FS#21259 - [xpdf] 3.02_pl4 Security flaw
Attached to Project:
Arch Linux
Opened by Nick (clu) - Thursday, 14 October 2010, 21:57 GMT
Last edited by Andrea Scarpino (BaSh) - Saturday, 23 October 2010, 12:47 GMT
Details
Description: A security flaw has been found in xpdf.
The issue is detailed in https://rhn.redhat.com/errata/RHSA-2010-0750.html
Xpdf has no bug tracker, so nothing has been filed upstream. Because this is filed in Red Hat, I'm assuming the author has been contacted about the issue.
Additional info:
* version: 3.02_pl4 (latest version of xpdf from 2009)
Steps to reproduce: N/A
Closed by Andrea Scarpino (BaSh)
Saturday, 23 October 2010, 12:47 GMT
Reason for closing: Fixed
Additional comments about closing: xpdf 3.02_pl5-1
Am I missing something here?
They have definitely added patches to the xpdf source for both CVE-2010-3702 and CVE-2010-3704 (dated October 5th, 2010). There is certainly a vulnerability within the xpdf source code, and because it is so widely used, it's a significant vulnerability. You'll see that they have set parser = Null; in the Gfx.cc code in xpdf, which is one of the same problems that poppler had.
I think it is maintained very slowly. The last version was in 2009, which is not too long ago for a very old PDF viewer. Yes, impressive does depend on xpdf, so it could also be affected.
Thanks, all.