Ubuntu

[XPDF] possible buffer overflow and execution of arbitrary code

Reported by disabled.user on 2007-08-02
258
Affects Status Importance Assigned to Milestone
cups-pdf (Ubuntu)
Undecided
Unassigned
gpdf (Ubuntu)
Undecided
Unassigned
kdegraphics (Ubuntu)
Undecided
Unassigned
koffice (Ubuntu)
Undecided
Unassigned
poppler (Ubuntu)
High
Kees Cook
xpdf (Ubuntu)
Undecided
Unassigned

Bug Description

Affects:
xpdf, kpdf, kword, cups, gpdf, poppler

Quoting http://www.heise-security.co.uk/news/93637 :

"The KDE developers have published a security advisory concerning a vulnerability when processing crafted PDFs. Opening one of these files with XPDF, kpdf, KOffice or any other software which has adopted the source code from XPDF can cause a buffer overflow and execution of an arbitrary program code.

The bug stems from an integer overflow in the function StreamPredictor::StreamPredictor(). The developers have prepared source-code patches for the software versions affected. The bug is found in XPDF 3.02 and possibly the previous versions, KDE 3.2.0 up to and including 3.5.7 as well as KOffice 1.2.1 and later versions.

Other applications which use the faulty code from XPDF also contain the vulnerability. Red Hat has now also released software updates for CUPS, gpdf and poppler which close the hole. The other Linux distributors are also soon to release up-dated packages, which users should install as soon as they can."

References:
- kpdf/kword/xpdf stack based buffer overflow, security advisory from KDE developers:
http://www.kde.org/info/security/advisory-20070730-1.txt
- cups security update, bug report from Red Hat:
http://rhn.redhat.com/errata/RHSA-2007-0720.html
- gpdf security update, bug report from Red Hat:
http://rhn.redhat.com/errata/RHSA-2007-0730.html
- poppler security update, bug report from Red Hat:
http://rhn.redhat.com/errata/RHSA-2007-0732.html

CVE References

Martin Pitt (pitti) wrote :

KOffice update is being published right now (USN-496-1).

Changed in koffice:
status: New → Fix Committed
Martin Pitt (pitti) wrote :

Doesn't affect cups-pdf.

Changed in cups-pdf:
status: New → Invalid
Martin Pitt (pitti) wrote :

gpdf does not even exist any more since feisty, and in dapper and edgy it's in universe,

Changed in gpdf:
status: New → Won't Fix
Martin Pitt (pitti) wrote :

Ubuntu's kdegraphics uses poppler.

Changed in kdegraphics:
status: New → Invalid
Changed in poppler:
importance: Undecided → High
status: New → Triaged
Martin Pitt (pitti) wrote :
Changed in koffice:
status: Fix Committed → Fix Released

Just out of curiosity; doesn't kpdf need to be fixed, or is it fixed via the poppler fix? I tried to file a bug report vs. kpdf, but since Launchpad didn't know kpdf as a package, I filed the report vs. kdegraphics. Also, I thought cups-pdf would've also been affected since Red Hat fixed their own CUPS package, which might not be as modularized as Debian's/Ubuntu's. Sorry for the "false" reports, but better save than sorry.

Jonathan Riddell (jr) wrote :

kpdf and cups use poppler in Ubuntu.

Thanks for the clarification. So I hope the fixed poppler packages will soon be available.

Kees Cook (kees) wrote :

Poppler update published with http://www.ubuntu.com/usn/usn-496-2

Changed in poppler:
assignee: nobody → keescook
status: Triaged → Fix Released
Changed in xpdf:
status: New → Confirmed
xtknight (xt-knight) wrote :

For Hardy, xpdf seemed to be fixed. The patch is incorporated in fix-CVE-2007-3387_CVE-2007-5049.dpatch.

William Grant (wgrant) on 2008-04-07
Changed in xpdf:
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers