CVE-2022-30524: There is an invalid memory access in the TextLine class in TextOutputDev.cc in Xpdf 4.0.4 because the text extractor mishandles characters at large y coordinates. It can be triggered by (for example) sending a crafted PDF file to the pdftotext binary, which allows a remote attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.
CVE-2022-30775 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42264): xpdf 4.04 allocates excessive memory when presented with crafted input. This can be triggered by (for example) sending a crafted PDF document to the pdftoppm binary. It is most easily reproduced with the DCMAKE_CXX_COMPILER=afl-clang-fast++ option.
Both "fixed in the next release" as of May, so not in 4.04.
CVE-2022-38928 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42325&sid=7b08ba9a518a99ce3c5ff40e53fc6421): XPDF 4.04 is vulnerable to Null Pointer Dereference in FoFiType1C.cc:2393.
CVE-2022-38222 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42320): There is a use-after-free issue in JBIG2Stream::close() located in JBIG2Stream.cc in Xpdf 4.04. It can be triggered by sending a crafted PDF file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service or possibly have unspecified other impact.

CVE-2022-41843 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42325&sid=7b08ba9a518a99ce3c5ff40e53fc6421, https://forum.xpdfreader.com/viewtopic.php?f=1&t=42344): An issue was discovered in Xpdf 4.04. There is a crash in convertToType0 in fofi/FoFiType1C.cc, a different vulnerability than CVE-2022-38928.

These too are "fixed in next release".
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=47a254308b64f4462a3cdcc7ce49655b41b7bdb5

commit 47a254308b64f4462a3cdcc7ce49655b41b7bdb5
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2024-07-20 21:04:06 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2024-07-20 21:12:13 +0000

    app-text/xpdf: add 4.05

    * Add qt6 support per bug 925519, use updated font-paths patch from Andrii Batyiev.
    * Update simplified Chinese and Korean language support packages.
    * Fix the following CVEs:
      - CVE-2018-7453  PDF object loop in AcroForm::scanField
      - CVE-2018-16369 PDF object loop in AcroForm::scanField
      - CVE-2019-9587  PDF object loop in Catalog::countPageTree
      - CVE-2019-9588  PDF object loop in Catalog::countPageTree
      - CVE-2019-16088 PDF object loop in Catalog::countPageTree
      - CVE-2022-30524 logic bug in text extractor led to invalid memory access
      - CVE-2022-30775 integer overflow in rasterizer
      - CVE-2022-33108 PDF object loop in Catalog::countPageTree
      - CVE-2022-36561 PDF object loop in AcroForm::scanField
      - CVE-2022-38222 logic bug in JBIG2 decoder
      - CVE-2022-38334 PDF object loop in Catalog::countPageTree
      - CVE-2022-38928 missing bounds check in CFF font converter caused null pointer dereference
      - CVE-2022-41842 PDF object loop in Catalog::countPageTree
      - CVE-2022-41843 missing bounds check in CFF font parser caused invalid memory access
      - CVE-2022-41844 PDF object loop in AcroForm::scanField
      - CVE-2022-43071 PDF object loop in Catalog::readPageLabelTree2
      - CVE-2022-43295 PDF object loop in Catalog::countPageTree
      - CVE-2022-45586 PDF object loop in Catalog::countPageTree
      - CVE-2022-45587 PDF object loop in Catalog::countPageTree
      - CVE-2023-2662  Divide-by-zero in Xpdf 4.04 due to bad color space object
      - CVE-2023-2663  PDF object loop in Catalog::readPageLabelTree2
      - CVE-2023-2664  PDF object loop in Catalog::readEmbeddedFileTree
      - CVE-2023-3044  Divide-by-zero in Xpdf 4.04 due to very large page size
      - CVE-2023-3436  Deadlock in Xpdf 4.04 due to PDF object stream references

    Closes: https://bugs.gentoo.org/925519
    Bug: https://bugs.gentoo.org/845027
    Bug: https://bugs.gentoo.org/856475
    Bug: https://bugs.gentoo.org/881351
    Bug: https://bugs.gentoo.org/908037
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 app-text/xpdf/Manifest                         |   4 +
 app-text/xpdf/files/xpdf-4.05-font-paths.patch |  46 +++++++
 app-text/xpdf/xpdf-4.05.ebuild                 | 161 +++++++++++++++++++++++++
 3 files changed, 211 insertions(+)
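The "PDF object loop" entries fixed in this commit refer to self-referencing object graphs, for instance a /Pages node whose /Kids chain leads back to an ancestor, which make a naive tree walk recurse without end. As an added illustration, not Xpdf's or Gentoo's code, here is a minimal page-tree walker with the guards such a parser needs; the object dicts keyed by (num, gen) tuples are a constructed stand-in for a real PDF object table.

```python
# Added example, not Xpdf's code: a cycle-safe walk of a PDF /Pages tree.
# Objects are a dict keyed by (num, gen) indirect references; /Pages nodes
# carry a /Kids list of such references. All graphs below are constructed.

class PageTreeLoop(Exception):
    """Raised when /Kids references lead back to an already-visited node."""

def count_pages(objects, root_ref, max_depth=64):
    """Count /Page leaves under root_ref without following reference loops."""
    visited = set()  # indirect refs already entered on this walk

    def walk(ref, depth):
        # Depth cap: a legitimate tree is shallow; runaway depth means trouble.
        if depth > max_depth:
            raise PageTreeLoop("page tree deeper than %d at %r" % (max_depth, ref))
        # Loop check: the same indirect reference must not be entered twice.
        if ref in visited:
            raise PageTreeLoop("object %r referenced in its own subtree" % (ref,))
        visited.add(ref)
        node = objects.get(ref)
        if node is None:
            return 0  # dangling reference: skip it rather than crash
        if node.get("/Type") == "/Page":
            return 1
        return sum(walk(kid, depth + 1) for kid in node.get("/Kids", []))

    return walk(root_ref, 0)

# Well-formed two-level tree with three pages.
GOOD_TREE = {
    (1, 0): {"/Type": "/Pages", "/Kids": [(2, 0), (3, 0)]},
    (2, 0): {"/Type": "/Pages", "/Kids": [(4, 0), (5, 0)]},
    (3, 0): {"/Type": "/Page"},
    (4, 0): {"/Type": "/Page"},
    (5, 0): {"/Type": "/Page"},
}

# Node 2 lists the root among its kids, so a naive walk never terminates.
LOOPED_TREE = {
    (1, 0): {"/Type": "/Pages", "/Kids": [(2, 0)]},
    (2, 0): {"/Type": "/Pages", "/Kids": [(3, 0), (1, 0)]},
    (3, 0): {"/Type": "/Page"},
}

def is_looped(objects, root_ref=(1, 0)):
    """True if the tree under root_ref triggers the loop guard."""
    try:
        count_pages(objects, root_ref)
        return False
    except PageTreeLoop:
        return True
```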
Please note that all CVEs mentioned in this bug's alias are fixed in xpdf-4.05.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=fe5f44a92c358b6196f8c599e9199edaa35a33ad

commit fe5f44a92c358b6196f8c599e9199edaa35a33ad
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-25 06:29:34 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-25 06:29:45 +0000

    [ GLSA 202409-25 ] Xpdf: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/845027
    Bug: https://bugs.gentoo.org/908037
    Bug: https://bugs.gentoo.org/936407
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-25.xml | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)