CVE-2022-27135 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42232): xpdf 4.03 has a heap buffer overflow in the function readXRefTable located in XRef.cc. An attacker can exploit this bug to cause a Denial of Service (Segmentation fault) or other unspecified effects by sending a crafted PDF file to the pdftoppm binary. https://forum.xpdfreader.com/viewtopic.php?f=3&t=42197 "Fixed in the next release".
I'm planning an update at the beginning of May.
CVE-2022-30524 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42261): There is an invalid memory access in the TextLine class in TextOutputDev.cc in Xpdf 4.0.4 because the text extractor mishandles characters at large y coordinates. It can be triggered by (for example) sending a crafted pdf file to the pdftotext binary, which allows a remote attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7de5ff2a819eb06c7cb3ae30728a82670f0462f6

commit 7de5ff2a819eb06c7cb3ae30728a82670f0462f6
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2022-05-15 13:49:16 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2022-05-15 13:57:09 +0000

    app-text/xpdf: Update to 4.04.

    This fixes numerous security issues.

    Bug: https://bugs.gentoo.org/840873
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 app-text/xpdf/Manifest         |   2 +
 app-text/xpdf/xpdf-4.04.ebuild | 149 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 151 insertions(+)
Please stabilize when ready
Just to avoid confusion:

This update fixes CVE-2022-27135, CVE-2022-24106, but not CVE-2022-30524. It also fixes other security issues, most likely without CVE:

Added a missing bounds check on stream DecodeParms arrays. [Thanks to minipython for the bug report.]
Fixed an integer overflow check in XRef::readXRefTable. [Thanks to yangshufan for the bug report.] <-- This is CVE-2022-27135
Added missing array length and type checks in Gfx::doForm(). [Thanks to shaohua for the bug report.]
Fixed an integer overflow security hole in the JBIG2 decoder.
Added an integer overflow check in JPXStream. (JPXStream issue) [Thanks to Shin Ando @ Ricera Security for the bug report.]
The DCT (JPEG) decoder was allowing the 'interleaved' flag to be changed after the first scan of the image. (CVE-2022-24106) [Thanks to Shin Ando @ Ricera Security for the bug report.]
(In reply to Andrew Savchenko from comment #5)
> Just to avoid confusion:
>
> This update fixes CVE-2022-27135, CVE-2022-24106, but not CVE-2022-30524. It
> also fixes other security issues, most likely without CVE:
>
> Added a missing bounds check on stream DecodeParms arrays. [Thanks to
> minipython for the bug report.]
> Fixed an integer overflow check in XRef::readXRefTable. [Thanks to
> yangshufan for the bug report.] <-- This is CVE-2022-27135
> Added missing array length and type checks in Gfx::doForm(). [Thanks
> to shaohua for the bug report.]
> Fixed an integer overflow security hole in the JBIG2 decoder.
> Added an integer overflow check in JPXStream. (JPXStream issue)
> [Thanks to Shin Ando @ Ricera Security for the bug report.]
> The DCT (JPEG) decoder was allowing the 'interleaved' flag to be
> changed after the first scan of the image. (CVE-2022-24106) [Thanks
> to Shin Ando @ Ricera Security for the bug report.]

Thanks, popping the unfixed CVE into another bug.
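The thread only names the fix class for CVE-2022-27135 ("fixed an integer overflow check in XRef::readXRefTable", a heap buffer overflow reachable from a crafted PDF). The following is an added illustration of that bug class and is not xpdf's code: a PDF xref subsection header "first n" is parsed, and the reader must reject subsections whose entries would land outside the in-memory entry table. The function names, the 32-bit unsigned arithmetic, the table size and the sample headers are all assumptions made for the example; xpdf's actual types and checks may differ.

```c
/*
 * Added illustration (not xpdf code) of an integer-overflow-in-bounds-check
 * bug when reading a PDF xref table subsection header "first n".
 * All names and values here are assumptions for the example.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample headers: a benign one and one whose first+n wraps. */
static const char *HEADER_BENIGN = "0 6\n";
static const char *HEADER_WRAP   = "4294967280 32\n";   /* 0xFFFFFFF0 + 0x20 */

/* Parse "first n" into two 32-bit values. Returns 0 on a malformed header
 * (no digits, wrong separator, negative or out of 32-bit range). */
int parse_subsection_header(const char *line, uint32_t *first, uint32_t *n) {
    char *end;
    unsigned long long f, c;

    errno = 0;
    f = strtoull(line, &end, 10);
    if (end == line || *end != ' ' || errno)
        return 0;
    c = strtoull(end + 1, &end, 10);
    if (errno || (*end != '\n' && *end != '\r' && *end != '\0'))
        return 0;
    if (f > UINT32_MAX || c > UINT32_MAX)
        return 0;
    *first = (uint32_t)f;
    *n = (uint32_t)c;
    return 1;
}

/* Vulnerable form: the sum wraps modulo 2^32, so first=0xFFFFFFF0, n=0x20
 * yields 0x10, which is <= size, and the oversized subsection is accepted. */
int subsection_fits_vuln(uint32_t first, uint32_t n, uint32_t size) {
    return first + n <= size;
}

/* Hardened form: never form the sum; compare against the remaining room. */
int subsection_fits_fixed(uint32_t first, uint32_t n, uint32_t size) {
    return first <= size && n <= size - first;
}

/* Parse a header and apply either check. Returns 1 if it would be accepted. */
int header_accepted(const char *line, uint32_t size, int hardened) {
    uint32_t first, n;
    if (!parse_subsection_header(line, &first, &n))
        return 0;
    return hardened ? subsection_fits_fixed(first, n, size)
                    : subsection_fits_vuln(first, n, size);
}

/* Simulate the entry-filling loop of an accepted subsection. Instead of
 * writing past the table, count the entries that would land outside it,
 * so the consequence of a bad check is observable without memory corruption. */
uint32_t entries_out_of_bounds(uint32_t first, uint32_t n, uint32_t size) {
    uint32_t oob = 0;
    for (uint32_t i = 0; i < n; i++) {
        uint32_t idx = first + i;       /* wraps exactly as the bug allows */
        if (idx >= size)
            oob++;
    }
    return oob;
}

int main(void) {
    const uint32_t table_size = 100;    /* assumed in-memory entry table size */
    uint32_t first, n;

    parse_subsection_header(HEADER_WRAP, &first, &n);
    printf("wrap header: vuln=%d fixed=%d oob_entries=%u\n",
           header_accepted(HEADER_WRAP, table_size, 0),
           header_accepted(HEADER_WRAP, table_size, 1),
           entries_out_of_bounds(first, n, table_size));
    printf("benign header: vuln=%d fixed=%d\n",
           header_accepted(HEADER_BENIGN, table_size, 0),
           header_accepted(HEADER_BENIGN, table_size, 1));
    return 0;
}
```

The point of the hardened form is the comparison `n <= size - first`, which cannot wrap once `first <= size` has been established; the same pattern (or a checked-add builtin) applies to any parser that derives an index or length from two attacker-controlled integers.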
CVE-2021-27548 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42115): There is a Null Pointer Dereference vulnerability in the XFAScanner::scanNode() function in XFAScanner.cc in xpdf 4.03. Seems this is also fixed in 4.04 based on this forum post?
(In reply to John Helmert III from comment #7)
> CVE-2021-27548 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42115):
>
> There is a Null Pointer Dereference vulnerability in the
> XFAScanner::scanNode() function in XFAScanner.cc in xpdf 4.03.
>
> Seems this is also fixed in 4.04 based on this forum post?

Yes, this issue is fixed in 4.04:

Added a missing null check in the XFA form scanner. [Thanks to Taolaw for the bug report.]
xpdf-4.04 is ready for stabilization
Andrew, it was announced almost a year ago that stabilization no longer happens in security bugs: https://archives.gentoo.org/gentoo-dev-announce/message/66f1227144d451eac3c1f641771be557 Also, it's better to rely on nattka to CC arch aliases so that they are only brought in when a bug is really ready for them.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9acdf0acbed78a5c950374c190da2ccdfa640c5f

commit 9acdf0acbed78a5c950374c190da2ccdfa640c5f
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2022-07-26 10:38:55 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2022-07-26 15:00:10 +0000

    app-text/xpdf: drop 4.03

    Bug: https://bugs.gentoo.org/840873
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 app-text/xpdf/Manifest         |   1 -
 app-text/xpdf/xpdf-4.03.ebuild | 146 -----------------------------------------
 2 files changed, 147 deletions(-)
CVE-2022-38171: Xpdf prior to version 4.04 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readSymbolDictSeg() in JBIG2Stream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2021-30860 (Apple CoreGraphics). CVE-2022-24107: No idea! I only found it thanks to https://www.xpdfreader.com/security-fixes.html.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3d1d6faaf9bb5e88750cd68aae6ddfdecdcb2454

commit 3d1d6faaf9bb5e88750cd68aae6ddfdecdcb2454
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-07 04:34:27 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-07 04:35:42 +0000

    [ GLSA 202405-18 ] Xpdf: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/755938
    Bug: https://bugs.gentoo.org/840873
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-18.xml | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)