| Field | Value |
|---|---|
| Summary | app-text/xpdf-4.04: multiple vulnerabilities |
| Product | Gentoo Security |
| Reporter | John Helmert III <ajak> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | IN_PROGRESS |
| Severity | normal |
| CC | bircoph, maintainer-needed |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | B2 [glsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 856010 |
| Bug Blocks | |
Description
John Helmert III
2022-04-26 00:26:08 UTC
I'm planning an update at the beginning of May.

CVE-2022-30524 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42261):

There is an invalid memory access in the TextLine class in TextOutputDev.cc in Xpdf 4.0.4 because the text extractor mishandles characters at large y coordinates. It can be triggered by (for example) sending a crafted pdf file to the pdftotext binary, which allows a remote attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7de5ff2a819eb06c7cb3ae30728a82670f0462f6

```
commit 7de5ff2a819eb06c7cb3ae30728a82670f0462f6
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2022-05-15 13:49:16 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2022-05-15 13:57:09 +0000

    app-text/xpdf: Update to 4.04.

    This fixes numerous security issues.

    Bug: https://bugs.gentoo.org/840873
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 app-text/xpdf/Manifest         |   2 +
 app-text/xpdf/xpdf-4.04.ebuild | 149 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 151 insertions(+)
```

Please stabilize when ready

Just to avoid confusion:

This update fixes CVE-2022-27135, CVE-2022-24106, but not CVE-2022-30524. It also fixes other security issues, most likely without CVE:

- Added a missing bounds check on stream DecodeParms arrays. [Thanks to minipython for the bug report.]
- Fixed an integer overflow check in XRef::readXRefTable. [Thanks to yangshufan for the bug report.] <-- This is CVE-2022-27135
- Added missing array length and type checks in Gfx::doForm(). [Thanks to shaohua for the bug report.]
- Fixed an integer overflow security hole in the JBIG2 decoder.
- Added an integer overflow check in JPXStream. (JPXStream issue) [Thanks to Shin Ando @ Ricera Security for the bug report.]
- The DCT (JPEG) decoder was allowing the 'interleaved' flag to be changed after the first scan of the image. (CVE-2022-24106) [Thanks to Shin Ando @ Ricera Security for the bug report.]

(In reply to Andrew Savchenko from comment #5)

> Just to avoid confusion:
>
> This update fixes CVE-2022-27135, CVE-2022-24106, but not CVE-2022-30524. It
> also fixes other security issues, most likely without CVE:
>
> Added a missing bounds check on stream DecodeParms arrays. [Thanks to
> minipython for the bug report.]
> Fixed an integer overflow check in XRef::readXRefTable. [Thanks to
> yangshufan for the bug report.] <-- This is CVE-2022-27135
> Added missing array length and type checks in Gfx::doForm(). [Thanks
> to shaohua for the bug report.]
> Fixed an integer overflow security hole in the JBIG2 decoder.
> Added an integer overflow check in JPXStream. (JPXStream issue)
> [Thanks to Shin Ando @ Ricera Security for the bug report.]
> The DCT (JPEG) decoder was allowing the 'interleaved' flag to be
> changed after the first scan of the image. (CVE-2022-24106) [Thanks
> to Shin Ando @ Ricera Security for the bug report.]

Thanks, popping the unfixed CVE into another bug.

CVE-2021-27548 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42115):

There is a Null Pointer Dereference vulnerability in the XFAScanner::scanNode() function in XFAScanner.cc in xpdf 4.03.

Seems this is also fixed in 4.04 based on this forum post?

(In reply to John Helmert III from comment #7)

> CVE-2021-27548 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42115):
>
> There is a Null Pointer Dereference vulnerability in the
> XFAScanner::scanNode() function in XFAScanner.cc in xpdf 4.03.
>
> Seems this is also fixed in 4.04 based on this forum post?

Yet, this issue is fixed in 4.04:

Added a missing null check in the XFA form scanner. [Thanks to Taolaw for the bug report.]

xpdf-4.04 is ready for stabilization

Andrew, it was announced almost a year ago that stabilization no longer happens in security bugs: https://archives.gentoo.org/gentoo-dev-announce/message/66f1227144d451eac3c1f641771be557

Also, it's better to rely on nattka to CC arch aliases so that they are only brought in when a bug is really ready for them.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9acdf0acbed78a5c950374c190da2ccdfa640c5f

```
commit 9acdf0acbed78a5c950374c190da2ccdfa640c5f
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2022-07-26 10:38:55 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2022-07-26 15:00:10 +0000

    app-text/xpdf: drop 4.03

    Bug: https://bugs.gentoo.org/840873
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 app-text/xpdf/Manifest         |   1 -
 app-text/xpdf/xpdf-4.03.ebuild | 146 -----------------------------------------
 2 files changed, 147 deletions(-)
```

CVE-2022-38171:

Xpdf prior to version 4.04 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readSymbolDictSeg() in JBIG2Stream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2021-30860 (Apple CoreGraphics).

CVE-2022-24107:

No idea! I only found it thanks to https://www.xpdfreader.com/security-fixes.html.