xpdf: CVE-2007-0104 rogue Pages setting or catalog dictionary security hole

Related Vulnerabilities: CVE-2007-0104  

Debian Bug report logs - #406852

Package: xpdf; Maintainer for xpdf is Debian QA Group <packages@qa.debian.org>; Source for xpdf is src:xpdf (PTS, buildd, popcon).

Reported by: dwkenned@comcast.net (David Kennedy)

Date: Sun, 14 Jan 2007 16:33:03 UTC

Severity: normal

Tags: security

Fixed in version xpdf/3.02-9

Done: Osamu Aoki <osamu@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Hamish Moffatt <hamish@debian.org>:
Bug#406852; Package xpdf-reader.


Acknowledgement sent to dwkenned@comcast.net (David Kennedy):
New Bug report received and forwarded. Copy sent to Hamish Moffatt <hamish@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: dwkenned@comcast.net (David Kennedy)
To: submit@bugs.debian.org
Subject: xpdf: CVE-2007-0104 rogue Pages setting or catalog dictionary security hole
Date: Sun, 14 Jan 2007 15:58:13 +0000
Subject: xpdf: CVE-2007-0104 rogue Pages setting or catalog dictionary security hole
Package: xpdf-reader
Version: 3.01-9
Severity: normal
Tags: security


Hello,

I noticed this security advisory about xpdf v3.0.1 (patch 2) and 
probably greater versions.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0104
http://projects.info-pull.com/moab/MOAB-06-01-2007.html

Here is an excerpt:

"The current specification is affected by a design flaw: a rogue Pages 
setting or malicious catalog dictionary will lead to unexpected 
conditions. This is apparently not contemplated, and it's assumed that 
the PDF will contain valid references to its page tree node and other 
objects. Thus, when an invalid page tree node or object is referenced, 
the application behavior is undefined. Potential conditions include, but 
aren't limited to: memory corruption (dereferencing invalid pointers, 
stack overflow/recursion, heap-based overflow), memory leaks and denial 
of service (ex. infinite loop on page tree parsing)."

Note that this vulnerability affects other programs based on the xpdf 
source.

"Note: Affects software based on its source as well (gv, kpdf, poppler, 
etc)."

David

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-rc3-l4
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages xpdf depends on:
ii  xpdf-common                   3.01-9     Portable Document Format (PDF) sui
ii  xpdf-reader                   3.01-9     Portable Document Format (PDF) sui
ii  xpdf-utils                    3.01-9     Portable Document Format (PDF) sui

xpdf recommends no packages.

Versions of packages xpdf-reader depends on:
ii  gsfonts       1:8.11+urwcyr1.0.7~pre41-1 Fonts for the Ghostscript interpre
ii  lesstif2      1:0.94.4-2                 OSF/Motif 2.1 implementation relea
ii  libc6         2.3.6.ds1-10               GNU C Library: Shared libraries
ii  libfreetype6  2.2.1-5                    FreeType 2 font engine, shared lib
ii  libgcc1       1:4.1.1-21                 GCC support library
ii  libice6       1:1.0.1-2                  X11 Inter-Client Exchange library
ii  libpaper1     1.1.21                     Library for handling paper charact
ii  libsm6        1:1.0.1-3                  X11 Session Management library
ii  libstdc++6    4.1.1-21                   The GNU Standard C++ Library v3
ii  libt1-5       5.1.0-2                    Type 1 font rasterizer library - r
ii  libx11-6      2:1.0.3-4                  X11 client-side library
ii  libxext6      1:1.0.1-2                  X11 miscellaneous extension librar
ii  libxp6        1:1.0.0.xsf1-1             X Printing Extension (Xprint) clie
ii  libxpm4       1:3.5.5-2                  X11 pixmap library
ii  libxt6        1:1.0.2-2                  X11 toolkit intrinsics library
ii  xpdf-common   3.01-9                     Portable Document Format (PDF) sui
ii  zlib1g        1:1.2.3-13                 compression library - runtime

-- no debconf information
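
The conditions the quoted advisory lists (recursion, an infinite loop on page tree parsing, invalid references) arise when a parser follows /Kids entries without validating them. The following is an added example, not xpdf's code and not the attached koffice patch, of a page-tree walk that rejects cycles, dangling references, wrong object types and excessive depth; the toy object model, all names and the sample tables are assumptions constructed for illustration.

```cpp
// Added example, not xpdf or koffice code: Node, walkPages, kMaxDepth and
// the sample object tables are hypothetical names and constructed data.
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

struct Node {
    std::string type;       // "Pages", "Page", or anything else
    std::vector<int> kids;  // object numbers listed under /Kids
};
using Objects = std::map<int, Node>;
constexpr int kMaxDepth = 64;  // assumed cap on page-tree nesting
struct Walk {
    std::set<int> onPath, seen;  // current path (cycles) / all visited nodes
    int pages = 0;
    std::string error;           // stays empty for a well-formed tree
};

// Stops at the first malformed reference instead of recursing on it.
bool walkPages(const Objects &objs, int ref, int depth, Walk &w) {
    if (depth > kMaxDepth) { w.error = "page tree too deep"; return false; }
    auto it = objs.find(ref);
    if (it == objs.end()) { w.error = "dangling reference"; return false; }
    if (!w.seen.insert(ref).second) {
        w.error = w.onPath.count(ref) ? "cycle in page tree" : "node referenced twice";
        return false;
    }
    const Node &n = it->second;
    if (n.type == "Page") { ++w.pages; return true; }
    if (n.type != "Pages") { w.error = "not a page tree node"; return false; }
    w.onPath.insert(ref);
    for (int kid : n.kids)
        if (!walkPages(objs, kid, depth + 1, w)) return false;
    w.onPath.erase(ref);
    return true;
}

// "ok:<page count>" for a valid tree, otherwise the reason it was rejected.
std::string checkCatalog(const Objects &objs, int pagesRef) {
    Walk w;
    return walkPages(objs, pagesRef, 0, w) ? "ok:" + std::to_string(w.pages) : w.error;
}

// Constructed samples: a valid two-page tree, and Kids that point back at the root.
Objects goodDoc() { return {{1, {"Pages", {2, 3}}}, {2, {"Page", {}}}, {3, {"Pages", {4}}}, {4, {"Page", {}}}}; }
Objects loopDoc() { return {{1, {"Pages", {2}}}, {2, {"Pages", {1}}}}; }
int main() { std::cout << checkCatalog(goodDoc(), 1) << "\n" << checkCatalog(loopDoc(), 1) << "\n"; }
```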



Information forwarded to debian-bugs-dist@lists.debian.org, Hamish Moffatt <hamish@debian.org>:
Bug#406852; Package xpdf-reader.


Acknowledgement sent to Kees Cook <kees@outflux.net>:
Extra info received and forwarded to list. Copy sent to Hamish Moffatt <hamish@debian.org>.


Message #10 received at 406852@bugs.debian.org:

From: Kees Cook <kees@outflux.net>
To: 406852@bugs.debian.org
Subject: patch from koffice
Date: Wed, 24 Jan 2007 17:39:30 -0800
Tags: patch

Attached is a patch made by the koffice folks.  I've applied this to 
Ubuntu's xpdf.

-- 
Kees Cook                                            @outflux.net
[90_CVE-2007-0104.dpatch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug#406852; Package xpdf-reader. (Sat, 17 Jul 2010 18:57:05 GMT)


Acknowledgement sent to Osamu Aoki <osamu@debian.org>:
Extra info received and forwarded to list. Copy sent to Michael Gilbert <michael.s.gilbert@gmail.com>. (Sat, 17 Jul 2010 18:57:06 GMT)


Message #15 received at 406852@bugs.debian.org:

From: Osamu Aoki <osamu@debian.org>
To: 406852@bugs.debian.org
Cc: Rogério Brito <rbrito@ime.usp.br>
Subject: xpdf --uploaded
Date: Sun, 18 Jul 2010 03:54:01 +0900
Hi,

I have uploaded the package and closed the required bugs.  (With little trouble
...)

I think the following bug does not affect us any more since we use
poppler in this version.

          http://bugs.debian.org/406852

Please confirm and close this bug with control@bugs.debian.org

fixed 406852 3.02-9

Osamu






Bug reassigned from package 'xpdf-reader' to 'xpdf'. Request was from Osamu Aoki <osamu@debian.org> to control@bugs.debian.org. (Sun, 18 Jul 2010 06:36:58 GMT)


Bug No longer marked as found in versions xpdf/3.01-9. Request was from Osamu Aoki <osamu@debian.org> to control@bugs.debian.org. (Sun, 18 Jul 2010 06:36:58 GMT)


Bug Marked as fixed in versions xpdf/3.02-9. Request was from Osamu Aoki <osamu@debian.org> to control@bugs.debian.org. (Sun, 18 Jul 2010 06:36:59 GMT)


Reply sent to Osamu Aoki <osamu@debian.org>:
You have taken responsibility. (Sun, 18 Jul 2010 06:37:01 GMT)


Notification sent to dwkenned@comcast.net (David Kennedy):
Bug acknowledged by developer. (Sun, 18 Jul 2010 06:37:01 GMT)


Message #26 received at 406852-done@bugs.debian.org:

From: Osamu Aoki <osamu@debian.org>
To: 406852-done@bugs.debian.org
Cc: control@bugs.debian.org
Subject: The buggy code is not build ?
Date: Sun, 18 Jul 2010 15:27:33 +0900
reassign 406852 xpdf
fixed 406852 3.02-9
thanks

It looks like we are not building buggy code since we use poppler as
library after 3.02-9.  If I am mistaken, please reopen this.

$ debian/rules prepare
mkdir -p build
cp goo/parseargs.* xpdf/CoreOutputDev.* xpdf/GlobalParams.* build
cp xpdf/PDFCore.* xpdf/XPDFApp.* xpdf/XPDFCore.* xpdf/XPDFTree.* build
cp xpdf/XPDFTreeP.h xpdf/XPDFViewer.* xpdf/xpdf.cc build
# perform extensive goo rename (as required by poppler)
sed -i s/GString/GooString/g build/*
sed -i s/GMutex/GooMutex/g build/*
sed -i s/GHash/GooHash/g build/*
sed -i s/GList/GooList/g build/*
sed -i s/\<aconf\.h\>/\<poppler-config\.h\>/g build/*
cp xpdf/config.h xpdf/about-text.h xpdf/*.xbm xpdf/xpdfIcon.xpm build

Patch is against non-used portion.

diff -urNad xpdf-3.01~/xpdf/Catalog.cc xpdf-3.01/xpdf/Catalog.cc
--- xpdf-3.01~/xpdf/Catalog.cc  2005-08-16 22:34:31.000000000 -0700
+++ xpdf-3.01/xpdf/Catalog.cc   2007-01-24 17:03:21.143417464 -0800

Osamu





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 18 Sep 2010 07:34:07 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:29:23 2019; Machine Name: beach
