[Security] xpdf - CVE-2010-3702,3704

Bug #701220 reported by Brian Thomason
Affects          Status         Importance   Assigned to   Milestone
xpdf (Ubuntu)    Fix Released   Medium       Unassigned
  Karmic         Fix Released   Medium       Unassigned
  Lucid          Fix Released   Medium       Unassigned
  Maverick       Fix Released   Medium       Unassigned
  Natty          Fix Released   Medium       Unassigned

Bug Description

Binary package hint: xpdf

CVE-2010-3702:

The Gfx::getPos function in the PDF parser in xpdf before 3.02pl5, poppler
0.8.7 and possibly other versions up to 0.15.1, CUPS, kdegraphics, and
possibly other products allows context-dependent attackers to cause a
denial of service (crash) via unknown vectors that trigger an uninitialized
pointer dereference.

CVE-2010-3704:

The FoFiType1::parse function in fofi/FoFiType1.cc in the PDF parser in
xpdf before 3.02pl5, poppler 0.8.7 and possibly other versions up to
0.15.1, kdegraphics, and possibly other products allows context-dependent
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via a PDF file with a crafted Type1 font that contains a
negative array index, which bypasses input validation and which triggers
memory corruption.
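
The class of flaw the CVE-2010-3704 text describes, a signed index that is tested only against its upper bound, shown as an added C sketch; it is not part of the original report and is not the xpdf, poppler or Debian patch code. The `Encoding` struct, the function names and the `dup <code> /<name> put` sample lines are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENC_SIZE 256
#define NAME_LEN 32

typedef struct { char names[ENC_SIZE][NAME_LEN]; } Encoding;
Encoding demo_enc;   /* hypothetical table, zero-initialised */

/* Upper-bound-only test: a negative signed index passes it. */
int weak_index_ok(long code) { return code < ENC_SIZE; }

/* Both bounds tested: the form a signed index needs. */
int strict_index_ok(long code) { return code >= 0 && code < ENC_SIZE; }

/* Parse one constructed entry "dup <code> /<name> put" and store
 * <name> at enc->names[code]. Returns 0 on success, -1 if the line
 * is malformed or the index is outside 0..ENC_SIZE-1. */
int set_entry(Encoding *enc, const char *line) {
    const char *p = line;
    char *end;
    long code;
    size_t len;

    if (strncmp(p, "dup ", 4) != 0) return -1;
    p += 4;
    errno = 0;
    code = strtol(p, &end, 10);
    if (end == p || errno == ERANGE) return -1;  /* no digits, overflow */
    if (!strict_index_ok(code)) return -1;       /* rejects -1 and 256 */
    p = end;
    while (*p == ' ') p++;
    if (*p != '/') return -1;
    p++;
    len = strcspn(p, " \t\r\n");
    if (len == 0 || len >= NAME_LEN) return -1;  /* bound the copy too */
    memcpy(enc->names[code], p, len);
    enc->names[code][len] = '\0';
    return 0;
}

int main(void) {
    printf("valid entry:    %d\n", set_entry(&demo_enc, "dup 65 /A put"));
    printf("negative index: %d\n", set_entry(&demo_enc, "dup -1 /A put"));
    printf("weak check accepts -1: %d\n", weak_index_ok(-1));
    return 0;
}
```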

Brian Thomason (brian-thomason) wrote :
Scott Kitterman (kitterman) wrote : Re: [Bug 701220] [NEW] [Security] xpdf - CVE-2010-3702,3704

Note that despite the description, our kdegraphics packages aren't directly
affected as they use the system xpdf and not an embedded copy (like upstream
did).

visibility: private → public
Changed in xpdf (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Jamie Strandboge (jdstrand) wrote :

These are fixed in 3.02-12ubuntu1 in natty.

Changed in xpdf (Ubuntu Natty):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

ACK, though the changelog was missing an LP reference.

Jamie Strandboge (jdstrand) wrote :

Uploaded to security PPA.

Changed in xpdf (Ubuntu Karmic):
status: New → Fix Committed
importance: Undecided → Medium
Jamie Strandboge (jdstrand) wrote :

Brian, thanks for the debdiffs! Lucid and maverick also seem to be affected. Are you planning uploads for them as well?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xpdf - 3.02-1.4ubuntu2.9.10.2

---------------
xpdf (3.02-1.4ubuntu2.9.10.2) karmic-security; urgency=low

  * SECURITY UPDATE: Gfx::getPos function allows context-dependent attackers to
    cause a denial of service (crash) via unknown vectors that trigger an
    uninitialized pointer dereference.
    - cve-2010-3702.dpatch: Patch provided by Debian (courtesy of Michael Gilbert)
    - CVE-2010-3702
    - LP: #701220
  * SECURITY UPDATE: FoFiType1::parse function allows context-dependent
    attackers to cause a denial of service (crash) and possibly execute
    arbitrary code via a PDF file with a crafted Type1 font that contains a
    negative array index, which bypasses input validation and which triggers
    memory corruption.
    - cve-2010-3704.dpatch: Patch provided by Debian (courtesy of Michael Gilbert)
    - CVE-2010-3704
 -- Brian Thomason <email address hidden> Mon, 10 Jan 2011 15:32:39 -0500

Changed in xpdf (Ubuntu Karmic):
status: Fix Committed → Fix Released
Brian Thomason (brian-thomason) wrote :
Brian Thomason (brian-thomason) wrote :
Jamie Strandboge (jdstrand) wrote :

It would be nice if they didn't have the .dpatch extension now that quilt is used, but as Debian didn't update their patchset for that, I won't require here. Thanks for your work on this!

ACK to lucid and maverick patches.

Changed in xpdf (Ubuntu Lucid):
status: New → Confirmed
importance: Undecided → Medium
Changed in xpdf (Ubuntu Maverick):
status: New → Confirmed
importance: Undecided → Medium
Jamie Strandboge (jdstrand) wrote :

Uploaded both lucid and maverick to the security PPA.

Changed in xpdf (Ubuntu Lucid):
status: Confirmed → Fix Committed
Changed in xpdf (Ubuntu Maverick):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xpdf - 3.02-9ubuntu1.1

---------------
xpdf (3.02-9ubuntu1.1) maverick-security; urgency=low

  * SECURITY UPDATE: Gfx::getPos function allows context-dependent attackers to
    cause a denial of service (crash) via unknown vectors that trigger an
    uninitialized pointer dereference. (LP: #701220)
    - cve-2010-3702.dpatch: Patch provided by Debian (courtesy of Michael Gilbert)
    - CVE-2010-3702
  * SECURITY UPDATE: FoFiType1::parse function allows context-dependent
    attackers to cause a denial of service (crash) and possibly execute
    arbitrary code via a PDF file with a crafted Type1 font that contains a
    negative array index, which bypasses input validation and which triggers
    memory corruption. (LP: #701220)
    - cve-2010-3704.dpatch: Patch provided by Debian (courtesy of Michael Gilbert)
    - CVE-2010-3704
 -- Brian Thomason <email address hidden> Thu, 20 Jan 2011 17:05:14 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xpdf - 3.02-2ubuntu1.1

---------------
xpdf (3.02-2ubuntu1.1) lucid-security; urgency=low

  * SECURITY UPDATE: Gfx::getPos function allows context-dependent attackers to
    cause a denial of service (crash) via unknown vectors that trigger an
    uninitialized pointer dereference. (LP: #701220)
    - cve-2010-3702.dpatch: Patch provided by Debian (courtesy of Michael Gilbert)
    - CVE-2010-3702
  * SECURITY UPDATE: FoFiType1::parse function allows context-dependent
    attackers to cause a denial of service (crash) and possibly execute
    arbitrary code via a PDF file with a crafted Type1 font that contains a
    negative array index, which bypasses input validation and which triggers
    memory corruption. (LP: #701220)
    - cve-2010-3704.dpatch: Patch provided by Debian (courtesy of Michael Gilbert)
    - CVE-2010-3704
 -- Brian Thomason <email address hidden> Thu, 20 Jan 2011 16:49:30 -0500

Changed in xpdf (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in xpdf (Ubuntu Maverick):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
