KDE Security Advisory: kimgio input validation errors
Original Release Date: 2005-04-21
URL: http://www.kde.org/info/security/advisory-20050421-1.txt
References
http://bugs.kde.org/102328
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1046
Systems affected:
kdelibs as shipped with KDE 3.2 up to including KDE 3.4.
Overview:
kimgio contains a PCX image file format reader that does
not properly perform input validation. A source code audit
performed by the KDE security team discovered several
vulnerabilities in the PCX and other image file format
readers, some of them exploitable to execute arbitrary
code.
Impact:
Remotly supplied, specially crafted image files can be used
to execute arbitrary code.
Solution:
Source code patches have been made available which fix these
vulnerabilities. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.
Patch:
A patch for KDE 3.4.0 is available from
ftp://ftp.kde.org/pub/kde/security_patches :
78473d4dad612e6617eb6652eec2ab80 post-3.4.0-kdelibs-kimgio.diff
A patch for KDE 3.3.2 is available from
ftp://ftp.kde.org/pub/kde/security_patches :
8366d0e5c8101c315a0bdafac54536d6 post-3.3.2-kdelibs-kimgio.diff
Time line and credits:
24/03/2005 Notification of KDE by Bruno Rohee
21/04/2005 Coordinated Public Disclosure