vulnerable to CAN-2005-0064

Bug #12059 reported by Debian Bug Importer
Affects         Status         Importance   Assigned to   Milestone
xpdf (Debian)   Fix Released   Unknown
xpdf (Ubuntu)   Fix Released   High         Unassigned

Bug Description

Automatically imported from Debian bug report #291266 http://bugs.debian.org/291266

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 19 Jan 2005 13:55:06 -0500
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: vulnerable to CAN-2005-0064

Package: xpdf-reader
Version: 3.00-11
Severity: grave
Tags: patch security

xpdf is vulnerable to a buffer overflow that can be exploited by
malicious pdfs to execute arbitrary code. The hole is described here:
http://www.idefense.com/application/poi/display?id=186&type=vulnerabilities&flashstatus=false

I've attached a patch that adds bounds checking to close the hole.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages xpdf depends on:
ii xpdf-common 3.00-11 Portable Document Format (PDF) sui
ii xpdf-reader 3.00-11 Portable Document Format (PDF) sui
ii xpdf-utils 3.00-11 Portable Document Format (PDF) sui

Versions of packages xpdf-reader depends on:
ii gsfonts 8.14+v8.11-0.1 Fonts for the Ghostscript interpre
ii lesstif2 1:0.93.94-11 OSF/Motif 2.1 implementation relea
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libfreetype6 2.1.7-2.3 FreeType 2 font engine, shared lib
ii libgcc1 1:3.4.3-7 GCC support library
ii libice6 4.3.0.dfsg.1-10 Inter-Client Exchange library
ii libpaper1 1.1.14-3 Library for handling paper charact
ii libsm6 4.3.0.dfsg.1-10 X Window System Session Management
ii libstdc++5 1:3.3.5-6 The GNU Standard C++ Library v3
ii libt1-5 5.0.2-3 Type 1 font rasterizer library - r
ii libx11-6 4.3.0.dfsg.1-10 X Window System protocol client li
ii libxext6 4.3.0.dfsg.1-10 X Window System miscellaneous exte
ii libxp6 4.3.0.dfsg.1-10 X Window System printing extension
ii libxpm4 4.3.0.dfsg.1-10 X pixmap library
ii libxt6 4.3.0.dfsg.1-10 X Toolkit Intrinsics
ii xlibs 4.3.0.dfsg.1-10 X Keyboard Extension (XKB) configu
ii xpdf-common 3.00-11 Portable Document Format (PDF) sui
ii zlib1g 1:1.2.2-4 compression library - runtime

-- no debconf information

--
see shy jo

Content-Disposition: attachment; filename="xpdf-3.00pl3.patch"

*** XRef.cc.orig Wed Jan 12 17:10:53 2005
--- XRef.cc Wed Jan 12 17:11:22 2005
***************
*** 793,798 ****
--- 793,801 ----
   } else {
     keyLength = 5;
   }
+ if (keyLength > 16) {
+ keyLength = 16;
+ }
   permFlags = permis...
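
Review bot: The added check after the else block clamps only the upper side of keyLength, so a zero or negative value set in the branch above (not visible in this hunk) would still pass through if keyLength is a signed type; consider a matching lower bound next to it, for example "if (keyLength < 1)". The literal 16 also deserves a comment or a named constant tied to the size of the key buffer it protects, so the limit and the buffer cannot drift apart. Clamping silently means a file that declares a longer key is still processed with a truncated key; returning an error for an out-of-range length may be the safer behaviour.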

Martin Schulze (joey-infodrom) wrote : Re: Bug#291266: vulnerable to CAN-2005-0064

Joey Hess wrote:
> xpdf is vulnerable to a buffer overflow that can be exploited by
> malicious pdfs to execute arbitrary code. The hole is described here:
> http://www.idefense.com/application/poi/display?id=186&type=vulnerabilities&flashstatus=false
>
> I've attached a patch that adds bounds checking to close the hole.

For the unstable distribution (sid) this problem has been fixed in
version 3.00-12.

It's in Incoming already.

Just FYI.

Regards,

 Joey

--
Ten years and still binary compatible. -- XFree86

Please always Cc to me when replying to me on the lists.

Joey Hess (joeyh) wrote :

Martin Schulze wrote:
> Joey Hess wrote:
> > xpdf is vulnerable to a buffer overflow that can be exploited by
> > malicious pdfs to execute arbitrary code. The hole is described here:
> > http://www.idefense.com/application/poi/display?id=186&type=vulnerabilities&flashstatus=false
> >
> > I've attached a patch that adds bounds checking to close the hole.
>
> For the unstable distribution (sid) this problem has been fixed in
> version 3.00-12.
>
> It's in Incoming already.
>
> Just FYI.
>
> Regards,
>
> Joey
>
> --
> Ten years and still binary compatible. -- XFree86
>
> Please always Cc to me when replying to me on the lists.

--
see shy jo

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 19 Jan 2005 21:16:27 +0100
From: Martin Schulze <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: Re: Bug#291266: vulnerable to CAN-2005-0064

Joey Hess wrote:
> xpdf is vulnerable to a buffer overflow that can be exploited by
> malicious pdfs to execute arbitrary code. The hole is described here:
> http://www.idefense.com/application/poi/display?id=186&type=vulnerabilities&flashstatus=false
>
> I've attached a patch that adds bounds checking to close the hole.

For the unstable distribution (sid) this problem has been fixed in
version 3.00-12.

It's in Incoming already.

Just FYI.

Regards,

 Joey

--
Ten years and still binary compatible. -- XFree86

Please always Cc to me when replying to me on the lists.

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 19 Jan 2005 15:55:43 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: Re: Bug#291266: vulnerable to CAN-2005-0064

Martin Schulze wrote:
> Joey Hess wrote:
> > xpdf is vulnerable to a buffer overflow that can be exploited by
> > malicious pdfs to execute arbitrary code. The hole is described here:
> > http://www.idefense.com/application/poi/display?id=186&type=vulnerabilities&flashstatus=false
> >
> > I've attached a patch that adds bounds checking to close the hole.
>
> For the unstable distribution (sid) this problem has been fixed in
> version 3.00-12.
>
> It's in Incoming already.
>
> Just FYI.
>
> Regards,
>
> Joey
>
> --
> Ten years and still binary compatible. -- XFree86
>
> Please always Cc to me when replying to me on the lists.

--
see shy jo

Martin Pitt (pitti) wrote :

Already fixed in Warty and Hoary.

Changed in xpdf:
status: Unknown → Fix Released