Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 840873 (CVE-2021-27548, CVE-2022-24106, CVE-2022-27135) - <app-text/xpdf-4.04: multiple vulnerabilities
Summary: <app-text/xpdf-4.04: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2021-27548, CVE-2022-24106, CVE-2022-27135
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [stable]
Keywords:
Depends on: 856010
Blocks:
  Show dependency tree
 
Reported: 2022-04-26 00:26 UTC by John Helmert III
Modified: 2022-07-02 22:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-26 00:26:08 UTC
CVE-2022-27135 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42232):

xpdf 4.03 has heap buffer overflow in the function readXRefTable located in XRef.cc. An attacker can exploit this bug to cause a Denial of Service (Segmentation fault) or other unspecified effects by sending a crafted PDF file to the pdftoppm binary.

https://forum.xpdfreader.com/viewtopic.php?f=3&t=42197

"Fixed in the next release".
Comment 1 Andrew Savchenko gentoo-dev 2022-04-26 23:01:07 UTC
I'm planning an update at the bigginning of May.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-12 02:54:08 UTC
CVE-2022-30524 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42261):

There is an invalid memory access in the TextLine class in TextOutputDev.cc in Xpdf 4.0.4 because the text extractor mishandles characters at large y coordinates. It can be triggered by (for example) sending a crafted pdf file to the pdftotext binary, which allows a remote attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.
Comment 3 Larry the Git Cow gentoo-dev 2022-05-15 13:58:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7de5ff2a819eb06c7cb3ae30728a82670f0462f6

commit 7de5ff2a819eb06c7cb3ae30728a82670f0462f6
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2022-05-15 13:49:16 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2022-05-15 13:57:09 +0000

    app-text/xpdf: Update to 4.04.
    
    This fixes numerous security issues.
    
    Bug: https://bugs.gentoo.org/840873
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 app-text/xpdf/Manifest         |   2 +
 app-text/xpdf/xpdf-4.04.ebuild | 149 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 151 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-15 15:30:40 UTC
Please stabilize when ready
Comment 5 Andrew Savchenko gentoo-dev 2022-05-15 17:04:59 UTC
Just to avoid confusion:

This update fixes CVE-2022-27135, CVE-2022-24106, but not CVE-2022-30524. It also fixes other security issues, most likely without CVE:

Added a missing bounds check on stream DecodeParms arrays.  [Thanks to
  minipython for the bug report.]
Fixed an integer overflow check in XRef::readXRefTable.  [Thanks to
  yangshufan for the bug report.] <-- This is CVE-2022-27135
Added missing array length and type checks in Gfx::doForm().  [Thanks
  to shaohua for the bug report.]
Fixed an integer overflow security hole in the JBIG2 decoder.
Added an integer overflow check in JPXStream.  (JPXStream issue)
  [Thanks to Shin Ando @ Ricera Security for the bug report.]
The DCT (JPEG) decoder was allowing the 'interleaved' flag to be
  changed after the first scan of the image.  (CVE-2022-24106) [Thanks
  to Shin Ando @ Ricera Security for the bug report.]
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-16 16:38:28 UTC
(In reply to Andrew Savchenko from comment #5)
> Just to avoid confusion:
> 
> This update fixes CVE-2022-27135, CVE-2022-24106, but not CVE-2022-30524. It
> also fixes other security issues, most likely without CVE:
> 
> Added a missing bounds check on stream DecodeParms arrays.  [Thanks to
>   minipython for the bug report.]
> Fixed an integer overflow check in XRef::readXRefTable.  [Thanks to
>   yangshufan for the bug report.] <-- This is CVE-2022-27135
> Added missing array length and type checks in Gfx::doForm().  [Thanks
>   to shaohua for the bug report.]
> Fixed an integer overflow security hole in the JBIG2 decoder.
> Added an integer overflow check in JPXStream.  (JPXStream issue)
>   [Thanks to Shin Ando @ Ricera Security for the bug report.]
> The DCT (JPEG) decoder was allowing the 'interleaved' flag to be
>   changed after the first scan of the image.  (CVE-2022-24106) [Thanks
>   to Shin Ando @ Ricera Security for the bug report.]

Thanks, popping the unfixed CVE into another bug.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-18 17:29:07 UTC
CVE-2021-27548 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42115):

There is a Null Pointer Dereference vulnerability in the XFAScanner::scanNode() function in XFAScanner.cc in xpdf 4.03.

Seems this is also fixed in 4.04 based on this forum post?
Comment 8 Andrew Savchenko gentoo-dev 2022-07-02 17:56:55 UTC
(In reply to John Helmert III from comment #7)
> CVE-2021-27548 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42115):
> 
> There is a Null Pointer Dereference vulnerability in the
> XFAScanner::scanNode() function in XFAScanner.cc in xpdf 4.03.
> 
> Seems this is also fixed in 4.04 based on this forum post?

Yet, this issue is fixed in 4.04:

Added a missing null check in the XFA form scanner.  [Thanks to Taolaw
  for the bug report.]
Comment 9 Andrew Savchenko gentoo-dev 2022-07-02 17:57:54 UTC
xpdf-4.04 is ready for stabilization
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-02 22:36:56 UTC
Andrew, it was announced almost a year ago that stabilization no longer happens in security bugs: https://archives.gentoo.org/gentoo-dev-announce/message/66f1227144d451eac3c1f641771be557

Also, it's better to rely on nattka to CC arch aliases so that they are only brought in when a bug is really ready for them.