RealNetworks Inc. and KDE eV on Tuesday both released patches for their desktop software, fixing serious security holes that could allow an attacker to take over a users system.
The update to KOffice, the productivity suite that is part of the K Desktop Environment, patched flaws in a library called xpdf, which handles PDF files. The integer overflow bugs allow an attacker to craft a document using Adobes PDF that executes malicious code when viewed by an application relying on xpdf.
In the case of KOffice, users could have been attacked via KWords PDF import filter. Version 1.3.4, available from KDE, fixes the bug, project maintainers said.
Because the bugs also affect applications that use xpdf, such as the CUPS printing system, they have prompted a flood of updates from major Linux vendors since Friday. Red Hat Inc., Novell Inc.s SuSE Linux division, MandrakeSoft SA, the KDE project, Debian, Gentoo Technologies Inc. and others have issued updates for CUPS, xpdf, kdegraphics and related components.
The xpdf flaw is just one of the serious security flaws Linux vendors have patched in the past few days. The libtiff and libpng graphics libraries, used by many graphics applications, and the Gaim instant-messaging client were all found to contain bugs that could allow remote system compromise. Patches are available from Linux vendors and from the Gaim project..
Meanwhile, RealNetworks said several versions of its RealPlayer and RealOne Player for Windows—some of the most widely used desktop applications—contain a flaw that could attack users via a specially-crafted "skin" file.
Skins are used to customize the appearance of a player, and have become a well-known vector for launching attacks. In this case, a third-party compression library, DUNZIP32.dll, contains a boundary error that can be triggered during the processing of skin files, according to RealNetworks. An attacker could cause a buffer overflow, allowing the execution of malicious code, the company said in an advisory.
RealOne Player versions 1 and 2 are affected, as are versions 10 to 10.5 (22.214.171.1243) of RealPlayer; a more recent version of RealPlayer, 10.5 (126.96.36.1996), is not affected. Linux and Mac OS X versions arent affected. Patches are available for the more recent affected applications, but users of older products must download a full upgrade to fix the bug.
Earlier this month RealNetworks patched a bug in its Windows players that could have allowed a Web site to execute code on a users PC. That vulnerability, like the latest skin file flaw, was reported to RealNetworks by eEye Digital Security Inc.