[Security] xpdf - CVE-2010-3702,3704

Bug #701220 reported by Brian Thomason
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
xpdf (Ubuntu)
Fix Released
Medium
Unassigned
Karmic
Fix Released
Medium
Unassigned
Lucid
Fix Released
Medium
Unassigned
Maverick
Fix Released
Medium
Unassigned
Natty
Fix Released
Medium
Unassigned

Bug Description

Binary package hint: xpdf

CVE-2010-3702:

The Gfx::getPos function in the PDF parser in xpdf before 3.02pl5, poppler
0.8.7 and possibly other versions up to 0.15.1, CUPS, kdegraphics, and
possibly other products allows context-dependent attackers to cause a
denial of service (crash) via unknown vectors that trigger an uninitialized
pointer dereference.

CVE-2010-3704:

The FoFiType1::parse function in fofi/FoFiType1.cc in the PDF parser in
xpdf before 3.02pl5, poppler 0.8.7 and possibly other versions up to
0.15.1, kdegraphics, and possibly other products allows context-dependent
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via a PDF file with a crafted Type1 font that contains a
negative array index, which bypasses input validation and which triggers
memory corruption.

Revision history for this message
Brian Thomason (brian-thomason) wrote :
Revision history for this message
Scott Kitterman (kitterman) wrote : Re: [Bug 701220] [NEW] [Security] xpdf - CVE-2010-3702,3704

Note that despite the description, our kdegraphics packages aren't directly
affected as they use the system xpdf and not an embedded copy (like upstream
did).

visibility: private → public
Changed in xpdf (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

These are fixed in 3.02-12ubuntu1 in natty.

Changed in xpdf (Ubuntu Natty):
status: Confirmed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

ACK, though the changelog was missing an LP reference.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Uploaded to security PPA.

Changed in xpdf (Ubuntu Karmic):
status: New → Fix Committed
importance: Undecided → Medium
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Brian, thanks for the debdiffs! Lucid and maverick also seem to be affected. Are you planning uploads for them as well?

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xpdf - 3.02-1.4ubuntu2.9.10.2

---------------
xpdf (3.02-1.4ubuntu2.9.10.2) karmic-security; urgency=low

  * SECURITY UPDATE: Gfx::getPos function allows context-dependent attackers to
    cause a denial of service (crash) via unknown vectors that trigger an
    uninitialized pointer dereference.
    - cve-2010-3702.dpatch: Patch provided by Debian (courtesy of Michael Gilbert)
    - CVE-2010-3702
    - LP: #701220
  * SECURITY UPDATE: FoFiType1::parse function allows context-dependent
    attackers to cause a denial of service (crash) and possibly execute
    arbitrary code via a PDF file with a crafted Type1 font that contains a
    negative array index, which bypasses input validation and which triggers
    memory corruption.
    - cve-2010-3704.dpatch: Patch provided by Debian (courtesy of Michael Gilbert)
    - CVE-2010-3704
 -- Brian Thomason <email address hidden> Mon, 10 Jan 2011 15:32:39 -0500

Changed in xpdf (Ubuntu Karmic):
status: Fix Committed → Fix Released
Revision history for this message
Brian Thomason (brian-thomason) wrote :
Revision history for this message
Brian Thomason (brian-thomason) wrote :
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

It would be nice if they didn't have the .dpatch extension now that quilt is used, but as Debian didn't update their patchset for that, I won't require here. Thanks for your work on this!

ACK to lucid and maverick patches.

Changed in xpdf (Ubuntu Lucid):
status: New → Confirmed
importance: Undecided → Medium
Changed in xpdf (Ubuntu Maverick):
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Uploaded both lucid and maverick to the security PPA.

Changed in xpdf (Ubuntu Lucid):
status: Confirmed → Fix Committed
Changed in xpdf (Ubuntu Maverick):
status: Confirmed → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xpdf - 3.02-9ubuntu1.1

---------------
xpdf (3.02-9ubuntu1.1) maverick-security; urgency=low

  * SECURITY UPDATE: Gfx::getPos function allows context-dependent attackers to
    cause a denial of service (crash) via unknown vectors that trigger an
    uninitialized pointer dereference. (LP: #701220)
    - cve-2010-3702.dpatch: Patch provided by Debian (courtesy of Michael Gilbert)
    - CVE-2010-3702
  * SECURITY UPDATE: FoFiType1::parse function allows context-dependent
    attackers to cause a denial of service (crash) and possibly execute
    arbitrary code via a PDF file with a crafted Type1 font that contains a
    negative array index, which bypasses input validation and which triggers
    memory corruption. (LP: #701220)
    - cve-2010-3704.dpatch: Patch provided by Debian (courtesy of Michael Gilbert)
    - CVE-2010-3704
 -- Brian Thomason <email address hidden> Thu, 20 Jan 2011 17:05:14 -0500

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xpdf - 3.02-2ubuntu1.1

---------------
xpdf (3.02-2ubuntu1.1) lucid-security; urgency=low

  * SECURITY UPDATE: Gfx::getPos function allows context-dependent attackers to
    cause a denial of service (crash) via unknown vectors that trigger an
    uninitialized pointer dereference. (LP: #701220)
    - cve-2010-3702.dpatch: Patch provided by Debian (courtesy of Michael Gilbert)
    - CVE-2010-3702
  * SECURITY UPDATE: FoFiType1::parse function allows context-dependent
    attackers to cause a denial of service (crash) and possibly execute
    arbitrary code via a PDF file with a crafted Type1 font that contains a
    negative array index, which bypasses input validation and which triggers
    memory corruption. (LP: #701220)
    - cve-2010-3704.dpatch: Patch provided by Debian (courtesy of Michael Gilbert)
    - CVE-2010-3704
 -- Brian Thomason <email address hidden> Thu, 20 Jan 2011 16:49:30 -0500

Changed in xpdf (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in xpdf (Ubuntu Maverick):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers