In Xpdf 4.02, SplashOutputDev::endType3Char(GfxState *state) at SplashOutputDev.cc:3079 is trying to use the freed `t3GlyphStack->cache`, which causes a `heap-use-after-free` problem. The code of a previous fix for nested Type 3 characters wasn't correctly handling the case where a Type 3 char referred to another char in the same Type 3 font.

Links:
https://nvd.nist.gov/vuln/detail/CVE-2020-25725
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25725

Reproducible: Always
CVE-2020-35376 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42066): Xpdf 4.02 allows stack consumption because of an incorrect subroutine reference in a Type 1C font charstring, related to the FoFiType1C::getOp() function.

Can't find a VCS repository for xpdf, so I can't tell if there's a patch we can fetch from somewhere. (Same goes for all the xpdf vulnerabilities we have, in fact.)
(In reply to John Helmert III (ajak) from comment #1)
> Can't find a vcs repository for xpdf so I can't tell if there's a patch we
> can fetch from somewhere. (Same goes for all the xpdf vulnerabilities we
> have, in fact)

xpdf releases the source code only in tarballs; we'll have to wait until a new version is published.
(In reply to Andrew Savchenko from comment #2)
> (In reply to John Helmert III (ajak) from comment #1)
> > Can't find a vcs repository for xpdf so I can't tell if there's a patch we
> > can fetch from somewhere. (Same goes for all the xpdf vulnerabilities we
> > have, in fact)
>
> xpdf releases the source code only in tarballs, we'll have to wait until a
> new version will be published.

4.03 is out now.
Both CVEs are fixed in 4.03:

> Check for infinite loops in Type 1C charstring subroutines. [Thanks to blbi for the bug report.]

> The Type 3 font cache code wasn't correctly handling the case where a Type 3 char refers to another char in the same T3 font. [Thanks to Pangu Lab for the bug report.]

Will update in a while.
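Added example, not xpdf's code (the 4.03 fix itself is only described in CHANGES): a toy C++ charstring walker showing the kind of check the first CHANGES entry describes, so that a Type 1C subroutine that references itself (directly or through another subr) is reported as a loop instead of being followed until the native stack is exhausted. The text op format, all identifiers and the depth cap are constructed for this example.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Constructed toy format, not real CFF bytes: a charstring is a list of text
// ops; "callsubr <n>" jumps into subroutine n, any other op counts as drawing.
using Charstring = std::vector<std::string>;
using Subrs = std::vector<Charstring>;

enum class Walk { Ok, BadSubr, Loop };
static const int kMaxDepth = 10;  // nesting cap assumed for this example

static bool parseCall(const std::string &op, size_t &callee) {
  static const std::string kw = "callsubr ";
  if (op.compare(0, kw.size(), kw) != 0) return false;
  callee = std::stoul(op.substr(kw.size()));
  return true;
}

// The bug class: without a record of which subrs are already on the call
// path, a self-referencing subr recurses until the stack is gone. Here a subr
// still active on the path is a cycle (Walk::Loop), and kMaxDepth bounds
// stack use for long non-cyclic chains as well.
static Walk walkGuarded(const Subrs &subrs, size_t idx, size_t &nOps,
                        std::vector<bool> &active, int depth) {
  if (idx >= subrs.size()) return Walk::BadSubr;  // dangling subr reference
  if (active[idx] || depth > kMaxDepth) return Walk::Loop;
  active[idx] = true;
  for (const std::string &op : subrs[idx]) {
    size_t callee;
    if (!parseCall(op, callee)) { ++nOps; continue; }
    Walk w = walkGuarded(subrs, callee, nOps, active, depth + 1);
    if (w != Walk::Ok) return w;
  }
  active[idx] = false;  // leaving: a sibling call may legitimately reuse it
  return Walk::Ok;
}

// Walk the glyph starting at subr 0; optionally report how many drawing ops ran.
static Walk checkCharstring(const Subrs &subrs, size_t *nOps = nullptr) {
  std::vector<bool> active(subrs.size(), false);
  size_t n = 0;
  Walk w = walkGuarded(subrs, 0, n, active, 0);
  if (nOps) *nOps = n;
  return w;
}
static size_t opCount(const Subrs &s) { size_t n = 0; checkCharstring(s, &n); return n; }

// Constructed samples: subr 0 draws then calls 1, 1 calls 2, 2 draws; the
// cyclic variant has subr 2 call 0 again (the infinite-loop case).
static Subrs sampleAcyclic() { return {{"rmoveto", "callsubr 1"}, {"callsubr 2"}, {"rlineto", "endchar"}}; }
static Subrs sampleCyclic()  { return {{"rmoveto", "callsubr 1"}, {"callsubr 2"}, {"callsubr 0"}}; }
```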
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee2f467df6f1d70f5d7e7741ac264c6d2893d323

commit ee2f467df6f1d70f5d7e7741ac264c6d2893d323
Author: Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2021-01-30 09:47:21 +0000
Commit: Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2021-01-30 09:51:59 +0000

    app-text/xpdf: version bump

    This is mostly a bugfix release; it fixes plenty of bugs (see CHANGES), including many security issues, including but not limited to CVE-2020-{25725,35376}.

    Bug: https://bugs.gentoo.org/755938
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 app-text/xpdf/Manifest         |   1 +
 app-text/xpdf/xpdf-4.03.ebuild | 146 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 147 insertions(+)
Thanks, tell us when ready to stable.
Arch teams, please stabilize app-text/xpdf-4.03.
x86 done
amd64 done

all arches done
Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8db9d6432f54c3bea1b4d30e9cecd5eea18d1aed

commit 8db9d6432f54c3bea1b4d30e9cecd5eea18d1aed
Author: Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2021-02-14 13:27:36 +0000
Commit: Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2021-02-14 14:45:17 +0000

    app-text/xpdf: remove old

    Bug: https://bugs.gentoo.org/755938
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 app-text/xpdf/Manifest                        |   1 -
 app-text/xpdf/files/xpdf-CVE-2019-17064.patch |  24 -----
 app-text/xpdf/xpdf-4.02-r4.ebuild             | 145 --------------------------
 3 files changed, 170 deletions(-)
Package list is empty or all packages have requested keywords.
Dear security team, it looks like this bug needs to be closed as fixed.