On Thursday 20 January 2005 16:33, you wrote:
> Hi,
>
> A member of the debian security team has posted a bug against koffice,
> also for CAN-2005-0064. The patch however is quite different.
>
> http://bugs.debian.org/291245
>
> Are these the same issue? In particular, do I need to apply both
> patches, or just one of the patches? If just one, would you recommend
> the debian patch (included below) or the KDE patch (from your previous
> post)?

Both patches fix the same issue. The koffice patch doesn't seem to handle the
keyLength == 0 case though. The koffice patch is the patch that went into
xpdf upstream.

I think keyLength == 0 can cause a crash in rc4InitKey due to

  index1 = (index1 + 1) % keyLen;

although it doesn't seem to be exploitable. I will revise the koffice patch,
see attachment.

Cheers,
Waldo
-- 
bastian@kde.org   |   Free Novell Linux Desktop 9 Evaluation Download
bastian@suse.com  |   http://www.novell.com/products/desktop/eval.html

Attachment: post-1.3.5-koffice.diff

Index: koffice/filters/kword/pdf/xpdf/xpdf/XRef.cc =================================================================== RCS file: /home/kde/koffice/filters/kword/pdf/xpdf/xpdf/XRef.cc,v retrieving revision 1.6 retrieving revision 1.8 diff -u -p -r1.6 -r1.8 --- koffice/filters/kword/pdf/xpdf/xpdf/XRef.cc 30 Oct 2004 16:35:33 -0000 1.6 +++ koffice/filters/kword/pdf/xpdf/xpdf/XRef.cc 20 Jan 2005 17:36:38 -0000 1.8 @@ -501,6 +501,12 @@ GBool XRef::checkEncrypted(GString *owne } else { keyLength = 5; } + if (keyLength < 1) { + keyLength = 1; + } + if (keyLength > 16) { + keyLength = 16; + } permFlags = permissions.getInt(); if (encVersion >= 1 && encVersion <= 2 && encRevision >= 2 && encRevision <= 3) {

_______________________________________________
koffice-devel mailing list
koffice-devel@kde.org
https://mail.kde.org/mailman/listinfo/koffice-devel
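
Review bot: The two clamps added after the `else { keyLength = 5; }` branch in XRef::checkEncrypted silently rewrite an out-of-range keyLength (anything below 1 becomes 1, anything above 16 becomes 16) and then carry on to `permFlags = permissions.getInt();`, so a malformed file is processed with a key length it never declared. Consider treating an out-of-range value as an error at this point rather than adjusting it, and add a comment saying what each bound protects: per the message above, the lower bound keeps `index1 = (index1 + 1) % keyLen;` in rc4InitKey from taking a modulo by zero, while the 16 is a bare literal with no stated link to the limit it stands for; a named constant would make that link checkable.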
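
The failure mode described in the message above, shown as an added example that is not part of the original mail or of the xpdf/koffice sources: an RC4 key schedule that rejects an out-of-range key length before the `% key_len` step instead of clamping it. The names `rc4_state`, `rc4_init_checked` and `rc4_next` are hypothetical, the 1..16 bounds are taken from the patch, and the sample key is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Bounds mirror the clamp in the patch above (1..16 bytes). */
enum { KEY_LEN_MIN = 1, KEY_LEN_MAX = 16 };

typedef struct { uint8_t s[256]; uint8_t x, y; } rc4_state;

/* Hypothetical helper (not xpdf's rc4InitKey): RC4 key schedule that
 * validates key_len before the "% key_len" step. Returns 0 on success,
 * -1 if the length is out of range; the state is not written on failure. */
int rc4_init_checked(rc4_state *st, const uint8_t *key, int key_len)
{
    if (!st || !key || key_len < KEY_LEN_MIN || key_len > KEY_LEN_MAX)
        return -1;               /* key_len == 0 would be a modulo by zero */

    for (int i = 0; i < 256; i++)
        st->s[i] = (uint8_t)i;

    uint8_t j = 0;
    int k = 0;                   /* index into key, wraps at key_len */
    for (int i = 0; i < 256; i++) {
        j = (uint8_t)(j + st->s[i] + key[k]);
        uint8_t t = st->s[i]; st->s[i] = st->s[j]; st->s[j] = t;
        k = (k + 1) % key_len;   /* safe: key_len >= 1 was checked above */
    }
    st->x = st->y = 0;
    return 0;
}

/* Next keystream byte (standard RC4 output step), used to check the schedule. */
uint8_t rc4_next(rc4_state *st)
{
    st->x = (uint8_t)(st->x + 1);
    st->y = (uint8_t)(st->y + st->s[st->x]);
    uint8_t t = st->s[st->x]; st->s[st->x] = st->s[st->y]; st->s[st->y] = t;
    return st->s[(uint8_t)(st->s[st->x] + st->s[st->y])];
}

int main(void)
{
    static const uint8_t key[] = { 'K', 'e', 'y' };  /* constructed sample key */
    rc4_state st;
    printf("len 0  -> %d\n", rc4_init_checked(&st, key, 0));
    printf("len 17 -> %d\n", rc4_init_checked(&st, key, 17));
    printf("len 3  -> %d\n", rc4_init_checked(&st, key, 3));
    return 0;
}
```

Returning an error leaves the caller to decide how to handle the malformed document, where a clamp would continue with a key length the file never declared.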