Arch Linux

FS#63980 - [xpdf] <4.0.2 Multiple memory corruption issues, CVE-2019-16927

Attached to Project: Arch Linux
Opened by Pascal Ernster (hardfalcon) - Tuesday, 01 October 2019, 15:20 GMT
Last edited by Jan de Groot (JGC) - Friday, 25 October 2019, 07:35 GMT
Task Type: Bug Report
Category: Security
Status: Closed
Assigned To: No-one
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No


Arch Linux currently ships xpdf 4.01.01-2.

Upstream has released xpdf 4.0.2, fixing a large number of memory corruption issues. The latest of those issues has been assigned CVE-2019-16927, but that one seems to be just the tip of the iceberg. Sadly, the shortened release notes on upstream's internet site don't contain any information whatsoever about security-relevant changes, but at least you can find them in the CHANGES file inside the source code tarball.

MITRE hasn't yet assigned a CVSS rating, but the German government's Federal Office for Information Security considers the CVE's severity "high" and claims it allows a remote attacker to execute malicious code with the victim user's privileges:

Closed by Jan de Groot (JGC)
Friday, 25 October 2019, 07:35 GMT
Reason for closing: Fixed
Additional comments about closing: 4.0.2 is packaged