Bug 755938 (CVE-2020-25725, CVE-2020-35376)

Summary: <app-text/xpdf-4.03: multiple vulnerabilities (CVE-2020-{25725,35376})
Product: Gentoo Security
Reporter: filip ambroz <filip.ambroz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: minor
CC: bircoph, maintainer-needed
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://forum.xpdfreader.com/viewtopic.php?f=3&t=41915
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 740260

Description filip ambroz 2020-11-21 12:21:17 UTC
In Xpdf 4.02, SplashOutputDev::endType3Char(GfxState *state) at SplashOutputDev.cc:3079 is trying to use the freed `t3GlyphStack->cache`, which causes a `heap-use-after-free` problem. The code of a previous fix for nested Type 3 characters wasn't correctly handling the case where a Type 3 char referred to another char in the same Type 3 font.

Links:
https://nvd.nist.gov/vuln/detail/CVE-2020-25725
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25725

Reproducible: Always
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-27 18:24:24 UTC
CVE-2020-35376 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42066):

Xpdf 4.02 allows stack consumption because of an incorrect subroutine reference in a Type 1C font charstring, related to the FoFiType1C::getOp() function.


Can't find a vcs repository for xpdf so I can't tell if there's a patch we can fetch from somewhere. (Same goes for all the xpdf vulnerabilities we have, in fact)
Comment 2 Andrew Savchenko gentoo-dev 2020-12-27 21:38:21 UTC
(In reply to John Helmert III (ajak) from comment #1)
> Can't find a vcs repository for xpdf so I can't tell if there's a patch we
> can fetch from somewhere. (Same goes for all the xpdf vulnerabilities we
> have, in fact)

xpdf releases the source code only in tarballs; we'll have to wait until a new version is published.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-28 21:25:51 UTC
(In reply to Andrew Savchenko from comment #2)
> (In reply to John Helmert III (ajak) from comment #1)
> > Can't find a vcs repository for xpdf so I can't tell if there's a patch we
> > can fetch from somewhere. (Same goes for all the xpdf vulnerabilities we
> > have, in fact)
> 
> xpdf releases the source code only in tarballs; we'll have to wait until a
> new version is published.

4.03 is out now.
Comment 4 Andrew Savchenko gentoo-dev 2021-01-30 07:07:22 UTC
Both CVEs are fixed in 4.03:

Check for infinite loops in Type 1C charstring subroutines.  [Thanks
  to blbi for the bug report.]

The Type 3 font cache code wasn't correctly handling the case where a
  Type 3 char refers to another char in the same T3 font.  [Thanks to
  Pangu Lab for the bug report.]

Will update in a while.
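The first CHANGES entry quoted above describes a recursion guard for charstring subroutines. As an added illustration (this is not xpdf's FoFiType1C code and not from anyone on this bug), the toy interpreter below walks a constructed subroutine table and rejects a subroutine that is already on the call stack, with a separate nesting limit as a hard stop. The opcode set, the table layout, the result codes and the MAX_CALL_DEPTH value are assumptions made for the example.

```c
/* Added example, not xpdf code: a toy charstring interpreter over a constructed
 * subroutine table, showing the class of check described by the 4.03 CHANGES
 * entry "Check for infinite loops in Type 1C charstring subroutines".
 * Opcodes, table layout, result codes and limits are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { OP_END = 0, OP_MOVE = 1, OP_CALLSUBR = 2 };  /* hypothetical opcode set */

#define MAX_SUBRS      8
#define MAX_CALL_DEPTH 10   /* nesting budget; Type 2 charstrings specify 10 */

/* Interpreter result codes (constructed for this example). */
enum { CS_OK = 0, CS_ERR_BAD_OP = -1, CS_ERR_BAD_SUBR = -2,
       CS_ERR_RECURSION = -3, CS_ERR_TRUNCATED = -4 };

typedef struct {
    const uint8_t *code[MAX_SUBRS];
    size_t         len[MAX_SUBRS];
    size_t         count;
} SubrTable;

/* Walk one charstring. `on_stack` marks subroutines currently executing, so a
 * subroutine that calls itself (directly or through others) is rejected before
 * the recursion can grow; `depth` is an independent hard limit. */
static int run_charstring(const SubrTable *t, const uint8_t *code, size_t len,
                          int depth, int *moves, uint8_t *on_stack)
{
    if (depth > MAX_CALL_DEPTH)
        return CS_ERR_RECURSION;
    size_t pc = 0;
    while (pc < len) {
        uint8_t op = code[pc++];
        switch (op) {
        case OP_END:
            return CS_OK;
        case OP_MOVE:
            (*moves)++;
            break;
        case OP_CALLSUBR: {
            if (pc >= len)
                return CS_ERR_TRUNCATED;          /* operand missing */
            uint8_t idx = code[pc++];
            if (idx >= t->count)
                return CS_ERR_BAD_SUBR;           /* index outside the table */
            if (on_stack[idx])
                return CS_ERR_RECURSION;          /* cycle: subr already active */
            on_stack[idx] = 1;
            int r = run_charstring(t, t->code[idx], t->len[idx],
                                   depth + 1, moves, on_stack);
            on_stack[idx] = 0;
            if (r != CS_OK)
                return r;
            break;
        }
        default:
            return CS_ERR_BAD_OP;
        }
    }
    return CS_ERR_TRUNCATED;                      /* ran off the end without OP_END */
}

/* Entry point: interpret a glyph charstring against a subroutine table. */
int interpret_glyph(const SubrTable *t, const uint8_t *glyph, size_t len, int *moves)
{
    uint8_t on_stack[MAX_SUBRS] = {0};
    *moves = 0;
    return run_charstring(t, glyph, len, 0, moves, on_stack);
}

/* Constructed inputs: one well-formed glyph, one self-recursive subroutine and
 * one mutually recursive pair. Fills results[3] and returns how many of the
 * three cases were rejected as recursion. */
int demo(int results[3])
{
    static const uint8_t subr_move[] = { OP_MOVE, OP_MOVE, OP_END };
    static const uint8_t subr_self[] = { OP_CALLSUBR, 1, OP_END };   /* subr 1 calls itself */
    static const uint8_t subr_a[]    = { OP_CALLSUBR, 3, OP_END };   /* subr 2 -> subr 3 */
    static const uint8_t subr_b[]    = { OP_CALLSUBR, 2, OP_END };   /* subr 3 -> subr 2 */
    SubrTable t = { { subr_move, subr_self, subr_a, subr_b },
                    { sizeof subr_move, sizeof subr_self, sizeof subr_a, sizeof subr_b },
                    4 };
    static const uint8_t glyph_ok[]   = { OP_MOVE, OP_CALLSUBR, 0, OP_END };
    static const uint8_t glyph_self[] = { OP_CALLSUBR, 1, OP_END };
    static const uint8_t glyph_pair[] = { OP_CALLSUBR, 2, OP_END };
    int moves, rejected = 0;
    results[0] = interpret_glyph(&t, glyph_ok, sizeof glyph_ok, &moves);     /* CS_OK */
    results[1] = interpret_glyph(&t, glyph_self, sizeof glyph_self, &moves); /* CS_ERR_RECURSION */
    results[2] = interpret_glyph(&t, glyph_pair, sizeof glyph_pair, &moves); /* CS_ERR_RECURSION */
    for (int i = 0; i < 3; i++)
        if (results[i] == CS_ERR_RECURSION)
            rejected++;
    return rejected;
}

int main(void)
{
    int r[3];
    int rejected = demo(r);
    printf("ok=%d self=%d pair=%d rejected=%d\n", r[0], r[1], r[2], rejected);
    return 0;
}
```

The on-stack marker catches the cycle at the first repeated subroutine index, which is the precise condition the changelog entry names; the depth limit is what bounds stack use even for chains the marker cannot see (for instance if subroutine indices came from a table the interpreter does not fully control).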
Comment 5 Larry the Git Cow gentoo-dev 2021-01-30 09:52:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee2f467df6f1d70f5d7e7741ac264c6d2893d323

commit ee2f467df6f1d70f5d7e7741ac264c6d2893d323
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2021-01-30 09:47:21 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2021-01-30 09:51:59 +0000

    app-text/xpdf: version bump
    
    This is mostly a bugfix release; it fixes plenty of bugs (see
    CHANGES), including many security issues, including but not limited
    to CVE-2020-{25725,35376}.
    
    Bug: https://bugs.gentoo.org/755938
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 app-text/xpdf/Manifest         |   1 +
 app-text/xpdf/xpdf-4.03.ebuild | 146 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 147 insertions(+)
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-30 10:00:32 UTC
Thanks, tell us when ready to stable.
Comment 7 Andrew Savchenko gentoo-dev 2021-02-06 09:29:54 UTC
Arch teams, please stabilize app-text/xpdf-4.03.
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-08 17:27:04 UTC
x86 done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-09 09:47:31 UTC
amd64 done

all arches done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-09 09:49:01 UTC
Please clean up.
Comment 11 Larry the Git Cow gentoo-dev 2021-02-14 14:45:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8db9d6432f54c3bea1b4d30e9cecd5eea18d1aed

commit 8db9d6432f54c3bea1b4d30e9cecd5eea18d1aed
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2021-02-14 13:27:36 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2021-02-14 14:45:17 +0000

    app-text/xpdf: remove old
    
    Bug: https://bugs.gentoo.org/755938
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 app-text/xpdf/Manifest                        |   1 -
 app-text/xpdf/files/xpdf-CVE-2019-17064.patch |  24 -----
 app-text/xpdf/xpdf-4.02-r4.ebuild             | 145 --------------------------
 3 files changed, 170 deletions(-)
Comment 12 NATTkA bot gentoo-dev 2021-07-29 17:25:16 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2021-07-29 17:33:48 UTC Comment hidden (obsolete)
Comment 14 NATTkA bot gentoo-dev 2021-07-29 17:41:41 UTC Comment hidden (obsolete)
Comment 15 NATTkA bot gentoo-dev 2021-07-29 17:49:51 UTC Comment hidden (obsolete)
Comment 16 NATTkA bot gentoo-dev 2021-07-29 18:05:45 UTC
Package list is empty or all packages have requested keywords.
Comment 17 Andrew Savchenko gentoo-dev 2022-05-15 09:14:53 UTC
Dear security team,
it looks like this bug needs to be closed as fixed.