009-0800
Multiple 'input validation flaws' in the JBIG2 decoder in kpdf allow remote attackers to execute arbitrary code via a crafted PDF file.
CVE-2009-1179
Integer overflow in the JBIG2 decoder in kpdf allows remote attackers to execute arbitrary code via a crafted PDF file.
CVE-2009-1180
The JBIG2 decoder in kpdf allows remote attackers to execute arbitrary code via a crafted PDF file that triggers a free of invalid data.
CVE-2009-1181
The JBIG2 decoder in kpdf allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a NULL pointer dereference.
CVE-2009-1182
Multiple buffer overflows in the JBIG2 MMR decoder in kpdf allow remote attackers to execute arbitrary code via a crafted PDF file.
CVE-2009-1183
The JBIG2 MMR decoder in kpdf allows remote attackers to cause a denial of service (infinite loop and hang) via a crafted PDF file.
For the old stable distribution (etch), these problems have been fixed in version 3.5.5-3etch3.
For the stable distribution (lenny), these problems have been fixed in version 3.5.9-3+lenny1.
For the unstable distribution (sid), these problems will be fixed soon.
We recommend that you upgrade your kdegraphics packages.
Affected Software/OS: 'kdegraphics' package(s) on Debian 4, Debian 5.
Solution: Please install the updated package(s).
CVSS Score: 10.0
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C