Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 845027 (CVE-2022-30524, CVE-2022-30775, CVE-2022-38222, CVE-2022-38928, CVE-2022-41843)

Summary: <app-text/xpdf-4.05: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: minor CC: bircoph, maintainer-needed
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://forum.xpdfreader.com/viewtopic.php?f=3&t=42261
Whiteboard: B3 [stable?]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-16 16:39:56 UTC 
CVE-2022-30524:

There is an invalid memory access in the TextLine class in TextOutputDev.cc in Xpdf 4.0.4 because the text extractor mishandles characters at large y coordinates. It can be triggered by (for example) sending a crafted pdf file to the pdftotext binary, which allows a remote attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-16 17:00:32 UTC 
CVE-2022-30775 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42264):

xpdf 4.04 allocates excessive memory when presented with crafted input. This can be triggered by (for example) sending a crafted PDF document to the pdftoppm binary. It is most easily reproduced with the DCMAKE_CXX_COMPILER=afl-clang-fast++ option.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-23 01:40:57 UTC 
Both "fixed in the next release" as of May, so not in 4.04.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-21 20:24:31 UTC 
CVE-2022-38928 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42325&sid=7b08ba9a518a99ce3c5ff40e53fc6421):

XPDF 4.04 is vulnerable to Null Pointer Dereference in FoFiType1C.cc:2393.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-30 15:13:13 UTC 
CVE-2022-38222 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42320):

There is a use-after-free issue in JBIG2Stream::close() located in JBIG2Stream.cc in Xpdf 4.04. It can be triggered by sending a crafted PDF file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service or possibly have unspecified other impact.

CVE-2022-41843 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42325&sid=7b08ba9a518a99ce3c5ff40e53fc6421):
https://forum.xpdfreader.com/viewtopic.php?f=1&t=42344

An issue was discovered in Xpdf 4.04. There is a crash in convertToType0 in fofi/FoFiType1C.cc, a different vulnerability than CVE-2022-38928.

These too "fixed in next release".
Comment 5 Larry the Git Cow gentoo-dev 2024-07-20 21:12:39 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=47a254308b64f4462a3cdcc7ce49655b41b7bdb5

commit 47a254308b64f4462a3cdcc7ce49655b41b7bdb5
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2024-07-20 21:04:06 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2024-07-20 21:12:13 +0000

    app-text/xpdf: add 4.05
    
    * Add qt6 support per bug 925519, use updated font-paths patch from
    Andrii Batyiev.
    
    * Update simplified Chinese and Korean language support packages.
    
    * Fix the following CVEs:
      - CVE-2018-7453 PDF object loop in AcroForm::scanField
      - CVE-2018-16369 PDF object loop in AcroForm::scanField
      - CVE-2019-9587 PDF object loop in Catalog::countPageTree
      - CVE-2019-9588 PDF object loop in Catalog::countPageTree
      - CVE-2019-16088 PDF object loop in Catalog::countPageTree
      - CVE-2022-30524 logic bug in text extractor led to invalid memory access
      - CVE-2022-30775 integer overflow in rasterizer
      - CVE-2022-33108 PDF object loop in Catalog::countPageTree
      - CVE-2022-36561 PDF object loop in AcroForm::scanField
      - CVE-2022-38222 logic bug in JBIG2 decoder
      - CVE-2022-38334 PDF object loop in Catalog::countPageTree
      - CVE-2022-38928 missing bounds check in CFF font converter caused null
                       pointer dereference
      - CVE-2022-41842 PDF object loop in Catalog::countPageTree
      - CVE-2022-41843 missing bounds check in CFF font parser caused invalid
                       memory access
      - CVE-2022-41844 PDF object loop in AcroForm::scanField
      - CVE-2022-43071 PDF object loop in Catalog::readPageLabelTree2
      - CVE-2022-43295 PDF object loop in Catalog::countPageTree
      - CVE-2022-45586 PDF object loop in Catalog::countPageTree
      - CVE-2022-45587 PDF object loop in Catalog::countPageTree
      - CVE-2023-2662 Divide-by-zero in Xpdf 4.04 due to bad color space object
      - CVE-2023-2663 PDF object loop in Catalog::readPageLabelTree2
      - CVE-2023-2664 PDF object loop in Catalog::readEmbeddedFileTree
      - CVE-2023-3044 Divide-by-zero in Xpdf 4.04 due to very large page size
      - CVE-2023-3436 Deadlock in Xpdf 4.04 due to PDF object stream references
    
    Closes: https://bugs.gentoo.org/925519
    Bug: https://bugs.gentoo.org/845027
    Bug: https://bugs.gentoo.org/856475
    Bug: https://bugs.gentoo.org/881351
    Bug: https://bugs.gentoo.org/908037
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 app-text/xpdf/Manifest                         |   4 +
 app-text/xpdf/files/xpdf-4.05-font-paths.patch |  46 +++++++
 app-text/xpdf/xpdf-4.05.ebuild                 | 161 +++++++++++++++++++++++++
 3 files changed, 211 insertions(+)
Comment 6 Andrew Savchenko gentoo-dev 2024-07-20 21:20:02 UTC 
Please note that all CVEs mentioned in this bug's alias are fixed in xpdf-4.05.