Bug 856475 (CVE-2021-36493, CVE-2022-27655, CVE-2023-31554, CVE-2023-31557) - app-text/xpdf: multiple vulnerabilities ("fixed in xpdf-5")
Summary: app-text/xpdf: multiple vulnerabilities ("fixed in xpdf-5")
Status: CONFIRMED
Alias: CVE-2021-36493, CVE-2022-27655, CVE-2023-31554, CVE-2023-31557
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-07-05 04:03 UTC by John Helmert III
Modified: 2024-07-21 06:06 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-05 04:03:33 UTC
CVE-2022-33108 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42284):
https://forum.xpdfreader.com/viewtopic.php?f=3&t=42286
https://forum.xpdfreader.com/viewtopic.php?f=3&t=42287

XPDF v4.04 was discovered to contain a stack overflow vulnerability via the Object::Copy class of object.cc files.

"That's due to an object loop in the PDF file. I'm planning to
implement a more robust loop checker in Xpdf 5."
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-16 15:31:56 UTC
CVE-2022-38334 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42314&p=43872):

XPDF v4.04 was discovered to contain a stack overflow via the function Catalog::countPageTree() at Catalog.cc.

Smells a lot like a duplicate, but very hard to tell with xpdf.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-30 15:14:15 UTC
CVE-2022-41842 (http://www.xpdfreader.com/download.html):
https://forum.xpdfreader.com/viewtopic.php?f=1&t=42340&p=43928&hilit=gfseek#p43928

An issue was discovered in Xpdf 4.04. There is a crash in gfseek(_IO_FILE*, long, int) in goo/gfile.cc.

CVE-2022-41844 (http://www.xpdfreader.com/download.html):
https://forum.xpdfreader.com/viewtopic.php?f=1&t=42340&p=43928&hilit=gfseek#p43928
https://forum.xpdfreader.com/viewtopic.php?f=3&t=42308&p=43844&hilit=XRef%3A%3Afetch#p43844

An issue was discovered in Xpdf 4.04. There is a crash in XRef::fetch(int, int, Object*, int) in xpdf/XRef.cc, a different vulnerability than CVE-2018-16369 and CVE-2019-16088.

Most of these smell like duplicates, really.

"All three of those are loops in the PDF object structure. I'm working on a more robust loop detector for Xpdf 5."
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-16 17:11:26 UTC
CVE-2022-43071 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42349&p=43959#p43959):

A stack overflow in the Catalog::readPageLabelTree2(Object*) function of XPDF v4.04 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.

CVE-2022-43295 (https://forum.xpdfreader.com/viewtopic.php?t=42360):

XPDF v4.04 was discovered to contain a stack overflow via the function FileStream::copy() at xpdf/Stream.cc:795.

As always, "I'm working on a more robust loop detector for Xpdf 5."
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-28 03:14:20 UTC
CVE-2022-27655 (https://launchpad.support.sap.com/#/notes/3143437):

When a user opens a manipulated Universal 3D (.u3d, 3difr.x3d) received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until restart of the application.

CVE-2022-45586 (https://forum.xpdfreader.com/viewtopic.php?t=42361):

Stack overflow vulnerability in function Dict::find in xpdf/Dict.cc in xpdf 4.04, allows local attackers to cause a denial of service.

CVE-2022-45587 (https://forum.xpdfreader.com/viewtopic.php?t=42361):

Stack overflow vulnerability in function gmalloc in goo/gmem.cc in xpdf 4.04, allows local attackers to cause a denial of service.

CVE-2021-36493 (https://forum.xpdfreader.com/viewtopic.php?f=3&t=42160):

Buffer Overflow vulnerability in pdfimages in xpdf 4.03 allows attackers to crash the application via crafted command.

As is tradition, "I'm working on a more robust loop detector for Xpdf 5."
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-11 04:09:31 UTC
CVE-2023-31554 (https://forum.xpdfreader.com/viewtopic.php?t=42421):

xpdf pdfimages v4.04 was discovered to contain a stack overflow in the component Catalog::readPageLabelTree2(Object*). This vulnerability allows attackers to cause a Denial of Service (DoS).

CVE-2023-31557 (https://forum.xpdfreader.com/viewtopic.php?t=42422&sid=acb8ed31bbd74223e3c4d0fb2552c748):

xpdf pdfimages v4.04 was discovered to contain a stack overflow in the component Catalog::readEmbeddedFileTree(Object*). This vulnerability allows attackers to cause a Denial of Service (DoS).

As usual, loop checker will be fixed in xpdf 5.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-08 04:27:43 UTC
CVE-2023-2663 (https://forum.xpdfreader.com/viewtopic.php?t=42421):

In Xpdf 4.04 (and earlier), a PDF object loop in the page label tree leads to infinite recursion and a stack overflow.

CVE-2023-2664 (https://forum.xpdfreader.com/viewtopic.php?t=42422):

In Xpdf 4.04 (and earlier), a PDF object loop in the embedded file tree leads to infinite recursion and a stack overflow.
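The recurring root cause above is a tree walk (page tree, page label tree, embedded file tree) that follows object references without noticing when a reference points back to an ancestor. The following is an added illustration, not xpdf's code: a guarded page-tree count over a constructed in-memory object table, where `PdfNode`, the object numbers and the `/Kids` wiring are all invented for the example. It stops on a reference cycle or on an excessive depth instead of recursing until the stack is exhausted.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>

// Minimal stand-in for a PDF object: a /Pages interior node or a /Page leaf,
// with /Kids expressed as object numbers into the table (hypothetical model).
struct PdfNode {
    std::string type;       // "Pages" or "Page"
    std::vector<int> kids;  // object numbers of children
};
using ObjectTable = std::map<int, PdfNode>;

// Outcome of a guarded walk: pages counted so far and whether the walk was cut
// short because it met an object already on the current path (a PDF object loop)
// or exceeded the recursion bound.
struct CountResult { int pages; bool loopDetected; };

static const int kMaxDepth = 256;  // hard bound on recursion regardless of loop detection

static void countPages(const ObjectTable& xref, int objNum, std::set<int>& onPath,
                       int depth, CountResult& out) {
    if (depth > kMaxDepth) { out.loopDetected = true; return; }
    auto it = xref.find(objNum);
    if (it == xref.end()) return;  // dangling reference: skip, do not crash
    // insert() fails if objNum is already an ancestor on this path: that is the loop.
    if (!onPath.insert(objNum).second) { out.loopDetected = true; return; }
    const PdfNode& node = it->second;
    if (node.type == "Page") {
        out.pages++;
    } else {
        for (int kid : node.kids) countPages(xref, kid, onPath, depth + 1, out);
    }
    onPath.erase(objNum);  // leaving this subtree; only ancestors stay on the path
}

CountResult countPageTree(const ObjectTable& xref, int rootObj) {
    CountResult r{0, false};
    std::set<int> onPath;
    countPages(xref, rootObj, onPath, 0, r);
    return r;
}

// Constructed samples. In loopedSample(), object 3's /Kids points back at the
// root (object 1), which is exactly the loop shape a naive walker never exits.
ObjectTable cleanSample() {
    return {{1, {"Pages", {2, 3}}}, {2, {"Page", {}}}, {3, {"Pages", {4}}}, {4, {"Page", {}}}};
}
ObjectTable loopedSample() {
    return {{1, {"Pages", {2, 3}}}, {2, {"Page", {}}}, {3, {"Pages", {4, 1}}}, {4, {"Page", {}}}};
}
```

A caller that sees `loopDetected` should treat the document as malformed rather than trust the partial count.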
Comment 7 Larry the Git Cow gentoo-dev 2024-07-20 21:12:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=47a254308b64f4462a3cdcc7ce49655b41b7bdb5

commit 47a254308b64f4462a3cdcc7ce49655b41b7bdb5
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2024-07-20 21:04:06 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2024-07-20 21:12:13 +0000

    app-text/xpdf: add 4.05
    
    * Add qt6 support per bug 925519, use updated font-paths patch from
    Andrii Batyiev.
    
    * Update simplified Chinese and Korean language support packages.
    
    * Fix the following CVEs:
      - CVE-2018-7453 PDF object loop in AcroForm::scanField
      - CVE-2018-16369 PDF object loop in AcroForm::scanField
      - CVE-2019-9587 PDF object loop in Catalog::countPageTree
      - CVE-2019-9588 PDF object loop in Catalog::countPageTree
      - CVE-2019-16088 PDF object loop in Catalog::countPageTree
      - CVE-2022-30524 logic bug in text extractor led to invalid memory access
      - CVE-2022-30775 integer overflow in rasterizer
      - CVE-2022-33108 PDF object loop in Catalog::countPageTree
      - CVE-2022-36561 PDF object loop in AcroForm::scanField
      - CVE-2022-38222 logic bug in JBIG2 decoder
      - CVE-2022-38334 PDF object loop in Catalog::countPageTree
      - CVE-2022-38928 missing bounds check in CFF font converter caused null
                       pointer dereference
      - CVE-2022-41842 PDF object loop in Catalog::countPageTree
      - CVE-2022-41843 missing bounds check in CFF font parser caused invalid
                       memory access
      - CVE-2022-41844 PDF object loop in AcroForm::scanField
      - CVE-2022-43071 PDF object loop in Catalog::readPageLabelTree2
      - CVE-2022-43295 PDF object loop in Catalog::countPageTree
      - CVE-2022-45586 PDF object loop in Catalog::countPageTree
      - CVE-2022-45587 PDF object loop in Catalog::countPageTree
      - CVE-2023-2662 Divide-by-zero in Xpdf 4.04 due to bad color space object
      - CVE-2023-2663 PDF object loop in Catalog::readPageLabelTree2
      - CVE-2023-2664 PDF object loop in Catalog::readEmbeddedFileTree
      - CVE-2023-3044 Divide-by-zero in Xpdf 4.04 due to very large page size
      - CVE-2023-3436 Deadlock in Xpdf 4.04 due to PDF object stream references
    
    Closes: https://bugs.gentoo.org/925519
    Bug: https://bugs.gentoo.org/845027
    Bug: https://bugs.gentoo.org/856475
    Bug: https://bugs.gentoo.org/881351
    Bug: https://bugs.gentoo.org/908037
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 app-text/xpdf/Manifest                         |   4 +
 app-text/xpdf/files/xpdf-4.05-font-paths.patch |  46 +++++++
 app-text/xpdf/xpdf-4.05.ebuild                 | 161 +++++++++++++++++++++++++
 3 files changed, 211 insertions(+)
Comment 8 Hans de Graaff gentoo-dev Security 2024-07-21 06:06:26 UTC
CVEs fixed in xpdf 4.05 have been moved over to bug 936407 so we can keep tracking the unfixed CVEs here.