Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 196735 - app-text/poppler < 0.6.1-r1 Multiple issues in XPDF code (CVE-2007-{4352|5392|5393})
Summary: app-text/poppler < 0.6.1-r1 Multiple issues in XPDF code (CVE-2007-{4352|5392...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/27260/
Whiteboard: B2 [glsa]
Keywords:
: 198616 198706 (view as bug list)
Depends on: CVE-2007-0650 198238 198409
Blocks: 176081
  Show dependency tree
 
Reported: 2007-10-22 19:50 UTC by Sune Kloppenborg Jeppesen
Modified: 2020-04-03 07:01 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
poppler-0.6.1-xpdf-3.02pl2.patch (poppler-0.6.1-xpdf-3.02pl2.patch,17.00 KB, patch)
2007-11-02 02:32 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
xpdf-3.02pl2.patch (xpdf-3.02pl2.patch,20.35 KB, patch)
2007-11-07 11:35 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2007-10-22 19:50:06 UTC
Secunia Research has discovered some vulnerabilities in Xpdf, which can
be exploited by malicious people to compromise a user's system.

1) An array indexing error exists within the
"DCTStream::readProgressiveDataUnit()" method in xpdf/Stream.cc. This
can be exploited to corrupt memory via a specially crafted PDF file.

2) An integer overflow error exists within the "DCTStream::reset()"
method in xpdf/Stream.cc. This can be exploited to cause a heap-based
buffer overflow via a specially crafted PDF file.

Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.

3) A boundary error exists within the "CCITTFaxStream::lookChar()"
method in xpdf/Stream.cc. This can be exploited to cause a heap-based
buffer overflow by tricking a user into opening a PDF file containing a
specially crafted "CCITTFaxDecode" filter.

Successful exploitation allows execution of arbitrary code.

The vulnerabilities are confirmed in Xpdf 3.02. Other versions may also
be affected.

Vulnerability Details:
----------------------

1) The vulnerability is caused by missing checks when indexing the
"dctZigZag" array in xpdf/Stream.cc at lines 2405, 2429, 2454, 2476 and
2484. 

2) The vulnerability is present in xpdf/Stream.cc at line 1967.

3) The vulnerability can be triggered when filling the "codingLine"
array in xpdf/Stream.cc at lines 1373, 1375, 1379, 1381, 1480 or 1489.
This is triggered when the sum of all black and white codes is smaller
than the "/Columns" parameter in "/DecodeParms" (e.g. "getWhiteCode()"
constantly returns 0 and "getBlackCode()" constantly returns 1).   


Closing comments:
-----------------

We have assigned these vulnerabilities Secunia advisory SA27260 and the
following CVE identifiers:
1) CVE-2007-4352
2) CVE-2007-5392
3) CVE-2007-5393

Upstream contacted.
Disclosure date: As soon as the vendor releases a patch, or 2007-10-31.
                 Note that this may be changed if the vendor requests it.

Credits:
Alin Rad Pop, Secunia Research.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-02 02:32:17 UTC
Created attachment 134985 [details, diff]
poppler-0.6.1-xpdf-3.02pl2.patch

Patch provided by Derek B. Noonburg, recreated to apply to poppler 0.6.1.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-11-02 02:33:37 UTC
Hi Stefan, if you want stable testing before the disclosure date please attach
updated ebuilds to this bug. Do not commit anything yet.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-11-05 21:36:32 UTC
Adding Timo as part of printing in case he wants to test this. Still, please do not commit anything.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 11:35:46 UTC
Created attachment 135418 [details, diff]
xpdf-3.02pl2.patch

The original xpdf patch against 3.02pl1.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 11:36:30 UTC
Adding Alexis for tex.
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2007-11-07 19:34:57 UTC
This one is public now. Do we have a list of affected packages?
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 23:24:22 UTC
From our embedded-copies list:

== XPDF ==
* app-text/poppler
* app-text/tetex
* app-text/cstetex
* app-text/ptex
* app-office/kword
* app-office/koffice
* kde-base/kpdf
* kde-base/kdegraphics

False positives:
* media-libs/libextractor: Since 0.5.12 libextractor is shipping its own PDF support
  and at least in 0.5.15 it is also enabled by default.
* net-print/cups: Uses poppler
* app-text/xpdf: Uses poppler
* gnustep-libs/pdfkit: removed
* gnustep-libs/imagekits: removed
* okular (kpdf in kde 4): Uses poppler
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 23:29:03 UTC
teTex is being handled in bug 198238.
Comment 9 Alexis Ballier gentoo-dev 2007-11-07 23:33:14 UTC
fixed in:
- texlive-core-2007-r6
- tetex-3.0_p1-r5

for ptex, better ping cjk

for cstetex, I dont know, I've mailed the person who was helping us maintaining it to know it status, if no answer I'll last rite it.

Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-11-07 23:53:25 UTC
The bugs blocking this one handle this issue in the packages mentioned in comment 7.

printing, any progress on poppler?
Comment 11 Timo Gurr (RETIRED) gentoo-dev 2007-11-08 23:38:46 UTC
Fixed in poppler-0.6.1-r1, applies your attached patch.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2007-11-09 09:54:49 UTC
Thanks, Timo.

Arches, please test and mark stable app-text/poppler-0.6.1-r1.
Target keywords : "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"

Please do not mind the bugs blocking this one.
Comment 13 Christian Faulhammer (RETIRED) gentoo-dev 2007-11-09 14:45:31 UTC
Don't forget app-text/poppler-bindings-0.6.1
Comment 14 Christian Faulhammer (RETIRED) gentoo-dev 2007-11-09 16:19:56 UTC
x86 stable
Comment 15 Ferris McCormick (RETIRED) gentoo-dev 2007-11-09 17:03:12 UTC
Sparc stable for app-text/poppler-0.6.1-r1 and app-text/poppler-bindings-0.6.1.
Comment 16 Markus Rothe (RETIRED) gentoo-dev 2007-11-10 00:12:18 UTC
ppc64 stable
Comment 17 Stefan Schweizer (RETIRED) gentoo-dev 2007-11-10 08:17:19 UTC
Don't forget app-text/evince-2.20.1, because older versions break with the new poppler.
Comment 18 Stefan Schweizer (RETIRED) gentoo-dev 2007-11-10 08:18:15 UTC
*** Bug 198616 has been marked as a duplicate of this bug. ***
Comment 19 Markus Rothe (RETIRED) gentoo-dev 2007-11-10 10:13:28 UTC
ppc64 stable:

app-text/poppler-0.6.1-r1
app-text/poppler-bindings-0.6.1
app-text/evince-2.20.1
Comment 20 Christian Faulhammer (RETIRED) gentoo-dev 2007-11-10 12:52:38 UTC
evince done for x86
Comment 21 Ferris McCormick (RETIRED) gentoo-dev 2007-11-10 13:18:00 UTC
Sparc done for evince-2.20.1
Comment 22 Jakub Moc (RETIRED) gentoo-dev 2007-11-10 16:21:44 UTC
*** Bug 198706 has been marked as a duplicate of this bug. ***
Comment 23 Daniel Gryniewicz (RETIRED) gentoo-dev 2007-11-10 19:02:26 UTC
amd64 done.
Comment 24 Raúl Porcel (RETIRED) gentoo-dev 2007-11-11 11:05:43 UTC
alpha/ia64 stable
Comment 25 Jeroen Roovers gentoo-dev 2007-11-12 12:06:30 UTC
Stable for HPPA.
Comment 26 Jeroen Roovers gentoo-dev 2007-11-12 12:11:40 UTC
Oh, I didn't do evince yet.
Comment 27 Jeroen Roovers gentoo-dev 2007-11-12 12:42:05 UTC
Evince stable for HPPA too.
Comment 28 Tobias Scherbaum (RETIRED) gentoo-dev 2007-11-14 22:14:48 UTC
ppc stable - and from what i've heard the glsa is coming soon ...
Comment 29 Stefan Schweizer (RETIRED) gentoo-dev 2007-11-18 11:57:17 UTC
app-text/poppler-0.6.1-r1
app-text/poppler-bindings-0.6.1
app-text/evince-2.20.1
app-text/xpdf-3.02

The new one is xpdf here, because 3.01 gets broken with this new xpdf.
Comment 30 Robert Buchholz (RETIRED) gentoo-dev 2007-11-18 14:38:07 UTC
Arches, please test and mark stable app-text/xpdf-3.02.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc x86"
Already stabled : "x86"
Missing keywords: "alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc"
Comment 31 Ferris McCormick (RETIRED) gentoo-dev 2007-11-18 16:40:09 UTC
Sparc stable for app-text/xpdf-3.02.
Comment 32 Tobias Scherbaum (RETIRED) gentoo-dev 2007-11-18 17:03:22 UTC
xpdf stable for ppc
Comment 33 Jeroen Roovers gentoo-dev 2007-11-18 17:35:12 UTC
Stable for HPPA.
Comment 34 Markus Rothe (RETIRED) gentoo-dev 2007-11-18 17:37:21 UTC
ppc64 stable
Comment 35 Samuli Suominen gentoo-dev 2007-11-18 18:11:45 UTC
amd64 stable for xpdf-3.02, shouldn't 176081 be marked as duplicate of this? confusing.
Comment 36 Robert Buchholz (RETIRED) gentoo-dev 2007-11-18 18:32:01 UTC
(In reply to comment #35)
> amd64 stable for xpdf-3.02, shouldn't 176081 be marked as duplicate of this?
> confusing.

Sorry, I accidently did not remove arches from that bug. I'll leave it up to the assignee to close.
Comment 37 Raúl Porcel (RETIRED) gentoo-dev 2007-11-18 20:31:17 UTC
alpha/ia64 stable
Comment 38 Robert Buchholz (RETIRED) gentoo-dev 2007-11-18 20:36:11 UTC
back to [glsa]
Comment 39 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-18 21:00:13 UTC
GLSA 200711-22
Comment 40 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 09:45:43 UTC
Does not affect current (2008.0) release. Removing release.