Comment 1 John Helmert III 2023-06-08 04:30:13 UTC

CVE-2023-2662 (https://forum.xpdfreader.com/viewtopic.php?t=42505):

In Xpdf 4.04 (and earlier), a bad color space object in the input PDF file can cause a divide-by-zero.

Comment 2 Hans de Graaff 2023-10-23 12:39:16 UTC

(In reply to John Helmert III from comment #0)
> CVE-2021-40226:
> 
> xpdfreader 4.03 is vulnerable to Buffer Overflow.
> 
> Another famous "fixed in next release", but from over a year ago. Did
> this get a fix?

Looks like it from the 4.04 changes list:

"Added a missing bounds check on stream DecodeParms arrays."

Comment 3 Larry the Git Cow 2024-07-20 21:12:38 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=47a254308b64f4462a3cdcc7ce49655b41b7bdb5

commit 47a254308b64f4462a3cdcc7ce49655b41b7bdb5
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2024-07-20 21:04:06 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2024-07-20 21:12:13 +0000

    app-text/xpdf: add 4.05
    
    * Add qt6 support per bug 925519, use updated font-paths patch from
    Andrii Batyiev.
    
    * Update simplified Chinese and Korean language support packages.
    
    * Fix the following CVEs:
      - CVE-2018-7453 PDF object loop in AcroForm::scanField
      - CVE-2018-16369 PDF object loop in AcroForm::scanField
      - CVE-2019-9587 PDF object loop in Catalog::countPageTree
      - CVE-2019-9588 PDF object loop in Catalog::countPageTree
      - CVE-2019-16088 PDF object loop in Catalog::countPageTree
      - CVE-2022-30524 logic bug in text extractor led to invalid memory access
      - CVE-2022-30775 integer overflow in rasterizer
      - CVE-2022-33108 PDF object loop in Catalog::countPageTree
      - CVE-2022-36561 PDF object loop in AcroForm::scanField
      - CVE-2022-38222 logic bug in JBIG2 decoder
      - CVE-2022-38334 PDF object loop in Catalog::countPageTree
      - CVE-2022-38928 missing bounds check in CFF font converter caused null
                       pointer dereference
      - CVE-2022-41842 PDF object loop in Catalog::countPageTree
      - CVE-2022-41843 missing bounds check in CFF font parser caused invalid
                       memory access
      - CVE-2022-41844 PDF object loop in AcroForm::scanField
      - CVE-2022-43071 PDF object loop in Catalog::readPageLabelTree2
      - CVE-2022-43295 PDF object loop in Catalog::countPageTree
      - CVE-2022-45586 PDF object loop in Catalog::countPageTree
      - CVE-2022-45587 PDF object loop in Catalog::countPageTree
      - CVE-2023-2662 Divide-by-zero in Xpdf 4.04 due to bad color space object
      - CVE-2023-2663 PDF object loop in Catalog::readPageLabelTree2
      - CVE-2023-2664 PDF object loop in Catalog::readEmbeddedFileTree
      - CVE-2023-3044 Divide-by-zero in Xpdf 4.04 due to very large page size
      - CVE-2023-3436 Deadlock in Xpdf 4.04 due to PDF object stream references
    
    Closes: https://bugs.gentoo.org/925519
    Bug: https://bugs.gentoo.org/845027
    Bug: https://bugs.gentoo.org/856475
    Bug: https://bugs.gentoo.org/881351
    Bug: https://bugs.gentoo.org/908037
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 app-text/xpdf/Manifest                         |   4 +
 app-text/xpdf/files/xpdf-4.05-font-paths.patch |  46 +++++++
 app-text/xpdf/xpdf-4.05.ebuild                 | 161 +++++++++++++++++++++++++
 3 files changed, 211 insertions(+)

Comment 4 Hans de Graaff 2024-07-21 06:09:58 UTC

I have moved the CVE fixed in 4.05 over to bug 936407 so we can keep tracking the unfixed issue here.