Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 684846 (CVE-2019-14288, CVE-2019-14289, CVE-2019-14290, CVE-2019-14291, CVE-2019-14292, CVE-2019-14293, CVE-2019-14294, CVE-2019-15860, CVE-2019-16088, CVE-2019-16115, CVE-2019-9877, CVE-2019-9878)

Summary: <app-text/xpdf-4.0.2: Multiple vulnerabilities (CVE-2019-{14288,14289,14290,14291,14292,14293,14294,15860,16088,16115,9877,9878})
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: bircoph
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2019-05-01 00:35:10 UTC
CVE-2019-9878 (https://nvd.nist.gov/vuln/detail/CVE-2019-9878):
  There is an invalid memory access in the function
  GfxIndexedColorSpace::mapColorToBase() located in GfxState.cc in Xpdf 4.0.0,
  as used in pdfalto 0.2. It can be triggered by (for example) sending a
  crafted pdf file to the pdftops binary. It allows an attacker to cause
  Denial of Service (Segmentation fault) or possibly have unspecified other
  impact.

CVE-2019-9877 (https://nvd.nist.gov/vuln/detail/CVE-2019-9877):
  There is an invalid memory access vulnerability in the function
  TextPage::findGaps() located at TextOutputDev.c in Xpdf 4.01, which can (for
  example) be triggered by sending a crafted pdf file to the pdftops binary.
  It allows an attacker to cause Denial of Service (Segmentation fault) or
  possibly have unspecified other impact.
Comment 1 Andrew Savchenko gentoo-dev 2019-10-23 14:42:00 UTC
Hi,

judging from the changelog and thesource diff these bugs are fixed in xpdf-4.02 which is now in the tree.
Comment 2 Thomas Deutschmann gentoo-dev Security 2020-03-02 16:17:28 UTC
Can't find any source stating that CVE-2019-9878 was fixed. Only CVE-2019-9877 is listed on https://www.xpdfreader.com/security-fixes.html.
Comment 3 Andrew Savchenko gentoo-dev 2020-03-02 16:54:36 UTC
(In reply to Thomas Deutschmann from comment #2)
> Can't find any source stating that CVE-2019-9878 was fixed. Only
> CVE-2019-9877 is listed on https://www.xpdfreader.com/security-fixes.html.

There was a significant GfxState.cc rewrite between 4.00 and 4.02. It is unclear whether it fixes bug or not since this bug manifests itself only in third-party project based on xpdf.
Comment 4 Andrew Savchenko gentoo-dev 2020-03-03 21:58:45 UTC
(In reply to Andrew Savchenko from comment #3)
> (In reply to Thomas Deutschmann from comment #2)
> > Can't find any source stating that CVE-2019-9878 was fixed. Only
> > CVE-2019-9877 is listed on https://www.xpdfreader.com/security-fixes.html.
> 
> There was a significant GfxState.cc rewrite between 4.00 and 4.02. It is
> unclear whether it fixes bug or not since this bug manifests itself only in
> third-party project based on xpdf.

I tested xpdf-4.02 and all its utils with provided proof-of-concept file:
https://github.com/SegfaultMasters/covering360/blob/master/pdfalto/NP_01_POC?raw=true

All of them complain a lot about broken file, but work fine otherwise without crashes.

I'm not sure this CVE was originally correct since bug occurs in third party project using xpdf code in unsupported way (xpdf is not a library).
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2020-03-16 06:05:01 UTC
> I'm not sure this CVE was originally correct since bug occurs in third party
> project using xpdf code in unsupported way (xpdf is not a library).

So are you saying it is fixed in 4.02-r2?
Comment 6 Andrew Savchenko gentoo-dev 2020-04-05 08:28:46 UTC
I'm saying that:

1) I'm not sure if this CVE is valid for the xpdf upstream in the first place.
2) Even if it is, it may be fixed already.

I asked upstream for clarification:
https://forum.xpdfreader.com/viewtopic.php?f=1&t=41968
Comment 7 Andrew Savchenko gentoo-dev 2020-04-14 10:54:43 UTC
(In reply to Andrew Savchenko from comment #6)
> I'm saying that:
> 
> 1) I'm not sure if this CVE is valid for the xpdf upstream in the first
> place.
> 2) Even if it is, it may be fixed already.
> 
> I asked upstream for clarification:
> https://forum.xpdfreader.com/viewtopic.php?f=1&t=41968

Upstream says that CVE-2019-9878 is a duplicate of CVE-2018-18455, which was fixed in Xpdf 4.01:
https://forum.xpdfreader.com/viewtopic.php?f=1&t=41968#p42895

Security team, please close this bug.
Comment 8 Sam James archtester gentoo-dev Security 2020-04-21 23:22:13 UTC
(In reply to Andrew Savchenko from comment #7)
> (In reply to Andrew Savchenko from comment #6)
> > I'm saying that:
> > 
> > 1) I'm not sure if this CVE is valid for the xpdf upstream in the first
> > place.
> > 2) Even if it is, it may be fixed already.
> > 
> > I asked upstream for clarification:
> > https://forum.xpdfreader.com/viewtopic.php?f=1&t=41968
> 
> Upstream says that CVE-2019-9878 is a duplicate of CVE-2018-18455, which was
> fixed in Xpdf 4.01:
> https://forum.xpdfreader.com/viewtopic.php?f=1&t=41968#p42895
> 
> Security team, please close this bug.

Thanks for the investigation.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2020-04-21 23:22:45 UTC
CVE-2019-16115 (https://nvd.nist.gov/vuln/detail/CVE-2019-16115):
  In Xpdf 4.01.01, a stack-based buffer under-read could be triggered in
  IdentityFunction::transform in Function.cc, used by
  GfxAxialShading::getColor. It can, for example, be triggered by sending a
  crafted PDF document to the pdftoppm tool. It allows an attacker to use a
  crafted PDF file to cause Denial of Service or possibly unspecified other
  impact.

CVE-2019-16088 (https://nvd.nist.gov/vuln/detail/CVE-2019-16088):
  Xpdf 3.04 has a SIGSEGV in XRef::fetch in XRef.cc after many recursive calls
  to Catalog::countPageTree in Catalog.cc.

CVE-2019-15860 (https://nvd.nist.gov/vuln/detail/CVE-2019-15860):
  Xpdf 2.00 allows a SIGSEGV in XRef::constructXRef in XRef.cc. NOTE: 2.00 is
  a version from November 2002.

CVE-2019-14294 (https://nvd.nist.gov/vuln/detail/CVE-2019-14294):
  An issue was discovered in Xpdf 4.01.01. There is a use-after-free in the
  function JPXStream::fillReadBuf at JPXStream.cc, due to an out of bounds
  read.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2020-04-21 23:23:09 UTC
CVE-2019-14293 (https://nvd.nist.gov/vuln/detail/CVE-2019-14293):
  An issue was discovered in Xpdf 4.01.01. There is an out of bounds read in
  the function GfxPatchMeshShading::parse at GfxState.cc for typeA!=6 case 2.

CVE-2019-14292 (https://nvd.nist.gov/vuln/detail/CVE-2019-14292):
  An issue was discovered in Xpdf 4.01.01. There is an out of bounds read in
  the function GfxPatchMeshShading::parse at GfxState.cc for typeA!=6 case 1.

CVE-2019-14291 (https://nvd.nist.gov/vuln/detail/CVE-2019-14291):
  An issue was discovered in Xpdf 4.01.01. There is an out of bounds read in
  the function GfxPatchMeshShading::parse at GfxState.cc for typeA==6 case 3.

CVE-2019-14290 (https://nvd.nist.gov/vuln/detail/CVE-2019-14290):
  An issue was discovered in Xpdf 4.01.01. There is an out of bounds read in
  the function GfxPatchMeshShading::parse at GfxState.cc for typeA==6 case 2.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2020-04-21 23:23:28 UTC
CVE-2019-14289 (https://nvd.nist.gov/vuln/detail/CVE-2019-14289):
  An issue was discovered in Xpdf 4.01.01. There is an integer overflow in the
  function JBIG2Bitmap::combine at JBIG2Stream.cc for the "multiple bytes per
  line" case.

CVE-2019-14288 (https://nvd.nist.gov/vuln/detail/CVE-2019-14288):
  An issue was discovered in Xpdf 4.01.01. There is an Integer overflow in the
  function JBIG2Bitmap::combine at JBIG2Stream.cc for the "one byte per line"
  case.
Comment 12 Sam James archtester gentoo-dev Security 2020-04-21 23:28:59 UTC
@maintainer: no further action needed, thank you.

Let's call this fixed in 4.0.2. There are *far* too many CVEs here, some with duplicate fixes, and so on. Not all have been referenced in changelogs either.

It looks like we're done as of the latest version.