Package: gpdf
Version: 2.8.1-1
Severity: grave
Tags: security patch upstream fixed-upstream
The NEWS file for the new upstream release (2.8.2) says:
* Fix potential buffer overflow in xpdf colorspace handling code.
(Derek Noonburg) - CAN 2004-1125
Here's that issue:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1125 :
+-----------------------------------------------------------------------------+
|Name |CAN-2004-1125 (under review) |
|-----------+-----------------------------------------------------------------|
| |Buffer overflow in the Gfx::doImage function in Gfx.cc for xpdf |
| |3.00, and other products that share code such as tetex-bin and |
|Description|kpdf in KDE 3.2.x to 3.2.3 and 3.3.x to 3.3.2, allows remote |
| |attackers to cause a denial of service (application crash) and |
| |possibly execute arbitrary code via a crafted PDF file that |
| |causes the boundaries of a maskColors array to be exceeded. |
|-----------+-----------------------------------------------------------------|
| | * IDEFENSE:20041221 Multiple Vendor xpdf PDF Viewer Buffer |
| | Overflow Vulnerability |
| | * URL:http://http://www.idefense.com/application/poi/display?id|
| | =172&type=vulnerabilities |
| | * CONFIRM:ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl2.patch |
| | * CONFIRM:http://www.kde.org/info/security/ |
| | advisory-20041223-1.txt |
| | * BUGTRAQ:20041228 KDE Security Advisory: kpdf Buffer Overflow |
|References | Vulnerability |
| | * URL:http://marc.theaimsgroup.com/?t=110378596500001&r=1&w=2 |
| | * FULLDISC:20041223 [USN-48-1] xpdf, tetex-bin vulnerabilities |
| | * URL:http://lists.netsys.com/pipermail/full-disclosure/ |
| | 2004-December/030241.html |
| | * BUGTRAQ:20041223 [USN-50-1] CUPS vulnerabilities |
| | * URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110384680309105|
| | &w=2 |
| | * XF:xpdf-gfx-doimage-bo(18641) |
| | * URL:http://xforce.iss.net/xforce/xfdb/18641 |
|-----------+-----------------------------------------------------------------|
|Phase |Assigned (20041202) |
|-----------+-----------------------------------------------------------------|
|Votes | |
|-----------+-----------------------------------------------------------------|
|Comments | |
+-----------------------------------------------------------------------------+
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (800, 'unstable'), (750, 'experimental'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.29-rc2
Locale: LANG=C, LC_CTYPE=en_US.ISO8859-1 (charmap=ISO-8859-1)
Versions of packages gpdf depends on:
ii libart-2.0-2 2.3.16-6 Library of functions for 2D graphi
ii libatk1.0-0 1.8.0-4 The ATK accessibility toolkit
ii libbonobo2-0 2.8.0-4 Bonobo CORBA interfaces library
ii libbonoboui2-0 2.8.0-2 The Bonobo UI library
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libfreetype6 2.1.7-2.3 FreeType 2 font engine, shared lib
ii libgcc1 1:3.4.3-7 GCC support library
ii libgconf2-4 2.8.1-4 GNOME configuration database syste
ii libglade2-0 1:2.4.1-1 Library to load .glade files at ru
ii libglib2.0-0 2.4.8-1 The GLib library of C routines
ii libgnome2-0 2.8.0-6 The GNOME 2 library - runtime file
ii libgnomecanvas2-0 2.8.0-1 A powerful object-oriented display
ii libgnomeprint2.2-0 2.8.2-1 The GNOME 2.2 print architecture -
ii libgnomeprintui2.2-0 2.8.2-1 The GNOME 2.2 print architecture U
ii libgnomeui-0 2.8.0-3 The GNOME 2 libraries (User Interf
ii libgnomevfs2-0 2.8.3-8 The GNOME virtual file-system libr
ii libgtk2.0-0 2.4.14-2 The GTK+ graphical user interface
ii libice6 4.3.0.dfsg.1-10 Inter-Client Exchange library
ii liborbit2 1:2.10.2-1.1 libraries for ORBit2 - a CORBA ORB
ii libpango1.0-0 1.6.0-3 Layout and rendering of internatio
ii libpaper1 1.1.14-3 Library for handling paper charact
ii libpopt0 1.7-5 lib for parsing cmdline parameters
ii libsm6 4.3.0.dfsg.1-10 X Window System Session Management
ii libstdc++5 1:3.3.5-6 The GNU Standard C++ Library v3
ii libxml2 2.6.11-5 GNOME XML library
ii xlibs 4.3.0.dfsg.1-10 X Keyboard Extension (XKB) configu
ii zlib1g 1:1.2.2-4 compression library - runtime
-- no debconf information
--
Obsig: developing a new sig
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
