Your message dated Tue, 12 Apr 2005 08:55:35 +0200
with message-id <[EMAIL PROTECTED]>
and subject line I made a mistake - gpdf _is_ already fixed
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 19 Jan 2005 16:47:22 +0000
>From [EMAIL PROTECTED] Wed Jan 19 08:47:22 2005
Return-path: <[EMAIL PROTECTED]>
Received: from luonnotar.infodrom.org [195.124.48.78]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CrIzJ-0006ZR-00; Wed, 19 Jan 2005 08:47:21 -0800
Received: by luonnotar.infodrom.org (Postfix, from userid 10)
id EC497366B9E; Wed, 19 Jan 2005 17:47:24 +0100 (CET)
Received: at Infodrom Oldenburg (/\##/\ Smail-3.2.0.102 1998-Aug-2 #2)
from infodrom.org by finlandia.Infodrom.North.DE
via smail from stdin
id <[EMAIL PROTECTED]>
for [EMAIL PROTECTED]; Wed, 19 Jan 2005 17:44:36 +0100 (CET)
Date: Wed, 19 Jan 2005 17:44:36 +0100
From: Martin Schulze <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: CAN-2005-0064: Arbitrary code execution in gpdf
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="l8HeubOa6/3yq29t"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
--l8HeubOa6/3yq29t
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Package: gpdf
Severity: grave
Tags: security sarge sid
This problem also affects gpdf:
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0064
Reference: IDEFENSE:20050118 Multiple Unix/Linux Vendor Xpdf makeFileKey2 Stack
Overflow
Reference:
URL:http://www.idefense.com/application/poi/display?id=186&type=vulnerabilities
Reference: CONFIRM:ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl3.patch
Buffer overflow in the Decrypt::makeFileKey2 function in Decrypt.cc
for xpdf 3.00 and earlier allows remote attackers to execute arbitrary
code via a PDF file with a large /Encrypt /Length keyLength value.
You'll find the patch in the source of xpdf 3.00-12 which I'm attaching.
Regards,
Joey
--
Ten years and still binary compatible. -- XFree86
Please always Cc to me when replying to me on the lists.
--l8HeubOa6/3yq29t
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: attachment; filename="patch.CAN-2005-0064.xpdf_3.00"
diff -u xpdf-3.00/debian/changelog xpdf-3.00/debian/changelog
--- xpdf-3.00/debian/changelog
+++ xpdf-3.00/debian/changelog
@@ -1,3 +1,12 @@
+xpdf (3.00-12) unstable; urgency=high
+
+ * SECURITY UPDATE: Fixed buffer overflow that could overwrite the stack
+ and hence cause the execution of arbitrary code as reported by
+ iDEFENSE (xpdf/Decrypt.cc)
+ * References: CAN-2005-0064
+
+ -- Hamish Moffatt <[EMAIL PROTECTED]> Wed, 19 Jan 2005 23:48:56 +1100
+
xpdf (3.00-11) unstable; urgency=high
* SECURITY UPDATE: fix potential buffer overflow
only in patch2:
--- xpdf-3.00.orig/xpdf/Decrypt.cc
+++ xpdf-3.00/xpdf/Decrypt.cc
@@ -73,6 +73,11 @@
Guchar fx, fy;
int len, i, j;
+ // check whether we have non-zero keyLength
+ if ( !keyLength ) {
+ return gFalse;
+ }
+
// try using the supplied owner password to generate the user password
*ownerPasswordOk = gFalse;
if (ownerPassword) {
@@ -98,7 +103,7 @@
} else {
memcpy(test2, ownerKey->getCString(), 32);
for (i = 19; i >= 0; --i) {
- for (j = 0; j < keyLength; ++j) {
+ for (j = 0; j < keyLength && j < 16; ++j) {
tmpKey[j] = test[j] ^ i;
}
rc4InitKey(tmpKey, keyLength, fState);
@@ -135,6 +140,11 @@
int len, i, j;
GBool ok;
+ // check whether we have non-zero keyLength
+ if ( !keyLength ) {
+ return gFalse;
+ }
+
// generate file key
buf = (Guchar *)gmalloc(68 + fileID->getLength());
if (userPassword) {
@@ -172,7 +182,7 @@
} else if (encRevision == 3) {
memcpy(test, userKey->getCString(), 32);
for (i = 19; i >= 0; --i) {
- for (j = 0; j < keyLength; ++j) {
+ for (j = 0; j < keyLength && j < 16; ++j) {
tmpKey[j] = fileKey[j] ^ i;
}
rc4InitKey(tmpKey, keyLength, fState);
--l8HeubOa6/3yq29t--
---------------------------------------
Received: (at 291244-done) by bugs.debian.org; 12 Apr 2005 06:55:37 +0000
>From [EMAIL PROTECTED] Mon Apr 11 23:55:37 2005
Return-path: <[EMAIL PROTECTED]>
Received: from inutil.org (vserver151.vserver151.serverflex.de)
[193.22.164.111]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DLFJB-0006vp-00; Mon, 11 Apr 2005 23:55:37 -0700
Received: from jmm by vserver151.vserver151.serverflex.de with local (Exim 4.50)
id 1DLFJ9-0001Nt-Fu
for [EMAIL PROTECTED]; Tue, 12 Apr 2005 08:55:35 +0200
Date: Tue, 12 Apr 2005 08:55:35 +0200
To: [EMAIL PROTECTED]
Subject: I made a mistake - gpdf _is_ already fixed
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond
expanded to false
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no
version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Sorry for the noise; I missed the 000_checks.patch in debian/patches.
Cheers,
Moritz
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
