Debian Bug report logs - #342281
xpdf-reader: security issues by iDefense

Package: xpdf-reader; Maintainer for xpdf-reader is Michael Gilbert <michael.s.gilbert@gmail.com>;

Reported by: Paul Szabo <psz@maths.usyd.edu.au>

Date: Tue, 6 Dec 2005 19:48:06 UTC

Severity: grave

Tags: fixed, patch, security

Merged with 342337

Found in versions xpdf-reader/1.00-3.4, xpdf-reader/3.00-13, xpdf-reader/3.01-2

Fixed in versions 3.01-3, xpdf-reader/3.01-3

Done: Hamish Moffatt <hamish@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Hamish Moffatt <hamish@debian.org>:
Bug#342281; Package xpdf-reader.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
New Bug report received and forwarded. Copy sent to Hamish Moffatt <hamish@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Paul Szabo <psz@maths.usyd.edu.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xpdf-reader: security issues by iDefense
Date: Wed, 07 Dec 2005 06:42:55 +1100

Package: xpdf-reader
Version: 3.00-13
Severity: critical
Justification: causes serious data loss



Arbitrary code execution (with privileges as user of package) issues
reported by iDefense:

  Multiple Vendor xpdf DCTStream Baseline Heap Overflow Vulnerability
  Multiple Vendor xpdf DCTStream Progressive Heap Overflow
  Multiple Vendor xpdf StreamPredictor Heap Overflow Vulnerability
  Multiple Vendor xpdf JPX Stream Reader Heap Overflow Vulnerability

  http://www.idefense.com/application/poi/display?id=342
  http://www.idefense.com/application/poi/display?id=343
  http://www.idefense.com/application/poi/display?id=344
  http://www.idefense.com/application/poi/display?id=345

(Debian, both woody and sarge, is specifically mentioned as vulnerable.)
Reported also on public mailing lists, see
http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/
http://www.securityfocus.com/archive/1

Upstream/vendor patches are apparently available.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-spm0.5
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages xpdf-reader depends on:
ii  gsfonts            8.14+v8.11+urw-0.2    Fonts for the Ghostscript interpre
ii  lesstif2           1:0.93.94-11.4        OSF/Motif 2.1 implementation relea
ii  libc6              2.3.2.ds1-22          GNU C Library: Shared libraries an
ii  libfreetype6       2.1.7-2.4             FreeType 2 font engine, shared lib
ii  libgcc1            1:3.4.3-13            GCC support library
ii  libice6            4.3.0.dfsg.1-14sarge1 Inter-Client Exchange library
ii  libpaper1          1.1.14-3              Library for handling paper charact
ii  libsm6             4.3.0.dfsg.1-14sarge1 X Window System Session Management
ii  libstdc++5         1:3.3.5-13            The GNU Standard C++ Library v3
ii  libt1-5            5.0.2-3               Type 1 font rasterizer library - r
ii  libx11-6           4.3.0.dfsg.1-14sarge1 X Window System protocol client li
ii  libxext6           4.3.0.dfsg.1-14sarge1 X Window System miscellaneous exte
ii  libxp6             4.3.0.dfsg.1-14sarge1 X Window System printing extension
ii  libxpm4            4.3.0.dfsg.1-14sarge1 X pixmap library
ii  libxt6             4.3.0.dfsg.1-14sarge1 X Toolkit Intrinsics
ii  xlibs              4.3.0.dfsg.1-14sarge1 X Keyboard Extension (XKB) configu
ii  xpdf-common        3.00-13               Portable Document Format (PDF) sui
ii  zlib1g             1:1.2.2-4.sarge.2     compression library - runtime

-- no debconf information



Severity set to `grave'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Hamish Moffatt <hamish@debian.org>:
Bug#342281; Package xpdf-reader.

Acknowledgement sent to Daniel Leidert <daniel.leidert.spam@gmx.net>:
Extra info received and forwarded to list. Copy sent to Hamish Moffatt <hamish@debian.org>.

Message #12 received at 342281@bugs.debian.org:

From: Daniel Leidert <daniel.leidert.spam@gmx.net>
To: control@bugs.debian.org, 342281@bugs.debian.org
Subject: gpdf, kpdf and poppler could be affected too
Date: Tue, 06 Dec 2005 21:58:32 +0100

clone 342281 -1 -2 -3
reassign -1 gpdf
retitle -1 gpdf: source taken from xpdf may introduce heap-overflow vulnerabilities
reassign -2 kpdf
retitle -2 kpdf: source taken from xpdf may introduce heap-overflow vulnerabilities
reassign -3 libpoppler0c2
retitle -3 libpoppler0c2: source taken from xpdf may introduce heap-overflow vulnerabilities
stop

Following the news at heise.de
(http://www.heise.de/security/news/meldung/67056) the packages kpdf,
gpdf and the poppler library could be or are affected too. Please test
if this is true.

Regards, Daniel




Bug 342281 cloned as bugs 342286, 342287, 342288. Request was from Daniel Leidert <daniel.leidert.spam@gmx.net> to control@bugs.debian.org.

Tags added: security. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org.

Bug marked as found in version 1.00-3.4. Request was from Hamish Moffatt <hamish@debian.org> to control@bugs.debian.org.

Bug marked as found in version 3.01-2. Request was from Hamish Moffatt <hamish@debian.org> to control@bugs.debian.org.

Reply sent to Hamish Moffatt <hamish@debian.org>:
You have taken responsibility.

Notification sent to Paul Szabo <psz@maths.usyd.edu.au>:
Bug acknowledged by developer.

Message #25 received at 342281-done@bugs.debian.org:

From: Hamish Moffatt <hamish@debian.org>
To: 342281-done@bugs.debian.org
Subject: [owner@bugs.debian.org: Bug#322462: marked as done (CAN-2005-2097: DoS through PDFs with crafted loca tables)]
Date: Wed, 7 Dec 2005 11:18:48 +1100

Version: 3.01-3

Fixed for unstable/etch. However I closed the wrong bug report in the
changelog :(

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue,  6 Dec 2005 23:05:10 +0000
Source: xpdf
Binary: xpdf-utils xpdf xpdf-reader xpdf-common
Architecture: source i386 all
Version: 3.01-3
Distribution: unstable
Urgency: high
Maintainer: Hamish Moffatt <hamish@debian.org>
Changed-By: Hamish Moffatt <hamish@debian.org>
Description: 
 xpdf       - Portable Document Format (PDF) suite
 xpdf-common - Portable Document Format (PDF) suite -- common files
 xpdf-reader - Portable Document Format (PDF) suite -- viewer for X11
 xpdf-utils - Portable Document Format (PDF) suite -- utilities
Closes: 322462
Changes: 
 xpdf (3.01-3) unstable; urgency=high
 .
   * SECURITY UPDATE: fix several potential buffer overflows:
     DCTStream Baseline Heap Overflow, DCTStream Progressive Heap Overflow,
     StreamPredictor Heap Overflow, JPX Stream Reader Heap Overflow
     (closes: #322462) (21_security.dpatch)
   * References: CAN-2005-3193
Files: 
 8ef3747a62e6fadd7ca4c928b8848b59 954 text optional xpdf_3.01-3.dsc
 ca23e3dc4aaed5e61a2a810a74d6e9b4 29839 text optional xpdf_3.01-3.diff.gz
 6fe6881f9846605455a8ebb32e31d161 1276 text optional xpdf_3.01-3_all.deb
 b56534744ea8062c3cfc3d36e635fb21 60048 text optional xpdf-common_3.01-3_all.deb
 ab2d9d05aec8a44d84e7e7f47845c70f 760040 text optional xpdf-reader_3.01-3_i386.deb
 ae35ce4c0a4d73d4213f204a4169977b 1385722 text optional xpdf-utils_3.01-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

-----END PGP SIGNATURE-----

-- 
Hamish Moffatt VK3SB <hamish@debian.org> <hamish@cloud.net.au>



Merged 342281 342337. Request was from Hamish Moffatt <hamish@debian.org> to control@bugs.debian.org.

Tags added: fixed. Request was from Hamish Moffatt <hamish@debian.org> to control@bugs.debian.org.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 06:13:58 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 13:26:57 2014; Machine Name: buxtehude.debian.org
