In Xpdf 4.02, SplashOutputDev::endType3Char(GfxState *state) at SplashOutputDev.cc:3079 is trying to use the freed `t3GlyphStack->cache`, which causes a `heap-use-after-free` problem. The code of a previous fix for nested Type 3 characters wasn't correctly handling the case where a Type 3 char referred to another char in the same Type 3 font.

Links:
https://nvd.nist.gov/vuln/detail/CVE-2020-25725
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25725

Reproducible: Always
CVE-2020-35376 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42066): Xpdf 4.02 allows stack consumption because of an incorrect subroutine reference in a Type 1C font charstring, related to the FoFiType1C::getOp() function.

Can't find a vcs repository for xpdf so I can't tell if there's a patch we can fetch from somewhere. (Same goes for all the xpdf vulnerabilities we have, in fact)
(In reply to John Helmert III (ajak) from comment #1)
> Can't find a vcs repository for xpdf so I can't tell if there's a patch we
> can fetch from somewhere. (Same goes for all the xpdf vulnerabilities we
> have, in fact)

xpdf releases the source code only in tarballs; we'll have to wait until a new version is published.
(In reply to Andrew Savchenko from comment #2)
> (In reply to John Helmert III (ajak) from comment #1)
> > Can't find a vcs repository for xpdf so I can't tell if there's a patch we
> > can fetch from somewhere. (Same goes for all the xpdf vulnerabilities we
> > have, in fact)
>
> xpdf releases the source code only in tarballs, we'll have to wait until a
> new version will be published.

4.03 is out now.
Both CVEs are fixed in 4.03:

Check for infinite loops in Type 1C charstring subroutines. [Thanks to blbi for the bug report.]

The Type 3 font cache code wasn't correctly handling the case where a Type 3 char refers to another char in the same T3 font. [Thanks to Pangu Lab for the bug report.]

Will update in a while.
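The 4.03 changelog entry above only says that Type 1C charstring subroutines are now checked for infinite loops. As an added illustration (not xpdf's FoFiType1C code, and not the 4.03 patch), the interpreter below shows the two checks a charstring executor needs so that a malformed subroutine reference cannot consume the stack: a cycle check against the subroutines currently on the call stack, and a hard cap on nesting depth. The op set, the sample subroutine table and the helper names (`CharstringInterp`, `sampleSubrs`, `chainSubrs`) are constructed for this example; the depth cap of 10 follows the nesting limit the Type 2 charstring specification allows.

```cpp
// Added example: a toy charstring interpreter that refuses unbounded
// subroutine recursion. This is NOT xpdf's FoFiType1C code; the op set,
// sample subroutines and the depth cap are constructed for illustration.
#include <cstddef>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

enum class OpKind { Draw, CallSubr, Return, EndChar };
struct Op { OpKind kind; int arg; };       // arg: subroutine index for CallSubr
using Charstring = std::vector<Op>;

struct ExecResult {
  bool ok;            // glyph program terminated normally
  int drawOps;        // drawing operators executed before termination/abort
  std::string error;  // diagnostic when !ok
};

class CharstringInterp {
public:
  // maxDepth: the Type 2 charstring spec allows 10 nested subroutine calls;
  // anything deeper is treated as malformed here.
  explicit CharstringInterp(std::vector<Charstring> subrs, int maxDepth = 10)
      : subrs_(std::move(subrs)), maxDepth_(maxDepth) {}

  ExecResult run(const Charstring& glyph) {
    ExecResult r{true, 0, ""};
    std::vector<int> active;               // subr indices currently on the call stack
    if (exec(glyph, active, r) == Status::Error) r.ok = false;
    return r;
  }

private:
  enum class Status { Ok, Ended, Error };

  Status exec(const Charstring& cs, std::vector<int>& active, ExecResult& r) {
    for (const Op& op : cs) {
      switch (op.kind) {
        case OpKind::Draw:    ++r.drawOps; break;
        case OpKind::Return:  return Status::Ok;
        case OpKind::EndChar: return Status::Ended;   // ends the whole glyph
        case OpKind::CallSubr: {
          const int idx = op.arg;
          if (idx < 0 || static_cast<size_t>(idx) >= subrs_.size()) {
            r.error = "subroutine index out of range: " + std::to_string(idx);
            return Status::Error;
          }
          // Cycle check: a subr that is already on the call stack has not
          // returned yet, so calling it again can only recurse forever.
          for (int a : active) {
            if (a == idx) {
              r.error = "subroutine " + std::to_string(idx) + " re-entered (infinite recursion)";
              return Status::Error;
            }
          }
          // Depth cap: bounds native stack use even for acyclic call chains.
          if (static_cast<int>(active.size()) >= maxDepth_) {
            r.error = "subroutine nesting exceeds " + std::to_string(maxDepth_);
            return Status::Error;
          }
          active.push_back(idx);
          Status s = exec(subrs_[idx], active, r);
          active.pop_back();
          if (s != Status::Ok) return s;   // propagate EndChar and errors
          break;
        }
      }
    }
    return Status::Ok;
  }

  std::vector<Charstring> subrs_;
  int maxDepth_;
};

// Constructed sample subroutine table:
//  0: draws and returns       1: calls itself
//  2 <-> 3: mutual recursion  4: calls subr 0 twice
std::vector<Charstring> sampleSubrs() {
  return {
    {{OpKind::Draw, 0}, {OpKind::Return, 0}},
    {{OpKind::CallSubr, 1}},
    {{OpKind::CallSubr, 3}, {OpKind::Return, 0}},
    {{OpKind::CallSubr, 2}, {OpKind::Return, 0}},
    {{OpKind::CallSubr, 0}, {OpKind::CallSubr, 0}, {OpKind::Return, 0}},
  };
}

// Acyclic chain subr[0] -> subr[1] -> ... -> subr[n-1] (which draws): shows
// that the depth cap fires even when no subroutine repeats.
std::vector<Charstring> chainSubrs(int n) {
  std::vector<Charstring> subrs;
  for (int i = 0; i < n - 1; ++i) subrs.push_back({{OpKind::CallSubr, i + 1}, {OpKind::Return, 0}});
  subrs.push_back({{OpKind::Draw, 0}, {OpKind::Return, 0}});
  return subrs;
}

int main() {
  CharstringInterp interp(sampleSubrs());
  const Charstring glyphs[] = {
    {{OpKind::CallSubr, 4}, {OpKind::Draw, 0}, {OpKind::EndChar, 0}},  // well-formed
    {{OpKind::CallSubr, 1}, {OpKind::EndChar, 0}},                     // self-recursive
    {{OpKind::CallSubr, 2}, {OpKind::EndChar, 0}},                     // mutually recursive
  };
  for (const Charstring& g : glyphs) {
    ExecResult r = interp.run(g);
    std::printf("%s (draw ops: %d) %s\n", r.ok ? "ok" : "rejected", r.drawOps, r.error.c_str());
  }
  return 0;
}
```

The cycle check alone is not enough: a font can also supply a long acyclic chain of subroutines, which is why the depth cap is kept as a second, independent bound. Both failures are reported as a malformed charstring rather than crashing the process, which is the behaviour a renderer wants when fonts come from untrusted documents.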
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee2f467df6f1d70f5d7e7741ac264c6d2893d323

commit ee2f467df6f1d70f5d7e7741ac264c6d2893d323
Author: Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2021-01-30 09:47:21 +0000
Commit: Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2021-01-30 09:51:59 +0000

    app-text/xpdf: version bump

    This is mostly a bugfix release, it fixes plenty of bugs (see CHANGES)
    including many security issues, including but not limited to
    CVE-2020-{25725,35376}.

    Bug: https://bugs.gentoo.org/755938
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 app-text/xpdf/Manifest         |   1 +
 app-text/xpdf/xpdf-4.03.ebuild | 146 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 147 insertions(+)
Thanks, tell us when ready to stable.
Arch teams, please stabilize app-text/xpdf-4.03.
x86 done
amd64 done

all arches done
Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8db9d6432f54c3bea1b4d30e9cecd5eea18d1aed

commit 8db9d6432f54c3bea1b4d30e9cecd5eea18d1aed
Author: Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2021-02-14 13:27:36 +0000
Commit: Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2021-02-14 14:45:17 +0000

    app-text/xpdf: remove old

    Bug: https://bugs.gentoo.org/755938
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 app-text/xpdf/Manifest                        |   1 -
 app-text/xpdf/files/xpdf-CVE-2019-17064.patch |  24 -----
 app-text/xpdf/xpdf-4.02-r4.ebuild             | 145 --------------------------
 3 files changed, 170 deletions(-)
Package list is empty or all packages have requested keywords.
Dear security team, it looks like this bug needs to be closed as fixed.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3d1d6faaf9bb5e88750cd68aae6ddfdecdcb2454

commit 3d1d6faaf9bb5e88750cd68aae6ddfdecdcb2454
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-07 04:34:27 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-07 04:35:42 +0000

    [ GLSA 202405-18 ] Xpdf: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/755938
    Bug: https://bugs.gentoo.org/840873
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-18.xml | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)