CVS commit by benb: Use the koffice patch, not the debian patch.
M +6 -5 changelog 1.149.2.20 M +15 -44 patches/xpdf3.diff 1.1.2.2 --- koffice/debian/changelog #1.149.2.19:1.149.2.20 @@ -1,13 +1,14 @@ koffice (1:1.3.5-2) unstable; urgency=high - * Yet another xpdf security fix. This time a buffer overflow in the - Decrypt::makeFileKey2 function from the xpdf sources has been fixed - (closes: #291245). See the following URL for further information: - - http://www.kde.org/info/security/advisory-20050119-1.txt + * Yet another xpdf security fix. This time a buffer overflow has been + fixed relating to an invalid key length (closes: #291245). See the + following URLs for further information: + - http://www.koffice.org/security/advisory-20050120-1.txt + - http://www.kde.org/info/security/advisory-20050120-1.txt References: CAN-2005-0064, DSA-648 * Added CAN and DSA reference numbers to the previous changelog entry for easier tracking. - -- Ben Burton <[EMAIL PROTECTED]> Fri, 21 Jan 2005 02:02:46 +1100 + -- Ben Burton <[EMAIL PROTECTED]> Sat, 22 Jan 2005 01:48:18 +1100 koffice (1:1.3.5-1) unstable; urgency=high --- koffice/debian/patches/xpdf3.diff #1.1.2.1:1.1.2.2 @@ -1,44 +1,15 @@ ---- koffice/filters/kword/pdf/xpdf/xpdf/Decrypt.cc -+++ koffice/filters/kword/pdf/xpdf/xpdf/Decrypt.cc -@@ -73,6 +73,11 @@ - Guchar fx, fy; - int len, i, j; - -+ // check whether we have non-zero keyLength -+ if ( !keyLength ) { -+ return gFalse; -+ } -+ - // try using the supplied owner password to generate the user password - if (ownerPassword) { - len = ownerPassword->getLength(); -@@ -100,7 +105,7 @@ - } else { - memcpy(test2, ownerKey->getCString(), 32); - for (i = 19; i >= 0; --i) { -- for (j = 0; j < keyLength; ++j) { -+ for (j = 0; j < keyLength && j < 16; ++j) { - tmpKey[j] = test[j] ^ i; - } - rc4InitKey(tmpKey, keyLength, fState); -@@ -137,6 +142,11 @@ - int len, i, j; - GBool ok; - -+ // check whether we have non-zero keyLength -+ if ( !keyLength ) { -+ return gFalse; -+ } -+ - // generate file key - buf = (Guchar *)gmalloc(68 + fileID->getLength()); - if (userPassword) { -@@ -174,7 +184,7 @@ - } else if (encRevision == 3) { - memcpy(test, userKey->getCString(), 32); - for (i = 19; i >= 0; --i) { -- for (j = 0; j < keyLength; ++j) { -+ for (j = 0; j < keyLength && j < 16; ++j) { - tmpKey[j] = fileKey[j] ^ i; - } - rc4InitKey(tmpKey, keyLength, fState); +--- koffice/filters/kword/pdf/xpdf/xpdf/XRef.cc 30 Oct 2004 16:35:33 -0000 1.6 ++++ koffice/filters/kword/pdf/xpdf/xpdf/XRef.cc 20 Jan 2005 17:36:38 -0000 1.8 +@@ -501,6 +501,12 @@ GBool XRef::checkEncrypted(GString *owne + } else { + keyLength = 5; + } ++ if (keyLength < 1) { ++ keyLength = 1; ++ } ++ if (keyLength > 16) { ++ keyLength = 16; ++ } + permFlags = permissions.getInt(); + if (encVersion >= 1 && encVersion <= 2 && + encRevision >= 2 && encRevision <= 3) { -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
