Debian-Sicherheitsankündigung

DSA-1509-1 koffice -- Mehrere Verwundbarkeiten

Datum des Berichts:

25. Feb 2008

Betroffene Pakete:

koffice

Verwundbar:

Sicherheitsdatenbanken-Referenzen:

In Mitres CVE-Verzeichnis: CVE-2007-4352, CVE-2007-5392, CVE-2007-5393.

Weitere Informationen:

Mehrere Verwundbarkeiten wurden im xpdf-Code entdeckt, der in koffice, einer integrierten Office-Suite für KDE, eingebettet ist. Diese Probleme könnten einem Angreifer ermöglichen, beliebigen Code auszuführen, indem der Benutzer dazu gebracht wird, ein speziell erzeugtes PDF-Dokument zu importieren. Das Common Vulnerabilities and Exposures-Projekt identifiziert die folgenden Probleme:

CVE-2007-4352
Ein Feldzugriff-Fehler in der Methode DCTStream::readProgressiveDataUnit in xpdf/Stream.cc in Xpdf 3.02pl1, wie sie in poppler, teTeX, KDE, KOffice, CUPS und anderen Produkten verwendet wird, ermöglicht entfernten Angreifern die Auslösung einer Speicherkorruption und die Ausführung beliebigen Codes mittels einer speziell erzeugten PDF-Datei.
CVE-2007-5392
Ein Integer-Überlauf in der Methode DCTStream::reset in xpdf/Stream.cc in Xpdf 3.02p11 ermöglicht entfernten Angreifern die Ausführung beliebigen Codes mittels einer speziell erzeugten PDF-Datei, was zu einem Heap-basierten Pufferüberlauf führt.
CVE-2007-5393
Ein Heap-basierter Pufferüberlauf in der Methode CCITTFaxStream::lookChar in xpdf/Stream.cc in Xpdf 3.02p11 ermöglicht entfernten Angreifern die Ausführung beliebigen Codes mittels einer PDF-Datei, die einen speziell erzeugten CCITTFaxDecode-Filter enthält.

Aktualisierungen für die alte Stable-Distribution (Sarge) werden so bald wie möglich zur Verfügung gestellt.

Für die Stable-Distribution (Etch) wurden diese Probleme in Version 1:1.6.1-2etch2 behoben.

Wir empfehlen Ihnen, Ihr koffice-Paket zu aktualisieren.

Behoben in:

Debian GNU/Linux 4.0 (etch)

Quellcode:: http://security.debian.org/pool/updates/main/k/koffice/koffice_1.6.1.orig.tar.gz; http://security.debian.org/pool/updates/main/k/koffice/koffice_1.6.1-2etch2.diff.gz; http://security.debian.org/pool/updates/main/k/koffice/koffice_1.6.1-2etch2.dsc
Architektur-unabhängige Dateien:: http://security.debian.org/pool/updates/main/k/koffice/koffice-data_1.6.1-2etch2_all.deb; http://security.debian.org/pool/updates/main/k/koffice/kword-data_1.6.1-2etch2_all.deb; http://security.debian.org/pool/updates/main/k/koffice/kivio-data_1.6.1-2etch2_all.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-doc_1.6.1-2etch2_all.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-doc-html_1.6.1-2etch2_all.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice_1.6.1-2etch2_all.deb; http://security.debian.org/pool/updates/main/k/koffice/kpresenter-data_1.6.1-2etch2_all.deb; http://security.debian.org/pool/updates/main/k/koffice/krita-data_1.6.1-2etch2_all.deb
Alpha:: http://security.debian.org/pool/updates/main/k/koffice/koffice-dbg_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/kword_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/kexi_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dev_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/karbon_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/koshell_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/kspread_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/kivio_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/kplato_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/kugar_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/kchart_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/krita_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/kpresenter_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/kthesaurus_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-libs_1.6.1-2etch2_alpha.deb; http://security.debian.org/pool/updates/main/k/koffice/kformula_1.6.1-2etch2_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/k/koffice/krita_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/kthesaurus_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/kpresenter_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/kchart_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-libs_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/kplato_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/koshell_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/kword_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/kexi_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dbg_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/kivio_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/karbon_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/kformula_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/kspread_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/kugar_1.6.1-2etch2_amd64.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dev_1.6.1-2etch2_amd64.deb
HP Precision:: http://security.debian.org/pool/updates/main/k/koffice/kspread_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/kugar_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/koshell_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dbg_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/kword_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/karbon_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/kivio_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/krita_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-libs_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/kplato_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dev_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/kpresenter_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/kexi_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/kformula_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/kthesaurus_1.6.1-2etch2_hppa.deb; http://security.debian.org/pool/updates/main/k/koffice/kchart_1.6.1-2etch2_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/k/koffice/kword_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/kugar_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/kplato_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/kthesaurus_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/kchart_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/karbon_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/kivio_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/krita_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/kformula_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/kspread_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dev_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-libs_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/koshell_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dbg_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/kexi_1.6.1-2etch2_i386.deb; http://security.debian.org/pool/updates/main/k/koffice/kpresenter_1.6.1-2etch2_i386.deb
Big-endian MIPS:: http://security.debian.org/pool/updates/main/k/koffice/kexi_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/kpresenter_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dev_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/kplato_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-libs_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/karbon_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/kformula_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/kugar_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/kword_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/kivio_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dbg_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/koshell_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/krita_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/kspread_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/kthesaurus_1.6.1-2etch2_mips.deb; http://security.debian.org/pool/updates/main/k/koffice/kchart_1.6.1-2etch2_mips.deb
PowerPC:: http://security.debian.org/pool/updates/main/k/koffice/kplato_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dbg_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/kivio_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/kthesaurus_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/karbon_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dev_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/kspread_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/kchart_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/krita_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/kugar_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-libs_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/kformula_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/koshell_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/kexi_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/kpresenter_1.6.1-2etch2_powerpc.deb; http://security.debian.org/pool/updates/main/k/koffice/kword_1.6.1-2etch2_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/k/koffice/kspread_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/kugar_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dev_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/kchart_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/krita_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/kexi_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dbg_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/koshell_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/kplato_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/karbon_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/kformula_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-libs_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/kpresenter_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/kword_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/kthesaurus_1.6.1-2etch2_s390.deb; http://security.debian.org/pool/updates/main/k/koffice/kivio_1.6.1-2etch2_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/k/koffice/kpresenter_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/kexi_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/krita_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/kchart_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/kugar_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/kspread_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/kword_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/kformula_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-libs_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/kivio_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/karbon_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/koshell_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dev_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/koffice-dbg_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/kplato_1.6.1-2etch2_sparc.deb; http://security.debian.org/pool/updates/main/k/koffice/kthesaurus_1.6.1-2etch2_sparc.deb

MD5-Prüfsummen der aufgeführten Dateien stehen in der ursprünglichen Sicherheitsankündigung zur Verfügung.