CVE-2019-9878 (https://nvd.nist.gov/vuln/detail/CVE-2019-9878): There is an invalid memory access in the function GfxIndexedColorSpace::mapColorToBase() located in GfxState.cc in Xpdf 4.0.0, as used in pdfalto 0.2. It can be triggered by (for example) sending a crafted pdf file to the pdftops binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.

CVE-2019-9877 (https://nvd.nist.gov/vuln/detail/CVE-2019-9877): There is an invalid memory access vulnerability in the function TextPage::findGaps() located at TextOutputDev.c in Xpdf 4.01, which can (for example) be triggered by sending a crafted pdf file to the pdftops binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.
Hi, judging from the changelog and the source diff these bugs are fixed in xpdf-4.02 which is now in the tree.
Can't find any source stating that CVE-2019-9878 was fixed. Only CVE-2019-9877 is listed on https://www.xpdfreader.com/security-fixes.html.
(In reply to Thomas Deutschmann from comment #2)
> Can't find any source stating that CVE-2019-9878 was fixed. Only
> CVE-2019-9877 is listed on https://www.xpdfreader.com/security-fixes.html.

There was a significant GfxState.cc rewrite between 4.00 and 4.02. It is unclear whether it fixes the bug or not, since this bug manifests itself only in a third-party project based on xpdf.
(In reply to Andrew Savchenko from comment #3)
> (In reply to Thomas Deutschmann from comment #2)
> > Can't find any source stating that CVE-2019-9878 was fixed. Only
> > CVE-2019-9877 is listed on https://www.xpdfreader.com/security-fixes.html.
>
> There was a significant GfxState.cc rewrite between 4.00 and 4.02. It is
> unclear whether it fixes the bug or not, since this bug manifests itself only in a
> third-party project based on xpdf.

I tested xpdf-4.02 and all its utils with the provided proof-of-concept file: https://github.com/SegfaultMasters/covering360/blob/master/pdfalto/NP_01_POC?raw=true

All of them complain a lot about the broken file, but work fine otherwise without crashes. I'm not sure this CVE was originally correct, since the bug occurs in a third-party project using xpdf code in an unsupported way (xpdf is not a library).
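The verification step described above (run every Xpdf utility against the PoC file and see whether any of them crash) is easy to get wrong by eye, because the tools exit non-zero with loud error messages on malformed input even when nothing is actually wrong in memory. The script below is an added example, not code from the bug thread or from the Xpdf project: it distinguishes an ordinary error exit from death by signal (SIGSEGV, SIGABRT), which is the only outcome that matches the invalid-memory-access behaviour these CVEs describe. The tool names follow the xpdf 4.02 command-line utilities; the PoC path on the command line is a placeholder, and tools that are not installed are skipped.

```shell
#!/bin/sh
# Added example (not from the bug thread or the Xpdf project): run each Xpdf
# command-line tool against a candidate PoC PDF and report which ones are
# killed by a signal instead of exiting with an ordinary error code.
# Tool names are those shipped with xpdf 4.02; the PDF path is whatever the
# caller passes in (placeholder: /path/to/NP_01_POC.pdf).

# Map a shell exit status to a verdict:
#   0        -> ok
#   1..128   -> the tool reported an error and exited normally
#   128+N    -> the tool was killed by signal N (139 = SIGSEGV, 134 = SIGABRT)
classify_status() {
    status="$1"
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -gt 128 ]; then
        echo "crash:signal $((status - 128))"
    else
        echo "error:exit $status"
    fi
}

# Run a command with core dumps disabled and its output discarded, then
# classify how it ended. The &&/|| pair captures the status even under set -e.
run_and_classify() {
    ( ulimit -c 0; exec "$@" >/dev/null 2>&1 ) && status=0 || status=$?
    classify_status "$status"
}

# Feed one PDF to every Xpdf tool found on PATH. Prints one line per tool and
# returns the number of tools that died from a signal (0 = no crashes).
check_pdf() {
    pdf="$1"
    scratch=$(mktemp -d)
    crashes=0
    for tool in pdfinfo pdffonts pdftotext pdftops pdftoppm pdfimages; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            printf '%-10s skipped (not installed)\n' "$tool"
            continue
        fi
        # Each tool takes a different output argument; write everything to a
        # scratch directory so the check leaves nothing behind.
        case "$tool" in
            pdfinfo|pdffonts)  verdict=$(run_and_classify "$tool" "$pdf") ;;
            pdftotext|pdftops) verdict=$(run_and_classify "$tool" "$pdf" "$scratch/out") ;;
            *)                 verdict=$(run_and_classify "$tool" "$pdf" "$scratch/img") ;;
        esac
        printf '%-10s %s\n' "$tool" "$verdict"
        case "$verdict" in crash:*) crashes=$((crashes + 1)) ;; esac
    done
    rm -rf "$scratch"
    return "$crashes"
}

# Usage: ./xpdf-crash-check.sh /path/to/NP_01_POC.pdf
# A non-zero exit status is the number of tools that crashed.
if [ -n "$1" ]; then
    check_pdf "$1"
fi
```

Running the script under a build with AddressSanitizer (Xpdf built with -fsanitize=address) makes the check stricter, because an out-of-bounds read that happens to land on mapped memory will then abort (SIGABRT) instead of passing silently as a noisy but "successful" run.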
> I'm not sure this CVE was originally correct since bug occurs in third party
> project using xpdf code in unsupported way (xpdf is not a library).

So are you saying it is fixed in 4.02-r2?
I'm saying that:

1) I'm not sure if this CVE is valid for the xpdf upstream in the first place.
2) Even if it is, it may be fixed already.

I asked upstream for clarification: https://forum.xpdfreader.com/viewtopic.php?f=1&t=41968
(In reply to Andrew Savchenko from comment #6)
> I'm saying that:
>
> 1) I'm not sure if this CVE is valid for the xpdf upstream in the first
> place.
> 2) Even if it is, it may be fixed already.
>
> I asked upstream for clarification:
> https://forum.xpdfreader.com/viewtopic.php?f=1&t=41968

Upstream says that CVE-2019-9878 is a duplicate of CVE-2018-18455, which was fixed in Xpdf 4.01: https://forum.xpdfreader.com/viewtopic.php?f=1&t=41968#p42895

Security team, please close this bug.
(In reply to Andrew Savchenko from comment #7)
> (In reply to Andrew Savchenko from comment #6)
> > I'm saying that:
> >
> > 1) I'm not sure if this CVE is valid for the xpdf upstream in the first
> > place.
> > 2) Even if it is, it may be fixed already.
> >
> > I asked upstream for clarification:
> > https://forum.xpdfreader.com/viewtopic.php?f=1&t=41968
>
> Upstream says that CVE-2019-9878 is a duplicate of CVE-2018-18455, which was
> fixed in Xpdf 4.01:
> https://forum.xpdfreader.com/viewtopic.php?f=1&t=41968#p42895
>
> Security team, please close this bug.

Thanks for the investigation.
CVE-2019-16115 (https://nvd.nist.gov/vuln/detail/CVE-2019-16115): In Xpdf 4.01.01, a stack-based buffer under-read could be triggered in IdentityFunction::transform in Function.cc, used by GfxAxialShading::getColor. It can, for example, be triggered by sending a crafted PDF document to the pdftoppm tool. It allows an attacker to use a crafted PDF file to cause Denial of Service or possibly unspecified other impact.

CVE-2019-16088 (https://nvd.nist.gov/vuln/detail/CVE-2019-16088): Xpdf 3.04 has a SIGSEGV in XRef::fetch in XRef.cc after many recursive calls to Catalog::countPageTree in Catalog.cc.

CVE-2019-15860 (https://nvd.nist.gov/vuln/detail/CVE-2019-15860): Xpdf 2.00 allows a SIGSEGV in XRef::constructXRef in XRef.cc. NOTE: 2.00 is a version from November 2002.

CVE-2019-14294 (https://nvd.nist.gov/vuln/detail/CVE-2019-14294): An issue was discovered in Xpdf 4.01.01. There is a use-after-free in the function JPXStream::fillReadBuf at JPXStream.cc, due to an out of bounds read.

CVE-2019-14293 (https://nvd.nist.gov/vuln/detail/CVE-2019-14293): An issue was discovered in Xpdf 4.01.01. There is an out of bounds read in the function GfxPatchMeshShading::parse at GfxState.cc for typeA!=6 case 2.

CVE-2019-14292 (https://nvd.nist.gov/vuln/detail/CVE-2019-14292): An issue was discovered in Xpdf 4.01.01. There is an out of bounds read in the function GfxPatchMeshShading::parse at GfxState.cc for typeA!=6 case 1.

CVE-2019-14291 (https://nvd.nist.gov/vuln/detail/CVE-2019-14291): An issue was discovered in Xpdf 4.01.01. There is an out of bounds read in the function GfxPatchMeshShading::parse at GfxState.cc for typeA==6 case 3.

CVE-2019-14290 (https://nvd.nist.gov/vuln/detail/CVE-2019-14290): An issue was discovered in Xpdf 4.01.01. There is an out of bounds read in the function GfxPatchMeshShading::parse at GfxState.cc for typeA==6 case 2.

CVE-2019-14289 (https://nvd.nist.gov/vuln/detail/CVE-2019-14289): An issue was discovered in Xpdf 4.01.01. There is an integer overflow in the function JBIG2Bitmap::combine at JBIG2Stream.cc for the "multiple bytes per line" case.

CVE-2019-14288 (https://nvd.nist.gov/vuln/detail/CVE-2019-14288): An issue was discovered in Xpdf 4.01.01. There is an integer overflow in the function JBIG2Bitmap::combine at JBIG2Stream.cc for the "one byte per line" case.
@maintainer: no further action needed, thank you. Let's call this fixed in 4.0.2. There are *far* too many CVEs here, some with duplicate fixes, and so on. Not all have been referenced in changelogs either. It looks like we're done as of the latest version.