
Bug 386271

Summary: app-text/xpdf: Multiple vulnerabilities (CVE-2009-4035,CVE-2010-{3702,3704})
Product: Gentoo Security
Component: Vulnerabilities
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Assignee: Gentoo Security <security>
CC: jrmalaq, stephan.litterst, walch.martin

Description GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 12:57:09 UTC
CVE-2010-3704 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3704):
  The FoFiType1::parse function in fofi/FoFiType1.cc in the PDF parser in xpdf
  before 3.02pl5, poppler 0.8.7 and possibly other versions up to 0.15.1,
  kdegraphics, and possibly other products allows context-dependent attackers
  to cause a denial of service (crash) and possibly execute arbitrary code via
  a PDF file with a crafted Type1 font that contains a negative array index,
  which bypasses input validation and which triggers memory corruption.

CVE-2010-3702 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3702):
  The Gfx::getPos function in the PDF parser in xpdf before 3.02pl5, poppler
  0.8.7 and possibly other versions up to 0.15.1, CUPS, kdegraphics, and
  possibly other products allows context-dependent attackers to cause a denial
  of service (crash) via unknown vectors that trigger an uninitialized pointer
  dereference.

CVE-2009-4035 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4035):
  The FoFiType1::parse function in fofi/FoFiType1.cc in Xpdf 3.0.0, gpdf
  2.8.2, kpdf in kdegraphics 3.3.1, and possibly other libraries and versions,
  does not check the return value of the getNextLine function, which allows
  context-dependent attackers to execute arbitrary code via a PDF file with a
  crafted Type 1 font that can produce a negative value, leading to a
  signed-to-unsigned integer conversion error and a buffer overflow.


Looking at the xpdf-3.02-r4 ebuild, it seems it uses pl3. Please bump to using pl5.
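As an added illustration for the CVE-2010-3704 entry above (this is not xpdf's or poppler's code, nor the fix shipped in 3.02pl5/3.03), the C program below models the bug pattern that entry describes: a Type 1 `dup <code> /<name> put` encoding entry whose code is checked only against the upper bound of the 256-slot encoding array, so a negative code passes the check and the store lands before the start of the array. The function names (`next_line`, `parse_encoding`, `validate_upper_only`, `validate_both_bounds`, `guard_after_parse`), the sample font fragment and the guard-buffer layout are all assumptions made for this example; the guard region exists only so the out-of-bounds write can be observed instead of crashing the program.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENC_SIZE 256
#define GUARD 8

/* Constructed sample of a Type 1 font's Encoding section (not taken from any
 * real font). The "dup -3" entry is the crafted negative index. */
static const char SAMPLE[] =
    "/Encoding 256 array\n"
    "0 1 255 {1 index exch /.notdef put} for\n"
    "dup 65 /A put\n"
    "dup -3 /bullet put\n"
    "dup 300 /zcaron put\n"
    "readonly def\n";

/* Stand-in for a getNextLine()-style helper (assumed name): returns the
 * start of the following line, or NULL at end of input. The caller must
 * check for NULL before using the result. */
static const char *next_line(const char *line) {
    const char *nl = strchr(line, '\n');
    return (nl != NULL && nl[1] != '\0') ? nl + 1 : NULL;
}

typedef int (*validate_fn)(long code);

/* Parses "dup <code> /<name> put" entries into encoding[], storing the first
 * byte of the glyph name. validate() decides whether code may be used as an
 * index. Returns the number of entries rejected. */
static int parse_encoding(const char *text, int *encoding, validate_fn validate) {
    int rejected = 0;
    for (const char *line = text; line != NULL; line = next_line(line)) {
        if (strncmp(line, "dup ", 4) != 0)
            continue;
        char *end;
        long code = strtol(line + 4, &end, 10);
        const char *eol = strchr(line, '\n');
        const char *name = strchr(end, '/');
        if (end == line + 4 || name == NULL || (eol != NULL && name > eol)) {
            rejected++;            /* malformed entry */
            continue;
        }
        if (!validate(code)) {
            rejected++;            /* out-of-range code */
            continue;
        }
        encoding[code] = (unsigned char)name[1];
    }
    return rejected;
}

/* Vulnerable check: only the upper bound is tested, so -3 passes and
 * encoding[-3] is written, i.e. memory before the array. */
static int validate_upper_only(long code) { return code < ENC_SIZE; }

/* Hardened check: both bounds, as a fixed parser must do. */
static int validate_both_bounds(long code) { return code >= 0 && code < ENC_SIZE; }

/* Runs parse_encoding over SAMPLE with encoding[] placed after a guard region
 * inside one larger array, so the out-of-bounds store stays inside that array
 * and can be inspected. Returns the value found three slots before
 * encoding[0] (0 if untouched) and, through rejected_out, the number of
 * rejected entries. */
static int guard_after_parse(validate_fn validate, int *rejected_out) {
    int slab[GUARD + ENC_SIZE];
    memset(slab, 0, sizeof slab);
    int rejected = parse_encoding(SAMPLE, slab + GUARD, validate);
    if (rejected_out != NULL)
        *rejected_out = rejected;
    return slab[GUARD - 3];
}

static int rejected_count(validate_fn validate) {
    int rejected = 0;
    guard_after_parse(validate, &rejected);
    return rejected;
}

int main(void) {
    int rejected;
    int hit = guard_after_parse(validate_upper_only, &rejected);
    printf("upper-bound-only check: slot before array = %d, rejected = %d\n", hit, rejected);
    hit = guard_after_parse(validate_both_bounds, &rejected);
    printf("both-bounds check:      slot before array = %d, rejected = %d\n", hit, rejected);
    return 0;
}
```

With the upper-bound-only check the slot three ints before the array ends up holding 'b' (from `/bullet`), which is the write the CVE text calls a negative array index bypassing input validation; with both bounds checked the slot stays 0 and the entry is counted as rejected, the shape of the "integer bounds check in the Type 1 encoding parser" listed in the 3.03 changelog quoted later in this bug. The loop also stops when `next_line()` returns NULL, which is the check whose absence the CVE-2009-4035 text names for `getNextLine`; the example shows the defensive form only and does not reproduce that original bug.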
Comment 1 Agostino Sarubbo gentoo-dev 2011-10-22 09:31:46 UTC
*** Bug 388089 has been marked as a duplicate of this bug. ***
Comment 2 Agostino Sarubbo gentoo-dev 2011-10-22 09:36:56 UTC
@printing:

3.03 is out, with the following security update (from changelog):

-Fixed a buffer overflow security hole in StreamPredictor.

-Rewrote the CCITTFax decoder inner loop - this fixes a security hole.

-Fixed two security holes (missing bounds checks) in the DCT decoder.

-Fixed a security hole: integer bounds check in the Type 1 encoding parser in FoFiType1.cc

-Commented out the t1lib section in the configure script -- t1lib has some potential security holes, and hasn't been updated in years.
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2012-02-28 20:43:27 UTC
Removed from the portage tree.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-02-29 22:01:58 UTC
(In reply to comment #3)
> Removed from the portage tree.

Thank you. GLSA request filed.
Comment 5 Martin Bays 2013-11-23 23:06:07 UTC
I've just come across this on noting that xpdf is no longer in the portage
tree. Am I reading right that it was temporarily removed due to this bug? Is
it coming back? Can I help with getting it back?
Comment 6 Sergey Popov gentoo-dev 2013-11-24 14:25:35 UTC
(In reply to Martin Bays from comment #5)
> I've just come across this on noting that xpdf is no longer in the portage
> tree. Am I reading right that it was temporarily removed due to this bug? Is
> it coming back? Can I help with getting it back?

Open another bug report for this; this one is for tracking security vulnerabilities and the GLSA release process (which continues even if the package was removed from the tree).
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-02-17 20:21:31 UTC
This issue was resolved and addressed in
 GLSA 201402-17 at http://security.gentoo.org/glsa/glsa-201402-17.xml
by GLSA coordinator Mikle Kolyada (Zlogene).