KDE Security Advisory: kpdf/kword/xpdf denial of service vulnerability
Original Release Date: 2007-01-15
URL: http://www.kde.org/info/security/advisory-20070115-1.txt

0. References

        CVE-2007-0104

1. Systems affected:

        KDE 3.2.0 up to and including KDE 3.5.5. KDE 3.5.6 and newer
        are not affected. KOffice 1.2 and newer contain the same code.

2. Overview:

        kpdf, the KDE PDF viewer, shares code with xpdf. xpdf contains
        a vulnerability that can cause denial of service (infinite
        loop) via a PDF file that contains a crafted catalog dictionary
        or a crafted Pages attribute that references an invalid page
        tree node.

3. Impact:

        Remotely supplied PDF files can be used to disrupt the kpdf
        viewer on the client machine.

4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package
        provider for information about how to obtain updated binary
        packages.

5. Patch:

        Patch for KOffice 1.2.1 and newer is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        dc28881c39f11c040f8c942e4af238d1  koffce-xpdf-CVE-2007-0104.diff

        Patch for KDE 3.3.2 and newer is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        a690ce46117257609c2b43485ea4d0d7  post-3.5.5-kdegraphics-CVE-2007-0104.diff

        Patch for KDE 3.2.3 and newer is available from
        ftp://ftp.kde.org/pub/kde/security_patches :

        c2d4c2aa3aa990e2dba00f782a140a1b  post-3.2.3-kdegraphics-CVE-2007-0104.diff