Bug 681140 (CVE-2019-9587) - <app-text/xpdf-4.01.01: stack consumption issue in md5Round1() located in Decrypt.cc
Status: RESOLVED FIXED
Alias: CVE-2019-9587
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Low trivial
Assignee: Gentoo Security
URL: https://forum.xpdfreader.com/viewtopi...
Whiteboard: ~3 [noglsa cve]
Reported: 2019-03-21 09:30 UTC by D'juan McDonald (domhnall)
Modified: 2019-03-21 22:41 UTC (History)
Description D'juan McDonald (domhnall) 2019-03-21 09:30:17 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2019-9587):

There is a stack consumption issue in md5Round1() located in Decrypt.cc in Xpdf 4.01. It can be triggered by sending a crafted pdf file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact. This is related to Catalog::countPageTree.

@maintainer(s): this issue will be addressed in Xpdf 5.


Gentoo Security Padawan
(domhnall)
Comment 1 Larry the Git Cow gentoo-dev 2019-03-21 11:00:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0a41a80fe3a6ef79385c29bb540684f9aa00d42f

commit 0a41a80fe3a6ef79385c29bb540684f9aa00d42f
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2019-03-21 10:59:47 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2019-03-21 11:00:32 +0000

    app-text/xpdf: remove old and vulnerable version
    
    Bug: https://bugs.gentoo.org/681112
    Bug: https://bugs.gentoo.org/681140
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 app-text/xpdf/Manifest          |   1 -
 app-text/xpdf/xpdf-4.0.1.ebuild | 116 ----------------------------------------
 2 files changed, 117 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b695c59184713a18e2a7809f40088eff130afb6

commit 6b695c59184713a18e2a7809f40088eff130afb6
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2019-03-21 10:55:44 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2019-03-21 11:00:31 +0000

    app-text/xpdf: security version bump
    
    xpdf-4.01.01 fixes several vulnerabilities and problems reported by
    Loginsoft, including CVE-2019-9589.
    
    CVE-2019-9588 and CVE-2019-9587 are probably fixed as well, but it
    is not clear from ChangeLog:
    
    The PDFDoc(BaseStream) initializer wasn't working correctly.
    Fixed a missing array bounds check in PSOutputDev.  [Thanks to
      Loginsoft for the bug report.]
        ^-- CVE-2019-9589
    If the "U" string used for RC4 decryption is short, Adobe apparently
      zero-pads it, so Xpdf now does the same.
        ^-- Maybe CVE-2019-9588
    Pdffonts now checks more carefully for loops between objects.
        ^-- Looks like CVE-2019-9587
    Fixed a problem parsing large real numbers.  [Thanks to Loginsoft for
      the bug report.]
    
    Bug: https://bugs.gentoo.org/681112
    Bug: https://bugs.gentoo.org/681140
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 app-text/xpdf/Manifest            |   1 +
 app-text/xpdf/xpdf-4.01.01.ebuild | 113 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 114 insertions(+)
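Added example, not Xpdf's code and not part of this bug report: a page-tree count with the kind of loop check the quoted ChangeLog line ("checks more carefully for loops between objects") describes, for a traversal like the Catalog::countPageTree named in the description. It assumes the stack consumption comes from /Kids entries that refer back to an ancestor, which the report does not confirm; `Node`, `ObjTable`, `countPagesChecked` and the sample trees are hypothetical and constructed for illustration.

```cpp
#include <cstdio>
#include <map>
#include <set>
#include <vector>

// Constructed model of a PDF page tree: object number -> node.
// isPage marks a leaf (/Type /Page); otherwise the node is an
// intermediate /Pages object whose /Kids are listed by object number.
struct Node { bool isPage; std::vector<int> kids; };
using ObjTable = std::map<int, Node>;

// Counts leaf pages reachable from root. Returns -1 for a malformed tree:
// a dangling reference, or an object reached twice (a loop between objects
// or a shared subtree). The explicit work list replaces recursion, so
// neither a loop nor a very deep tree can exhaust the call stack.
int countPagesChecked(const ObjTable &objs, int root) {
    std::set<int> seen;
    std::vector<int> work{root};
    int pages = 0;
    while (!work.empty()) {
        int num = work.back();
        work.pop_back();
        auto it = objs.find(num);
        if (it == objs.end()) return -1;           // dangling reference
        if (!seen.insert(num).second) return -1;   // revisit: loop detected
        if (it->second.isPage) { ++pages; continue; }
        for (int kid : it->second.kids) work.push_back(kid);
    }
    return pages;
}

// Constructed inputs: a valid two-page tree, a tree whose /Kids point back
// to the root, and a chain of `depth` nested /Pages nodes ending in one page.
ObjTable goodTree() {
    return {{1, Node{false, {2, 3}}}, {2, Node{true, {}}},
            {3, Node{false, {4}}},    {4, Node{true, {}}}};
}
ObjTable loopTree() { return {{1, Node{false, {2}}}, {2, Node{false, {1}}}}; }
ObjTable deepTree(int depth) {
    ObjTable t;
    for (int i = 1; i < depth; ++i) t[i] = Node{false, {i + 1}};
    t[depth] = Node{true, {}};
    return t;
}

int main() {
    std::printf("good=%d loop=%d deep=%d\n", countPagesChecked(goodTree(), 1),
                countPagesChecked(loopTree(), 1),
                countPagesChecked(deepTree(200000), 1));
}
```

A recursive version of the same walk would need both the visited set and a depth limit, since the deep chain alone is enough to exhaust the stack without any loop.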
Comment 2 D'juan McDonald (domhnall) 2019-03-21 18:43:42 UTC
Andrew Savchenko - Thank you for the quick response. 

ping @security, please add to CVETool.