Debian Bug report logs - #406852
xpdf: CVE-2007-0104 rogue Pages setting or catalog dictionary security hole
Reported by: dwkenned@comcast.net (David Kennedy)
Date: Sun, 14 Jan 2007 16:33:03 UTC
Severity: normal
Tags: security
Fixed in version xpdf/3.02-9
Done: Osamu Aoki <osamu@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Hamish Moffatt <hamish@debian.org>: Bug#406852; Package xpdf-reader.
Acknowledgement sent to dwkenned@comcast.net (David Kennedy): New Bug report received and forwarded. Copy sent to Hamish Moffatt <hamish@debian.org>.
Message #5 received at submit@bugs.debian.org:
Subject: xpdf: CVE-2007-0104 rogue Pages setting or catalog dictionary security hole
Package: xpdf-reader
Version: 3.01-9
Severity: normal
Tags: security
Hello,
I noticed this security advisory about xpdf v3.0.1 (patch 2) and
probably greater versions.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0104
http://projects.info-pull.com/moab/MOAB-06-01-2007.html
Here is an excerpt:
"The current specification is affected by a design flaw: a rogue Pages
setting or malicious catalog dictionary will lead to unexpected
conditions. This is apparently not contemplated, and it's assumed that
the PDF will contain valid references to its page tree node and other
objects. Thus, when an invalid page tree node or object is referenced,
the application behavior is undefined. Potential conditions include, but
aren't limited to: memory corruption (dereferencing invalid pointers,
stack overflow/recursion, heap-based overflow), memory leaks and denial
of service (ex. infinite loop on page tree parsing)."
Note that this vulnerability affects other programs based on the xpdf
source.
"Note: Affects software based on its source as well (gv, kpdf, poppler,
etc)."
David
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-rc3-l4
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages xpdf depends on:
ii xpdf-common 3.01-9 Portable Document Format (PDF) sui
ii xpdf-reader 3.01-9 Portable Document Format (PDF) sui
ii xpdf-utils 3.01-9 Portable Document Format (PDF) sui
xpdf recommends no packages.
Versions of packages xpdf-reader depends on:
ii gsfonts 1:8.11+urwcyr1.0.7~pre41-1 Fonts for the Ghostscript interpre
ii lesstif2 1:0.94.4-2 OSF/Motif 2.1 implementation relea
ii libc6 2.3.6.ds1-10 GNU C Library: Shared libraries
ii libfreetype6 2.2.1-5 FreeType 2 font engine, shared lib
ii libgcc1 1:4.1.1-21 GCC support library
ii libice6 1:1.0.1-2 X11 Inter-Client Exchange library
ii libpaper1 1.1.21 Library for handling paper charact
ii libsm6 1:1.0.1-3 X11 Session Management library
ii libstdc++6 4.1.1-21 The GNU Standard C++ Library v3
ii libt1-5 5.1.0-2 Type 1 font rasterizer library - r
ii libx11-6 2:1.0.3-4 X11 client-side library
ii libxext6 1:1.0.1-2 X11 miscellaneous extension librar
ii libxp6 1:1.0.0.xsf1-1 X Printing Extension (Xprint) clie
ii libxpm4 1:3.5.5-2 X11 pixmap library
ii libxt6 1:1.0.2-2 X11 toolkit intrinsics library
ii xpdf-common 3.01-9 Portable Document Format (PDF) sui
ii zlib1g 1:1.2.3-13 compression library - runtime
-- no debconf information
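The failure modes named in the excerpt above (invalid references, unbounded recursion, an infinite loop on page tree parsing) are the ones a page-tree walker has to refuse explicitly. The following is an added example, not code from xpdf, poppler or the patch attached to this bug; the Node/Objects model, the function names and the depth limit of 64 are assumptions made for illustration.

```cpp
// Added example: simplified model of a PDF page tree, not xpdf's Catalog.cc.
#include <map>
#include <set>
#include <string>
#include <vector>

struct Node {               // hypothetical stand-in for a PDF object
    std::string type;       // "Pages" (interior node) or "Page" (leaf)
    std::vector<int> kids;  // object numbers listed in /Kids
};
using Objects = std::map<int, Node>;  // object number -> object
enum class Walk { Ok, Repeated, Dangling, TooDeep, BadType };
static const int kMaxDepth = 64;      // assumed limit for this example

// Counts leaf pages below `ref`, rejecting malformed trees instead of
// recursing without bound or following a reference to a missing object.
Walk countPages(const Objects& objs, int ref, std::set<int>& seen,
                int depth, int& pages) {
    if (depth > kMaxDepth) return Walk::TooDeep;
    auto it = objs.find(ref);
    if (it == objs.end()) return Walk::Dangling;          // invalid reference
    if (!seen.insert(ref).second) return Walk::Repeated;  // cycle or shared node
    const Node& n = it->second;
    if (n.type == "Page") { ++pages; return Walk::Ok; }
    if (n.type != "Pages") return Walk::BadType;
    for (int kid : n.kids) {
        Walk r = countPages(objs, kid, seen, depth + 1, pages);
        if (r != Walk::Ok) return r;                      // stop at first defect
    }
    return Walk::Ok;
}

// Walks from the catalog's /Pages root and reports status plus page count.
Walk checkTree(const Objects& objs, int root, int& pages) {
    std::set<int> seen;
    pages = 0;
    return countPages(objs, root, seen, 0, pages);
}

// Constructed sample documents: valid, Kids pointing back at the root, missing object 9.
Objects validDoc() {
    return {{1, {"Pages", {2, 3}}}, {2, {"Page", {}}}, {3, {"Pages", {4}}}, {4, {"Page", {}}}};
}
Objects cyclicDoc()   { return {{1, {"Pages", {2}}}, {2, {"Pages", {1}}}}; }
Objects danglingDoc() { return {{1, {"Pages", {2, 9}}}, {2, {"Page", {}}}}; }

int main() {
    int n = 0;
    bool ok = checkTree(validDoc(), 1, n) == Walk::Ok && n == 2
           && checkTree(cyclicDoc(), 1, n) == Walk::Repeated
           && checkTree(danglingDoc(), 1, n) == Walk::Dangling;
    return ok ? 0 : 1;
}
```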
Information forwarded to debian-bugs-dist@lists.debian.org, Hamish Moffatt <hamish@debian.org>: Bug#406852; Package xpdf-reader.
Acknowledgement sent to Kees Cook <kees@outflux.net>: Extra info received and forwarded to list. Copy sent to Hamish Moffatt <hamish@debian.org>.
Message #10 received at 406852@bugs.debian.org:
Tags: patch
Attached is a patch made by the koffice folks. I've applied this to
Ubuntu's xpdf.
--
Kees Cook @outflux.net
[90_CVE-2007-0104.dpatch (text/plain, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Michael Gilbert <michael.s.gilbert@gmail.com>: Bug#406852; Package xpdf-reader. (Sat, 17 Jul 2010 18:57:05 GMT)
Acknowledgement sent to Osamu Aoki <osamu@debian.org>: Extra info received and forwarded to list. Copy sent to Michael Gilbert <michael.s.gilbert@gmail.com>. (Sat, 17 Jul 2010 18:57:06 GMT)
Message #15 received at 406852@bugs.debian.org:
Hi,
I have uploaded the package and closed the required bugs. (With little trouble
...)
I think the following bug does not affect us any more since we use
poppler in this version.
http://bugs.debian.org/406852
Please confirm and close this bug with control@bugs.debian.org
fixed 406852 3.02-9
Osamu
Bug reassigned from package 'xpdf-reader' to 'xpdf'. Request was from Osamu Aoki <osamu@debian.org> to control@bugs.debian.org. (Sun, 18 Jul 2010 06:36:58 GMT)
Bug No longer marked as found in versions xpdf/3.01-9. Request was from Osamu Aoki <osamu@debian.org> to control@bugs.debian.org. (Sun, 18 Jul 2010 06:36:58 GMT)
Bug Marked as fixed in versions xpdf/3.02-9. Request was from Osamu Aoki <osamu@debian.org> to control@bugs.debian.org. (Sun, 18 Jul 2010 06:36:59 GMT)
Reply sent to Osamu Aoki <osamu@debian.org>: You have taken responsibility. (Sun, 18 Jul 2010 06:37:01 GMT)
Notification sent to dwkenned@comcast.net (David Kennedy): Bug acknowledged by developer. (Sun, 18 Jul 2010 06:37:01 GMT)
Message #26 received at 406852-done@bugs.debian.org:
reassign 406852 xpdf
fixed 406852 3.02-9
thanks
It looks like we are not building buggy code since we use poppler as
library after 3.02-9. If I am mistaken, please reopen this.
$ debian/rules prepare
mkdir -p build
cp goo/parseargs.* xpdf/CoreOutputDev.* xpdf/GlobalParams.* build
cp xpdf/PDFCore.* xpdf/XPDFApp.* xpdf/XPDFCore.* xpdf/XPDFTree.* build
cp xpdf/XPDFTreeP.h xpdf/XPDFViewer.* xpdf/xpdf.cc build
# perform extensive goo rename (as required by poppler)
sed -i s/GString/GooString/g build/*
sed -i s/GMutex/GooMutex/g build/*
sed -i s/GHash/GooHash/g build/*
sed -i s/GList/GooList/g build/*
sed -i s/\<aconf\.h\>/\<poppler-config\.h\>/g build/*
cp xpdf/config.h xpdf/about-text.h xpdf/*.xbm xpdf/xpdfIcon.xpm build
Patch is against non-used portion.
diff -urNad xpdf-3.01~/xpdf/Catalog.cc xpdf-3.01/xpdf/Catalog.cc
--- xpdf-3.01~/xpdf/Catalog.cc 2005-08-16 22:34:31.000000000 -0700
+++ xpdf-3.01/xpdf/Catalog.cc 2007-01-24 17:03:21.143417464 -0800
Osamu
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 18 Sep 2010 07:34:07 GMT)
Last modified: Wed Jun 19 15:29:23 2019