Secunia Research has discovered some vulnerabilities in Xpdf, which can be exploited by malicious people to compromise a user's system.

1) An array indexing error exists within the "DCTStream::readProgressiveDataUnit()" method in xpdf/Stream.cc. This can be exploited to corrupt memory via a specially crafted PDF file.

2) An integer overflow error exists within the "DCTStream::reset()" method in xpdf/Stream.cc. This can be exploited to cause a heap-based buffer overflow via a specially crafted PDF file.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

3) A boundary error exists within the "CCITTFaxStream::lookChar()" method in xpdf/Stream.cc. This can be exploited to cause a heap-based buffer overflow by tricking a user into opening a PDF file containing a specially crafted "CCITTFaxDecode" filter.

Successful exploitation allows execution of arbitrary code.

The vulnerabilities are confirmed in Xpdf 3.02. Other versions may also be affected.

Vulnerability Details:
----------------------
1) The vulnerability is caused by missing checks when indexing the "dctZigZag" array in xpdf/Stream.cc at lines 2405, 2429, 2454, 2476 and 2484.

2) The vulnerability is present in xpdf/Stream.cc at line 1967.

3) The vulnerability can be triggered when filling the "codingLine" array in xpdf/Stream.cc at lines 1373, 1375, 1379, 1381, 1480 or 1489. This is triggered when the sum of all black and white codes is smaller than the "/Columns" parameter in "/DecodeParms" (e.g. "getWhiteCode()" constantly returns 0 and "getBlackCode()" constantly returns 1).

Closing comments:
-----------------
We have assigned these vulnerabilities Secunia advisory SA27260 and the following CVE identifiers:
1) CVE-2007-4352
2) CVE-2007-5392
3) CVE-2007-5393

Upstream contacted.

Disclosure date: As soon as the vendor releases a patch, or 2007-10-31. Note that this may be changed if the vendor requests it.

Credits: Alin Rad Pop, Secunia Research.
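As an added illustration (not code from the advisory, xpdf or poppler), the following simplified C model shows the codingLine accumulation pattern behind item 3 above: zero-length runs append entries without advancing along the row, so a loop bounded only by the row width can write past a buffer sized columns + 2. The run-length sequences and the /Columns value are constructed, and the bounds check before each store is the hardening a reviewer would look for.

```c
/* Added example (not xpdf's or poppler's code): a simplified model of how a
 * CCITTFax decoder accumulates "changing element" positions into codingLine[],
 * sized columns + 2 as in xpdf, showing why zero-length runs can overrun it. */
#include <stddef.h>
#include <stdio.h>

#define COLUMNS 8                       /* /Columns from /DecodeParms (constructed) */
#define CODING_LINE_LEN (COLUMNS + 2)   /* allocation size used by xpdf */

/* codes[] is the sequence of run lengths the white/black code tables returned,
 * alternating white, black, white, ... Each run appends one changing element.
 * Returns the number of entries written, or -1 if the row is malformed or
 * would overflow coding_line (the condition the advisory describes). */
static int fill_coding_line(const int *codes, size_t ncodes,
                            int coding_line[CODING_LINE_LEN]) {
    int a0 = 0;              /* current pixel position in the row */
    size_t i = 0, k = 0;
    while (a0 < COLUMNS) {   /* an unhardened loop stops only on row width */
        if (k >= ncodes)
            return -1;       /* bit stream ended before the row was full */
        int run = codes[k++];
        if (run < 0 || run > COLUMNS - a0)
            return -1;       /* run steps past the end of the row */
        /* A zero-length run emits an entry without advancing a0, so a stream
         * like 0,1,0,1,... needs more than columns + 2 entries to reach the
         * row width. Bound the index on every store, not just the position. */
        if (i >= CODING_LINE_LEN)
            return -1;
        a0 += run;
        coding_line[i++] = a0;
    }
    return (int)i;
}

int main(void) {
    int line[CODING_LINE_LEN];
    const int good[] = {3, 2, 3};                         /* constructed row */
    const int bad[] = {0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1};
    printf("well-formed row: %d entries\n",
           fill_coding_line(good, sizeof good / sizeof *good, line));
    printf("zero-run row: %d (rejected)\n",
           fill_coding_line(bad, sizeof bad / sizeof *bad, line));
    return 0;
}
```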
Created attachment 134985 [details, diff] poppler-0.6.1-xpdf-3.02pl2.patch Patch provided by Derek B. Noonburg, recreated to apply to poppler 0.6.1.
Hi Stefan, if you want stable testing before the disclosure date please attach updated ebuilds to this bug. Do not commit anything yet.
Adding Timo as part of printing in case he wants to test this. Still, please do not commit anything.
Created attachment 135418 [details, diff] xpdf-3.02pl2.patch The original xpdf patch against 3.02pl1.
Adding Alexis for tex.
This one is public now. Do we have a list of affected packages?
From our embedded-copies list:

== XPDF ==
* app-text/poppler
* app-text/tetex
* app-text/cstetex
* app-text/ptex
* app-office/kword
* app-office/koffice
* kde-base/kpdf
* kde-base/kdegraphics

False positives:
* media-libs/libextractor: Since 0.5.12 libextractor is shipping its own PDF support and at least in 0.5.15 it is also enabled by default.
* net-print/cups: Uses poppler
* app-text/xpdf: Uses poppler
* gnustep-libs/pdfkit: removed
* gnustep-libs/imagekits: removed
* okular (kpdf in kde 4): Uses poppler
teTex is being handled in bug 198238.
fixed in:
- texlive-core-2007-r6
- tetex-3.0_p1-r5

for ptex, better ping cjk

for cstetex, I don't know. I've mailed the person who was helping us maintain it to know its status; if no answer I'll last rite it.
The bugs blocking this one handle this issue in the packages mentioned in comment 7. printing, any progress on poppler?
Fixed in poppler-0.6.1-r1, applies your attached patch.
Thanks, Timo. Arches, please test and mark stable app-text/poppler-0.6.1-r1. Target keywords : "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86" Please do not mind the bugs blocking this one.
Don't forget app-text/poppler-bindings-0.6.1
x86 stable
Sparc stable for app-text/poppler-0.6.1-r1 and app-text/poppler-bindings-0.6.1.
ppc64 stable
Don't forget app-text/evince-2.20.1, because older versions break with the new poppler.
*** Bug 198616 has been marked as a duplicate of this bug. ***
ppc64 stable: app-text/poppler-0.6.1-r1 app-text/poppler-bindings-0.6.1 app-text/evince-2.20.1
evince done for x86
Sparc done for evince-2.20.1
*** Bug 198706 has been marked as a duplicate of this bug. ***
amd64 done.
alpha/ia64 stable
Stable for HPPA.
Oh, I didn't do evince yet.
Evince stable for HPPA too.
ppc stable - and from what I've heard the GLSA is coming soon ...
app-text/poppler-0.6.1-r1
app-text/poppler-bindings-0.6.1
app-text/evince-2.20.1
app-text/xpdf-3.02

The new one is xpdf here, because 3.01 gets broken with this new xpdf.
Arches, please test and mark stable app-text/xpdf-3.02.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc x86"
Already stabled : "x86"
Missing keywords: "alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc"
Sparc stable for app-text/xpdf-3.02.
xpdf stable for ppc
amd64 stable for xpdf-3.02. Shouldn't 176081 be marked as a duplicate of this? Confusing.
(In reply to comment #35)
> amd64 stable for xpdf-3.02, shouldn't 176081 be marked as duplicate of this?
> confusing.

Sorry, I accidentally did not remove arches from that bug. I'll leave it up to the assignee to close.
back to [glsa]
GLSA 200711-22
Does not affect current (2008.0) release. Removing release.