-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-spm0.5
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages xpdf-reader depends on:
ii gsfonts 8.14+v8.11+urw-0.2 Fonts for the Ghostscript interpre
ii lesstif2 1:0.93.94-11.4 OSF/Motif 2.1 implementation relea
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libfreetype6 2.1.7-2.4 FreeType 2 font engine, shared lib
ii libgcc1 1:3.4.3-13 GCC support library
ii libice6 4.3.0.dfsg.1-14sarge1 Inter-Client Exchange library
ii libpaper1 1.1.14-3 Library for handling paper charact
ii libsm6 4.3.0.dfsg.1-14sarge1 X Window System Session Management
ii libstdc++5 1:3.3.5-13 The GNU Standard C++ Library v3
ii libt1-5 5.0.2-3 Type 1 font rasterizer library - r
ii libx11-6 4.3.0.dfsg.1-14sarge1 X Window System protocol client li
ii libxext6 4.3.0.dfsg.1-14sarge1 X Window System miscellaneous exte
ii libxp6 4.3.0.dfsg.1-14sarge1 X Window System printing extension
ii libxpm4 4.3.0.dfsg.1-14sarge1 X pixmap library
ii libxt6 4.3.0.dfsg.1-14sarge1 X Toolkit Intrinsics
ii xlibs 4.3.0.dfsg.1-14sarge1 X Keyboard Extension (XKB) configu
ii xpdf-common 3.00-13 Portable Document Format (PDF) sui
ii zlib1g 1:1.2.2-4.sarge.2 compression library - runtime
Message-Id: <email address hidden>
Date: Wed, 07 Dec 2005 06:42:55 +1100
From: Paul Szabo <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: xpdf-reader: security issues by iDefense
Package: xpdf-reader
Version: 3.00-13
Severity: critical
Justification: causes serious data loss
Arbitrary code execution (with privileges as user of package) issues
reported by iDefense:
Multiple Vendor xpdf DCTStream Baseline Heap Overflow Vulnerability
Multiple Vendor xpdf DCTStream Progressive Heap Overflow
Multiple Vendor xpdf StreamPredictor Heap Overflow Vulnerability
Multiple Vendor xpdf JPX Stream Reader Heap Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=342
http://www.idefense.com/application/poi/display?id=343
http://www.idefense.com/application/poi/display?id=344
http://www.idefense.com/application/poi/display?id=345
(Debian, both woody and sarge, is specifically mentioned as vulnerable.)
Reported also on public mailing lists, see
http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/
http://www.securityfocus.com/archive/1
Upstream/vendor patches are apparently available.
Cheers,
Paul Szabo <email address hidden> http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics, University of Sydney, Australia
-- no debconf information