FS#21259 - [xpdf] 3.02_pl4 Security flaw

Attached to Project: Arch Linux
Opened by Nick (clu) - Thursday, 14 October 2010, 21:57 GMT
Last edited by Andrea Scarpino (BaSh) - Saturday, 23 October 2010, 12:47 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Closed
Assigned To: Andrea Scarpino (BaSh), Dan Griffiths (Ghost1227)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 2
Private: No

Details

Description: A security flaw has been found in xpdf.
The issue is detailed in https://rhn.redhat.com/errata/RHSA-2010-0750.html

Xpdf has no bug tracker, so nothing has been filed upstream. Because this is filed in Red Hat, I'm assuming the author has been contacted about the issue.

Additional info:
* version: 3.02_pl4 (latest version of xpdf from 2009)

Steps to reproduce:
N/A

Closed by: Andrea Scarpino (BaSh)
Saturday, 23 October 2010, 12:47 GMT
Reason for closing: Fixed
Additional comments about closing: xpdf 3.02_pl5-1
Comment by Nick (clu) - Thursday, 14 October 2010, 22:26 GMT
Note: This flaw actually applies to xpdf versions 3.00 and above (Not just 3.02_pl4).
Comment by Leonid Isaev (lisaev) - Friday, 15 October 2010, 18:54 GMT
According to the link you posted, it is not a bug in xpdf, but poppler. We have 0.14.4 from 10/06, which supposedly fixes this (corresponding commits are dated Sep. 21).
Comment by Nick (clu) - Friday, 15 October 2010, 21:26 GMT
From the bug attachments in there I got the impression that the vulnerability was in the source of both xpdf and poppler. See https://bugzilla.redhat.com/show_bug.cgi?id=638960

Am I missing something here?
Comment by Nick (clu) - Friday, 15 October 2010, 21:47 GMT
Yeah, I'm not missing anything. Check the patches in this source: http://ftp.redhat.com/pub/redhat/linux/updates/enterprise/4ES/en/os/SRPMS/xpdf-3.00-24.el4_8.1.src.rpm

They have definitely added patches to the xpdf source for both CVE-2010-3702 and CVE-2010-3704 (dated October 5th, 2010). There is certainly a vulnerability within the xpdf source code and because it is so widely used it's a significant vulnerability. You'll see that they have set parser = Null; in the Gfx.cc code in xpdf which is one of the same problems that poppler had.
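The "parser = NULL" fix mentioned above is an instance of a common C++ hazard: an object keeps a raw member pointer to something it deletes, and a later query (such as position reporting in an error message) dereferences the stale address. The following is an added illustration written for this ticket, not code from xpdf, poppler or the Red Hat patches; the Parser and Renderer classes, their method names and the nested-stream handling are constructed stand-ins for the pattern, and the inner behaviour of Gfx.cc is not reproduced. It contrasts the unsafe pattern (pointer left dangling after delete) with the hardened one (pointer reset, and every consumer tolerating "no parser").

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Constructed stand-in for a content-stream parser: it only tracks a byte
// position, which is what an error-reporting hook would query.
class Parser {
public:
    explicit Parser(const std::string &stream) : pos_(0), len_((int)stream.size()) {}
    int getPos() const { return pos_; }
    void advance(int n) { pos_ = (pos_ + n > len_) ? len_ : pos_ + n; }
private:
    int pos_;
    int len_;
};

// Hazardous pattern (simplified): the renderer owns a raw member pointer,
// deletes the parser when the stream ends, and never resets the pointer.
// Any later getPos() would read freed memory. The code below deliberately
// never dereferences it; it only shows that the pointer is left dangling.
class RendererUnsafe {
public:
    RendererUnsafe() : parser(NULL) {}
    void display(const std::string &stream) {
        parser = new Parser(stream);
        parser->advance(4);
        delete parser;             // freed, but 'parser' still holds the old address
    }
    bool pointerStillSet() const { return parser != NULL; }
private:
    Parser *parser;
};

// Hardened pattern: restore or reset the pointer right after delete, and make
// every consumer handle "no parser" instead of assuming one is live.
class RendererSafe {
public:
    RendererSafe() : parser(NULL) {}

    // Runs one content stream; nested calls (a form XObject drawing its own
    // stream) save and restore the enclosing parser instead of leaking a
    // dangling pointer back to the caller.
    void display(const std::string &stream) {
        Parser *outer = parser;
        parser = new Parser(stream);
        parser->advance(4);
        delete parser;
        parser = outer;            // NULL at top level, enclosing parser otherwise
    }

    // Returns -1 when no stream is being parsed, rather than dereferencing
    // whatever address the member last held.
    int getPos() const { return parser ? parser->getPos() : -1; }
    bool pointerStillSet() const { return parser != NULL; }

    // Runs an outer stream that draws a nested one, then reports the outer
    // parser's position; that is only safe because display() restored it.
    int displayWithNested(const std::string &outerStream, const std::string &innerStream) {
        parser = new Parser(outerStream);
        parser->advance(2);
        display(innerStream);      // deletes the inner parser, restores ours
        int pos = getPos();        // 2: the outer parser is still live
        delete parser;
        parser = NULL;
        return pos;
    }
private:
    Parser *parser;
};

int main() {
    RendererUnsafe u;
    u.display("abcdef");
    std::printf("unsafe: pointer still set after delete: %s\n", u.pointerStillSet() ? "yes" : "no");

    RendererSafe s;
    std::printf("safe: pos with no stream = %d\n", s.getPos());
    std::printf("safe: outer pos after nested stream = %d\n", s.displayWithNested("abcdef", "xyz"));
    std::printf("safe: pointer still set after delete: %s\n", s.pointerStillSet() ? "yes" : "no");
    return 0;
}
```

The unsafe class shows why "set parser = NULL" matters: the delete alone leaves a valid-looking address behind, and nothing in the type system stops a later dereference. The guarded getPos() is the second half of the fix; resetting the pointer only helps if consumers check it.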
Comment by Leonid Isaev (lisaev) - Saturday, 16 October 2010, 16:42 GMT
Duh... forgot that xpdf uses its own "poppler". BTW, is xpdf maintained at all, or every distro just patches it? Also, impressive from /community depends on xpdf, so it is also affected by the above CVE, right?
Comment by Ionut Biru (wonder) - Saturday, 16 October 2010, 17:24 GMT
We are missing all security patches for it :).
Comment by Nick (clu) - Sunday, 17 October 2010, 22:43 GMT
lisaev:
I think it is maintained very slowly. The last version was in 2009, which is not too long ago for a very old PDF viewer. Yes, impressive does depend on xpdf, so it could also be affected.
Comment by Nick (clu) - Friday, 22 October 2010, 00:19 GMT
It looks like the xpdf dev was notified and there is an official fix upstream. 3.02_pl5 was released for security fixes (http://www.foolabs.com/xpdf/download.html). Now we don't even need to do any weird patching! I have flagged xpdf as out of date. When xpdf is updated this bug should be closed although it should be noted that the older versions (3.00 up to 3.02_pl4) are still vulnerable.

Thanks, all.
