Bug 681112 (CVE-2019-9588, CVE-2019-9589) - <app-text/xpdf-4.01.01: multiple vulnerabilities
Summary: <app-text/xpdf-4.01.01: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2019-9588, CVE-2019-9589
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Low trivial
Assignee: Gentoo Security
URL: https://forum.xpdfreader.com/viewtopi...
Whiteboard: ~3 [noglsa cve]
Reported: 2019-03-21 06:36 UTC by D'juan McDonald (domhnall)
Modified: 2019-03-21 22:41 UTC

Description D'juan McDonald (domhnall) 2019-03-21 06:36:18 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2019-9589):

There is a NULL pointer dereference vulnerability in PSOutputDev::setupResources() located in PSOutputDev.cc in Xpdf 4.01. It can be triggered by sending a crafted pdf file to (for example) the pdftops binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.

Reference: https://research.loginsoft.com/vulnerability/null-pointer-dereference-vulnerability-in-function-psoutputdevsetupresources-xpdf-4-01/

Vulnerable code:
if ((gsDict.dictGetValNF(i, &gsRef)->isRef())) {
    ref0 = gsRef.getRef();
    skip = (GBool)visitedResources[ref0.num];   // <-- line marked in the report
    visitedResources[ref0.num] = 1;
}


Gentoo Security Padawan
(domhnall)
Comment 1 D'juan McDonald (domhnall) 2019-03-21 07:59:05 UTC
Reference [2] suggests CVE-2019-9877; research does not return any such CVE.

[2] Reference: https://research.loginsoft.com/vulnerability/invalid-memory-access-in-textpagefindgaps-xpdf-4-01/ 


(https://nvd.nist.gov/vuln/detail/CVE-2019-9588):

There is an Invalid memory access in gAtomicIncrement() located at GMutex.h in Xpdf 4.01. It can be triggered by sending a crafted pdf file to (for example) the pdftops binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.

[3] Reference: https://research.loginsoft.com/vulnerability/invalid-memory-access-in-gatomiccounter-gatomicincrement-xpdf-4-01/
Comment 2 Larry the Git Cow gentoo-dev 2019-03-21 11:00:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0a41a80fe3a6ef79385c29bb540684f9aa00d42f

commit 0a41a80fe3a6ef79385c29bb540684f9aa00d42f
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2019-03-21 10:59:47 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2019-03-21 11:00:32 +0000

    app-text/xpdf: remove old and vulnerable version
    
    Bug: https://bugs.gentoo.org/681112
    Bug: https://bugs.gentoo.org/681140
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 app-text/xpdf/Manifest          |   1 -
 app-text/xpdf/xpdf-4.0.1.ebuild | 116 ----------------------------------------
 2 files changed, 117 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b695c59184713a18e2a7809f40088eff130afb6

commit 6b695c59184713a18e2a7809f40088eff130afb6
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2019-03-21 10:55:44 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2019-03-21 11:00:31 +0000

    app-text/xpdf: security version bump
    
    xpdf-4.01.01 fixes several vulnerabilities and problems reported by
    Loginsoft, including CVE-2019-9589.
    
    CVE-2019-9588 and CVE-2019-9587 are probably fixed as well, but it
    is not clear from ChangeLog:
    
    The PDFDoc(BaseStream) initializer wasn't working correctly.
    Fixed a missing array bounds check in PSOutputDev.  [Thanks to
      Loginsoft for the bug report.]
        ^-- CVE-2019-9589
    If the "U" string used for RC4 decryption is short, Adobe apparently
      zero-pads it, so Xpdf now does the same.
        ^-- Maybe CVE-2019-9588
    Pdffonts now checks more carefully for loops between objects.
        ^-- Looks like CVE-2019-9587
    Fixed a problem parsing large real numbers.  [Thanks to Loginsoft for
      the bug report.]
    
    Bug: https://bugs.gentoo.org/681112
    Bug: https://bugs.gentoo.org/681140
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 app-text/xpdf/Manifest            |   1 +
 app-text/xpdf/xpdf-4.01.01.ebuild | 113 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 114 insertions(+)
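
Added example (not part of this bug report and not Xpdf's actual patch): the ChangeLog entry quoted above describes the CVE-2019-9589 fix as a missing array bounds check, and the snippet in the description indexes visitedResources with ref0.num taken from the file. The sketch below shows that kind of check on a stand-in table. The names VisitedResources, mark and walkResources are hypothetical, and sizing the table by the number of xref objects is an assumption.

```cpp
// Added example, not Xpdf source. Type and function names are hypothetical;
// sizing the table by the xref object count is an assumption.
#include <cstddef>
#include <cstdio>
#include <vector>

struct Ref { int num; int gen; };            // indirect reference "num gen R"
struct Summary { int emitted = 0, skipped = 0, rejected = 0; };

class VisitedResources {
public:
    explicit VisitedResources(std::size_t numObjects) : seen_(numObjects, 0) {}

    // The reported code did, in effect:
    //     skip = seen_[ref.num]; seen_[ref.num] = 1;
    // with ref.num taken from the file. Here the index is validated first.
    // Returns false when ref.num cannot index the table.
    bool mark(const Ref &ref, bool *alreadySeen) {
        if (ref.num < 0 || static_cast<std::size_t>(ref.num) >= seen_.size())
            return false;
        *alreadySeen = seen_[ref.num] != 0;
        seen_[ref.num] = 1;
        return true;
    }
private:
    std::vector<char> seen_;                 // one flag per object number
};

// Walk the references found in a resource dictionary, as the loop in the
// report does, and count how each one was handled.
Summary walkResources(const std::vector<Ref> &refs, std::size_t numObjects) {
    VisitedResources visited(numObjects);
    Summary s;
    for (const Ref &r : refs) {
        bool seen = false;
        if (!visited.mark(r, &seen)) { ++s.rejected; continue; }  // malformed ref
        if (seen) ++s.skipped; else ++s.emitted;
    }
    return s;
}

int main() {
    // Constructed input: a 10-object document whose dictionary also carries
    // a repeated reference and two object numbers outside the xref range.
    std::vector<Ref> refs = {{3, 0}, {7, 0}, {3, 0}, {-1, 0}, {2147483647, 0}};
    Summary s = walkResources(refs, 10);
    std::printf("emitted=%d skipped=%d rejected=%d\n", s.emitted, s.skipped, s.rejected);
    return 0;
}
```
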
Comment 3 D'juan McDonald (domhnall) 2019-03-21 18:46:22 UTC
Andrew Savchenko - Thank you for the timely response.

ping @security, please add to CVETool.