196735 – app-text/poppler < 0.6.1-r1 Multiple issues in XPDF code (CVE-2007-{4352|5392|5393})

Secunia Research has discovered some vulnerabilities in Xpdf, which can
be exploited by malicious people to compromise a user's system.
1) An array indexing error exists within the
"DCTStream::readProgressiveDataUnit()" method in xpdf/Stream.cc. This
can be exploited to corrupt memory via a specially crafted PDF file.
2) An integer overflow error exists within the "DCTStream::reset()"
method in xpdf/Stream.cc. This can be exploited to cause a heap-based
buffer overflow via a specially crafted PDF file.
Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
3) A boundary error exists within the "CCITTFaxStream::lookChar()"
method in xpdf/Stream.cc. This can be exploited to cause a heap-based
buffer overflow by tricking a user into opening a PDF file containing a
specially crafted "CCITTFaxDecode" filter.
Successful exploitation allows execution of arbitrary code.
The vulnerabilities are confirmed in Xpdf 3.02. Other versions may also
be affected.
Vulnerability Details:
----------------------
1) The vulnerability is caused by missing checks when indexing the
"dctZigZag" array in xpdf/Stream.cc at lines 2405, 2429, 2454, 2476 and
2484. 
2) The vulnerability is present in xpdf/Stream.cc at line 1967.
3) The vulnerability can be triggered when filling the "codingLine"
array in xpdf/Stream.cc at lines 1373, 1375, 1379, 1381, 1480 or 1489.
This is triggered when the sum of all black and white codes is smaller
than the "/Columns" parameter in "/DecodeParms" (e.g. "getWhiteCode()"
constantly returns 0 and "getBlackCode()" constantly returns 1). 
Closing comments:
-----------------
We have assigned these vulnerabilities Secunia advisory SA27260 and the
following CVE identifiers:
1) CVE-2007-4352
2) CVE-2007-5392
3) CVE-2007-5393
Upstream contacted.
Disclosure date: As soon as the vendor releases a patch, or 2007年10月31日.
 Note that this may be changed if the vendor requests it.
Credits:
Alin Rad Pop, Secunia Research.

Created attachment 134985 [details, diff]
poppler-0.6.1-xpdf-3.02pl2.patch
Patch provided by Derek B. Noonburg, recreated to apply to poppler 0.6.1.

Hi Stefan, if you want stable testing before the disclosure date please attach
updated ebuilds to this bug. Do not commit anything yet.

Adding Timo as part of printing in case he wants to test this. Still, please do not commit anything.

Created attachment 135418 [details, diff]
xpdf-3.02pl2.patch
The original xpdf patch against 3.02pl1.

Adding Alexis for tex.

This one is public now. Do we have a list of affected packages?

From our embedded-copies list:
== XPDF ==
* app-text/poppler
* app-text/tetex
* app-text/cstetex
* app-text/ptex
* app-office/kword
* app-office/koffice
* kde-base/kpdf
* kde-base/kdegraphics
False positives:
* media-libs/libextractor: Since 0.5.12 libextractor is shipping its own PDF support
 and at least in 0.5.15 it is also enabled by default.
* net-print/cups: Uses poppler
* app-text/xpdf: Uses poppler
* gnustep-libs/pdfkit: removed
* gnustep-libs/imagekits: removed
* okular (kpdf in kde 4): Uses poppler

teTex is being handled in bug 198238.

fixed in:
- texlive-core-2007-r6
- tetex-3.0_p1-r5
for ptex, better ping cjk
for cstetex, I dont know, I've mailed the person who was helping us maintaining it to know it status, if no answer I'll last rite it.

The bugs blocking this one handle this issue in the packages mentioned in comment 7.
printing, any progress on poppler?

Fixed in poppler-0.6.1-r1, applies your attached patch.

Thanks, Timo.
Arches, please test and mark stable app-text/poppler-0.6.1-r1.
Target keywords : "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"
Please do not mind the bugs blocking this one.

Don't forget app-text/poppler-bindings-0.6.1

x86 stable

Sparc stable for app-text/poppler-0.6.1-r1 and app-text/poppler-bindings-0.6.1.

ppc64 stable

Don't forget app-text/evince-2.20.1, because older versions break with the new poppler.

*** Bug 198616 has been marked as a duplicate of this bug. ***

ppc64 stable:
app-text/poppler-0.6.1-r1
app-text/poppler-bindings-0.6.1
app-text/evince-2.20.1

evince done for x86

Sparc done for evince-2.20.1

*** Bug 198706 has been marked as a duplicate of this bug. ***

amd64 done.

alpha/ia64 stable

Stable for HPPA.

Oh, I didn't do evince yet.

Evince stable for HPPA too.

ppc stable - and from what i've heard the glsa is coming soon ...

app-text/poppler-0.6.1-r1
app-text/poppler-bindings-0.6.1
app-text/evince-2.20.1
app-text/xpdf-3.02
The new one is xpdf here, because 3.01 gets broken with this new xpdf.

Arches, please test and mark stable app-text/xpdf-3.02.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc x86"
Already stabled : "x86"
Missing keywords: "alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc"

Sparc stable for app-text/xpdf-3.02.

xpdf stable for ppc

Stable for HPPA.

ppc64 stable

amd64 stable for xpdf-3.02, shouldn't 176081 be marked as duplicate of this? confusing.

(In reply to comment #35)
> amd64 stable for xpdf-3.02, shouldn't 176081 be marked as duplicate of this?
> confusing.
Sorry, I accidently did not remove arches from that bug. I'll leave it up to the assignee to close.

alpha/ia64 stable

back to [glsa]

GLSA 200711-22

Does not affect current (2008.0) release. Removing release.