Your message dated Tue, 05 Apr 2005 15:48:47 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#291250: fixed in pdftohtml 0.36-11
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 19 Jan 2005 16:57:21 +0000
>From [EMAIL PROTECTED] Wed Jan 19 08:57:20 2005
Return-path: <[EMAIL PROTECTED]>
Received: from luonnotar.infodrom.org [195.124.48.78]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CrJ8y-0000da-00; Wed, 19 Jan 2005 08:57:20 -0800
Received: by luonnotar.infodrom.org (Postfix, from userid 10)
id 0917F366B99; Wed, 19 Jan 2005 17:57:24 +0100 (CET)
Received: at Infodrom Oldenburg (/\##/\ Smail-3.2.0.102 1998-Aug-2 #2)
from infodrom.org by finlandia.Infodrom.North.DE
via smail from stdin
id <[EMAIL PROTECTED]>
for [EMAIL PROTECTED]; Wed, 19 Jan 2005 17:48:24 +0100 (CET)
Date: Wed, 19 Jan 2005 17:48:24 +0100
From: Martin Schulze <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: CAN-2005-0064: Arbitrary code execution in pdftohtml
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="ZNVTcEKCPbqKmts+"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
--ZNVTcEKCPbqKmts+
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Package: pdftohtml
Severity: grave
Tags: security sarge sid
This problem also affects pdftohtml:
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0064
Reference: IDEFENSE:20050118 Multiple Unix/Linux Vendor Xpdf makeFileKey2 Stack
Overflow
Reference:
URL:http://www.idefense.com/application/poi/display?id=186&type=vulnerabilities
Reference: CONFIRM:ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl3.patch
Buffer overflow in the Decrypt::makeFileKey2 function in Decrypt.cc
for xpdf 3.00 and earlier allows remote attackers to execute arbitrary
code via a PDF file with a large /Encrypt /Length keyLength value.
You'll find the patch in the source of xpdf 3.00-12 which I'm attaching.
Regards,
Joey
--
Ten years and still binary compatible. -- XFree86
Please always Cc to me when replying to me on the lists.
--ZNVTcEKCPbqKmts+
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: attachment; filename="patch.CAN-2005-0064.xpdf_3.00"
diff -u xpdf-3.00/debian/changelog xpdf-3.00/debian/changelog
--- xpdf-3.00/debian/changelog
+++ xpdf-3.00/debian/changelog
@@ -1,3 +1,12 @@
+xpdf (3.00-12) unstable; urgency=high
+
+ * SECURITY UPDATE: Fixed buffer overflow that could overwrite the stack
+ and hence cause the execution of arbitrary code as reported by
+ iDEFENSE (xpdf/Decrypt.cc)
+ * References: CAN-2005-0064
+
+ -- Hamish Moffatt <[EMAIL PROTECTED]> Wed, 19 Jan 2005 23:48:56 +1100
+
xpdf (3.00-11) unstable; urgency=high
* SECURITY UPDATE: fix potential buffer overflow
only in patch2:
--- xpdf-3.00.orig/xpdf/Decrypt.cc
+++ xpdf-3.00/xpdf/Decrypt.cc
@@ -73,6 +73,11 @@
Guchar fx, fy;
int len, i, j;
+ // check whether we have non-zero keyLength
+ if ( !keyLength ) {
+ return gFalse;
+ }
+
// try using the supplied owner password to generate the user password
*ownerPasswordOk = gFalse;
if (ownerPassword) {
@@ -98,7 +103,7 @@
} else {
memcpy(test2, ownerKey->getCString(), 32);
for (i = 19; i >= 0; --i) {
- for (j = 0; j < keyLength; ++j) {
+ for (j = 0; j < keyLength && j < 16; ++j) {
tmpKey[j] = test[j] ^ i;
}
rc4InitKey(tmpKey, keyLength, fState);
@@ -135,6 +140,11 @@
int len, i, j;
GBool ok;
+ // check whether we have non-zero keyLength
+ if ( !keyLength ) {
+ return gFalse;
+ }
+
// generate file key
buf = (Guchar *)gmalloc(68 + fileID->getLength());
if (userPassword) {
@@ -172,7 +182,7 @@
} else if (encRevision == 3) {
memcpy(test, userKey->getCString(), 32);
for (i = 19; i >= 0; --i) {
- for (j = 0; j < keyLength; ++j) {
+ for (j = 0; j < keyLength && j < 16; ++j) {
tmpKey[j] = fileKey[j] ^ i;
}
rc4InitKey(tmpKey, keyLength, fState);
--ZNVTcEKCPbqKmts+--
---------------------------------------
Received: (at 291250-close) by bugs.debian.org; 5 Apr 2005 20:08:14 +0000
>From [EMAIL PROTECTED] Tue Apr 05 13:08:13 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DIuLN-0004XJ-00; Tue, 05 Apr 2005 13:08:13 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1DIu2Z-0002LI-00; Tue, 05 Apr 2005 15:48:47 -0400
From: Frederic Peters <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#291250: fixed in pdftohtml 0.36-11
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Tue, 05 Apr 2005 15:48:47 -0400
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Source: pdftohtml
Source-Version: 0.36-11
We believe that the bug you reported is fixed in the latest version of
pdftohtml, which is due to be installed in the Debian FTP archive:
pdftohtml_0.36-11.diff.gz
to pool/main/p/pdftohtml/pdftohtml_0.36-11.diff.gz
pdftohtml_0.36-11.dsc
to pool/main/p/pdftohtml/pdftohtml_0.36-11.dsc
pdftohtml_0.36-11_i386.deb
to pool/main/p/pdftohtml/pdftohtml_0.36-11_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Frederic Peters <[EMAIL PROTECTED]> (supplier of updated pdftohtml package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 5 Apr 2005 21:32:37 +0200
Source: pdftohtml
Binary: pdftohtml
Architecture: source i386
Version: 0.36-11
Distribution: unstable
Urgency: high
Maintainer: Frederic Peters <[EMAIL PROTECTED]>
Changed-By: Frederic Peters <[EMAIL PROTECTED]>
Description:
pdftohtml - Translates pdf documents into html format
Closes: 291250
Changes:
pdftohtml (0.36-11) unstable; urgency=high
.
* debian/patches/09_CAN-2005-0064-2.dpatch: adds missing range limitation;
other part of CAN-2005-0064. (closes: #291250)
- thanks to Moritz Muehlenhoff
* Urgency high since security related.
Files:
2288f7928c03180eb957462a8edc5dbc 589 text optional pdftohtml_0.36-11.dsc
3461dbfb6e41e58ab86fca2e88ebe51e 9461 text optional pdftohtml_0.36-11.diff.gz
6db7eb4ac43616f355cf2ad8fc935865 253142 text optional
pdftohtml_0.36-11_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCUuhNoR3LsWeD7V4RAowHAJ9mhpjMQCKSwfHtSmdH6HBxEI8CxwCfc22h
4GDnxmb9Vlkqzd0NDQuEPBU=
=UToy
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
