[xpdf] multiple security vulnerabilities

Bug #160944 reported by disabled.user
Affects | Status | Importance | Assigned to | Milestone
Fedora | Fix Released | High | |
poppler (Debian) | Fix Released | Unknown | |
poppler (Ubuntu) | Fix Released | Undecided | Jamie Strandboge |
xpdf (Ubuntu) | Fix Released | Undecided | Stephan Rügamer |

Bug Description

Binary package hint: xpdf

References:
http://secunia.com/secunia_research/2007-88/advisory/

"Severity
Rating: Highly critical
Impact: System access
Where: Remote

Secunia Research has discovered some vulnerabilities in Xpdf, which can
be exploited by malicious people to compromise a user's system."

xpdf is in universe, but perhaps there are some supported packages that are affected by these issues?

In , Tomas (tomas-redhat-bugs) wrote :

Alin Rad Pop of Secunia Research discovered a vulnerability in
xpdf/Stream.cc code:

An array indexing error exists within the "DCTStream::readProgressiveDataUnit()"
method in xpdf/Stream.cc. This can be exploited to corrupt memory via a
specially crafted PDF file.

In , Tomas (tomas-redhat-bugs) wrote :

Created attachment 238491
xpdf-3.02pl2 first draft from Derek B. Noonburg addressing CVE-2007-{4352,5392,5393}

Comments from Derek:

The fixes for the first two bugs (in DCTStream) are pretty
straightforward.

The CCITTFaxStream inner loop code has been rewritten (because I was
unhappy with the design, and it was resulting in too many problems).

In , Josh (josh-redhat-bugs) wrote :
In , Fedora (fedora-redhat-bugs) wrote :

cups-1.3.4-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

In , Tomas (tomas-redhat-bugs) wrote :

KDE security advisory with official patches for kdegraphics and koffice:

http://www.kde.org/info/security/advisory-20071107-1.txt

Kees Cook (kees) wrote :

Thanks for this report! This is being worked on and will be released shortly.

Changed in poppler:
assignee: nobody → jamie-strandboge
status: New → In Progress
In , Tomas (tomas-redhat-bugs) wrote :
In , Fedora (fedora-redhat-bugs) wrote :

cups-1.2.12-7.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

Stephan Rügamer (sruegamer) wrote :

  * SECURITY UPDATE:
    - CVE-2007-4352: Array index error in the DCTStream::readProgressiveDataUnit
      method in xpdf/Stream.cc in Xpdf 3.02 with xpdf-3.02pl1.patch allows
      remote attackers to trigger memory corruption and execute arbitrary code via a crafted PDF file.
    - CVE-2007-5392: Integer overflow in the DCTStream::reset method in xpdf/Stream.cc
      in Xpdf 3.02 with xpdf-3.02pl1.patch allows remote attackers
      to execute arbitrary code via a crafted PDF file, resulting in a heap-based buffer overflow.
    - CVE-2007-5393: Heap-based buffer overflow in the CCITTFaxStream::lookChar method in xpdf/Stream.cc
      in Xpdf 3.02 with xpdf-3.02pl1.patch allows remote attackers to execute arbitrary code via a PDF
      file that contains a crafted CCITTFaxDecode filter.
  * debian/patches/fix-CVE-2007-5393_2007-5392_2007-4352.dpatch: added patch by Nico Golde <email address hidden>
    to fix those issues (LP: #160944)
  * References:
    CVE-2007-4352
    CVE-2007-5392
    CVE-2007-5393
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=450629

Changed in xpdf:
assignee: nobody → shermann
status: New → In Progress
Changed in poppler:
status: In Progress → Fix Released
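
The bug class the changelog above names for CVE-2007-5392 (an integer overflow in a size computation that leaves a heap buffer too small for the data written into it), shown as an added illustration. This is not xpdf's or poppler's code; the `frame_dims` struct, the function names and the size ceiling are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical header fields a decoder reads from an untrusted image stream. */
struct frame_dims { uint32_t width, height, components; };

/* Unchecked: the product is computed in 32 bits and wraps silently, so the
 * result can be far smaller than the data the decoder will later write. */
uint32_t frame_size_unchecked(const struct frame_dims *d)
{
    return d->width * d->height * d->components;
}

/* Checked: reject zero dimensions, any product that does not fit in size_t,
 * and anything above a caller-set ceiling. Returns 0 on success, -1 otherwise. */
int frame_size_checked(const struct frame_dims *d, size_t max_bytes, size_t *out)
{
    size_t n = d->width;
    if (d->width == 0 || d->height == 0 || d->components == 0)
        return -1;
    if (d->height > SIZE_MAX / n)
        return -1;
    n *= d->height;
    if (d->components > SIZE_MAX / n)
        return -1;
    n *= d->components;
    if (n > max_bytes)
        return -1;
    *out = n;
    return 0;
}

/* Allocate the frame buffer only when the checked size is accepted. */
unsigned char *frame_alloc(const struct frame_dims *d, size_t max_bytes, size_t *size)
{
    if (frame_size_checked(d, max_bytes, size) != 0)
        return NULL;
    return calloc(*size, 1);
}

int main(void)
{
    struct frame_dims bad = {0x10000u, 0x10001u, 1u}; /* constructed sample */
    size_t size = 0;
    unsigned char *buf = frame_alloc(&bad, (size_t)1 << 26, &size);
    printf("unchecked size: %u, checked alloc: %s\n",
           (unsigned)frame_size_unchecked(&bad), buf ? "accepted" : "rejected");
    free(buf);
    return 0;
}
```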
Kees Cook (kees) wrote :

Thanks for getting this ready. I've uploaded it to the security queue and it will be published shortly.

Changed in xpdf:
status: In Progress → Fix Committed
Stephan Rügamer (sruegamer) wrote :

xpdf (3.02-1.2ubuntu1.1) gutsy-security; urgency=low

  * SECURITY UPDATE:
    - CVE-2007-4352: Array index error in the DCTStream::readProgressiveDataUnit
      method in xpdf/Stream.cc in Xpdf 3.02 with xpdf-3.02pl1.patch allows
      remote attackers to trigger memory corruption and execute arbitrary code via a crafted PDF file.
    - CVE-2007-5392: Integer overflow in the DCTStream::reset method in xpdf/Stream.cc
      in Xpdf 3.02 with xpdf-3.02pl1.patch allows remote attackers
      to execute arbitrary code via a crafted PDF file, resulting in a heap-based buffer overflow.
    - CVE-2007-5393: Heap-based buffer overflow in the CCITTFaxStream::lookChar method in xpdf/Stream.cc
      in Xpdf 3.02 with xpdf-3.02pl1.patch allows remote attackers to execute arbitrary code via a PDF
      file that contains a crafted CCITTFaxDecode filter.
  * debian/patches/fix-CVE-2007-5393_2007-5392_2007-4352.dpatch: added patch by Nico Golde <email address hidden>
    to fix those issues (LP: #160944)
  * References:
    CVE-2007-4352
    CVE-2007-5392
    CVE-2007-5393
    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=450629

 -- Stephan Hermann <email address hidden> Mon, 12 Nov 2007 13:17:09 +0100

Changed in xpdf:
status: Fix Committed → Fix Released
In , Fedora (fedora-redhat-bugs) wrote :

poppler-0.5.4-8.fc7 has been submitted as an update for Fedora 7

In , Fedora (fedora-redhat-bugs) wrote :

poppler-0.5.4-8.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

In , Red (red-redhat-bugs) wrote :
Changed in poppler:
status: Unknown → Fix Released
Changed in fedora:
importance: Unknown → High