Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 755938 (CVE-2020-25725, CVE-2020-35376)

Summary: <app-text/xpdf-4.03: multiple vulnerabilities (CVE-2020-{25725,35376})
Product: Gentoo Security Reporter: filip ambroz <filip.ambroz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: bircoph
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://forum.xpdfreader.com/viewtopic.php?f=3&t=41915
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 740260    

Description filip ambroz 2020-11-21 12:21:17 UTC
In Xpdf 4.02, SplashOutputDev::endType3Char(GfxState *state) SplashOutputDev.cc:3079 is trying to use the freed `t3GlyphStack->cache`, which causes an `heap-use-after-free` problem. The codes of a previous fix for nested Type 3 characters wasn't correctly handling the case where a Type 3 char referred to another char in the same Type 3 font.

Links:
https://nvd.nist.gov/vuln/detail/CVE-2020-25725
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25725

Reproducible: Always
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-27 18:24:24 UTC
CVE-2020-35376 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42066):

Xpdf 4.02 allows stack consumption because of an incorrect subroutine reference in a Type 1C font charstring, related to the FoFiType1C::getOp() function.


Can't find a vcs repository for xpdf so I can't tell if there's a patch we can fetch from somewhere. (Same goes for all the xpdf vulnerabilities we have, in fact)
Comment 2 Andrew Savchenko gentoo-dev 2020-12-27 21:38:21 UTC
(In reply to John Helmert III (ajak) from comment #1)
> Can't find a vcs repository for xpdf so I can't tell if there's a patch we
> can fetch from somewhere. (Same goes for all the xpdf vulnerabilities we
> have, in fact)

xpdf releases the source code only in tarballs, we'll have to wait until a new version will be published.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-28 21:25:51 UTC
(In reply to Andrew Savchenko from comment #2)
> (In reply to John Helmert III (ajak) from comment #1)
> > Can't find a vcs repository for xpdf so I can't tell if there's a patch we
> > can fetch from somewhere. (Same goes for all the xpdf vulnerabilities we
> > have, in fact)
> 
> xpdf releases the source code only in tarballs, we'll have to wait until a
> new version will be published.

4.03 is out now.
Comment 4 Andrew Savchenko gentoo-dev 2021-01-30 07:07:22 UTC
Both CVEs are fixed in the 4.03:

Check for infinite loops in Type 1C charstring subroutines.  [Thanks
  to blbi for the bug report.]

The Type 3 font cache code wasn't correctly handling the case where a
  Type 3 char refers to another char in the same T3 font.  [Thanks to
  Pangu Lab for the bug report.]

Will update in a while.
Comment 5 Larry the Git Cow gentoo-dev 2021-01-30 09:52:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee2f467df6f1d70f5d7e7741ac264c6d2893d323

commit ee2f467df6f1d70f5d7e7741ac264c6d2893d323
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2021-01-30 09:47:21 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2021-01-30 09:51:59 +0000

    app-text/xpdf: version bump
    
    This is mostly a bugfix release, it fixes plentiful of bugs (see
    CHANGES) including many security issues, including but not limited
    to CVE-2020-{25725,35376}.
    
    Bug: https://bugs.gentoo.org/755938
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 app-text/xpdf/Manifest         |   1 +
 app-text/xpdf/xpdf-4.03.ebuild | 146 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 147 insertions(+)
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-30 10:00:32 UTC
Thanks, tell us when ready to stable.
Comment 7 Andrew Savchenko gentoo-dev 2021-02-06 09:29:54 UTC
Arch teams, please stabilize app-text/xpdf-4.03.
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-08 17:27:04 UTC
x86 done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-09 09:47:31 UTC
amd64 done

all arches done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-09 09:49:01 UTC
Please cleanup.
Comment 11 Larry the Git Cow gentoo-dev 2021-02-14 14:45:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8db9d6432f54c3bea1b4d30e9cecd5eea18d1aed

commit 8db9d6432f54c3bea1b4d30e9cecd5eea18d1aed
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2021-02-14 13:27:36 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2021-02-14 14:45:17 +0000

    app-text/xpdf: remove old
    
    Bug: https://bugs.gentoo.org/755938
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 app-text/xpdf/Manifest                        |   1 -
 app-text/xpdf/files/xpdf-CVE-2019-17064.patch |  24 -----
 app-text/xpdf/xpdf-4.02-r4.ebuild             | 145 --------------------------
 3 files changed, 170 deletions(-)
Comment 12 NATTkA bot gentoo-dev 2021-07-29 17:25:16 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2021-07-29 17:33:48 UTC Comment hidden (obsolete)
Comment 14 NATTkA bot gentoo-dev 2021-07-29 17:41:41 UTC Comment hidden (obsolete)
Comment 15 NATTkA bot gentoo-dev 2021-07-29 17:49:51 UTC Comment hidden (obsolete)
Comment 16 NATTkA bot gentoo-dev 2021-07-29 18:05:45 UTC
Package list is empty or all packages have requested keywords.
Comment 17 Andrew Savchenko gentoo-dev 2022-05-15 09:14:53 UTC
Dear security team,
it looks like this bug needs to be closed as fixed.