Debians sikkerhedsbulletin

DSA-1509-1 koffice -- flere sårbarheder

Rapporteret den:

25. feb 2008

Berørte pakker:

koffice

Sårbar:

Referencer i sikkerhedsdatabaser:

I Mitres CVE-ordbog: CVE-2007-4352, CVE-2007-5392, CVE-2007-5393.

Yderligere oplysninger:

Flere sårbarheder er opdaget i xpdf-koden, der er indeholdt i koffice, en integreret kontorpakke til KDE. Disse fejl kunne gøre det muligt for en fjernangriber at udføre vilkårlig kode ved at få brugeren til at importere et særligt fremstillet PDF-dokment. Projektet Common Vulnerabilities and Exposures har fundet frem til følgende problemer:

CVE-2007-4352
Arrayindeksfejl i metoden DCTStream::readProgressiveDataUnit i xpdf/Stream.cc i Xpdf 3.02pl1, som anvendes i poppler, teTeX, KDE, KOffice, CUPS og andre produkter, gjorde det muligt for fjernangribere at ødeløse hukommelseskorruption og udføre vilkårlig kode gennem en særligt fremstillet PDF-fil.
CVE-2007-5392
Heltalsoverløb i metoden DCTStream::reset i xpdf/Stream.cc i Xpdf 3.02p11 gjorde det muligt for fjernangribere at udføre vilkårlig kode gennem en fabrikeret PDF-fil, medførende et heap-baseret bufferoverløb.
CVE-2007-5393
Et heap-baseret bufferoverløb i metoden CCITTFaxStream::lookChar i xpdf/Stream.cc i Xpdf 3.02p11 gjorde det muligt for fjernangribere at udføre vilkårlig kode gennem en PDF-fil, der indeholder et fabrikeret CCITTFaxDecode-filter.

Opdateringer til den gamle stabile distribution (sarge), vil hurtigst muligt blive gjort tilgængelige.

I den stabile distribution (etch), er disse problemer rettet i version 1:1.6.1-2etch2.

Vi anbefaler at du opgraderer din koffice-pakke.

Rettet i:

Debian GNU/Linux 4.0 (etch)

Kildekode:: http://security.debian.org/pool/updates/main/k/koffice/koffice_1.6.1.orig.tar.gz; http://security.debian.org/pool/updates/main/k/koffice/koffice_1.6.1-2etch2.diff.gz; http://security.debian.org/pool/updates/main/k/koffice/koffice_1.6.1-2etch2.dsc
Arkitekturuafhængig komponent:: http://security.debian.org/pool/updates/main/k/koffice/koffice-data_1.6.1-2etch2_all.deb; http://security.debian.org/pool/updates/main/k/koffice/kword-data_1.6.1-2etch2_all.deb; http://security.debian.org/pool/updates/main/k/koffice/kivio-data_1.6.1-2etch2_all.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-doc_1.6.1-2etch2_all.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-doc-html_1.6.1-2etch2_all.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice_1.6.1-2etch2_all.deb; http://security.debian.org/pool/updates/main/k/koffice/kpresenter-data_1.6.1-2etch2_all.deb; http://security.debian.org/pool/updates/main/k/koffice/krita-data_1.6.1-2etch2_all.deb
Alpha:: http://security.debian.org/pool/updates/main/k/koffice/koffice-dbg_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/kword_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/kexi_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dev_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/karbon_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/koshell_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/kspread_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/kivio_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/kplato_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/kugar_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/kchart_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/krita_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/kpresenter_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/kthesaurus_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-libs_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/kformula_1.6.1-2etch2_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/k/koffice/krita_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/kthesaurus_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/kpresenter_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/kchart_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-libs_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/kplato_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/koshell_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/kword_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/kexi_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dbg_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/kivio_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/karbon_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/kformula_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/kspread_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/kugar_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dev_1.6.1-2etch2_amd64.deb
HP Precision:: http://security.debian.org/pool/updates/main/k/koffice/kspread_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/kugar_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/koshell_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dbg_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/kword_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/karbon_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/kivio_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/krita_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-libs_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/kplato_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dev_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/kpresenter_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/kexi_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/kformula_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/kthesaurus_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/kchart_1.6.1-2etch2_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/k/koffice/kword_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/kugar_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/kplato_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/kthesaurus_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/kchart_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/karbon_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/kivio_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/krita_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/kformula_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/kspread_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dev_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-libs_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/koshell_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dbg_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/kexi_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/kpresenter_1.6.1-2etch2_i386.deb
Big-endian MIPS:: http://security.debian.org/pool/updates/main/k/koffice/kexi_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/kpresenter_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dev_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/kplato_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-libs_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/karbon_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/kformula_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/kugar_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/kword_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/kivio_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dbg_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/koshell_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/krita_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/kspread_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/kthesaurus_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/kchart_1.6.1-2etch2_mips.deb
PowerPC:: http://security.debian.org/pool/updates/main/k/koffice/kplato_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dbg_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/kivio_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/kthesaurus_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/karbon_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dev_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/kspread_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/kchart_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/krita_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/kugar_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-libs_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/kformula_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/koshell_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/kexi_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/kpresenter_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/kword_1.6.1-2etch2_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/k/koffice/kspread_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/kugar_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dev_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/kchart_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/krita_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/kexi_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dbg_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/koshell_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/kplato_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/karbon_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/kformula_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-libs_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/kpresenter_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/kword_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/kthesaurus_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/kivio_1.6.1-2etch2_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/k/koffice/kpresenter_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/kexi_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/krita_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/kchart_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/kugar_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/kspread_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/kword_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/kformula_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-libs_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/kivio_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/karbon_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/koshell_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dev_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dbg_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/kplato_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/kthesaurus_1.6.1-2etch2_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.