On Thursday 08 November 2007 02:42, Secunia Research wrote: > ====================================================================== > 1) Affected Software > > * Xpdf 3.02 with xpdf-3.02pl1.patch. > > NOTE: Other versions may also be affected. These vulnerabilities also affect the poppler library for versions prior to 0.6.2. The code is essentially the same.
See http://poppler.freedesktop.org > ====================================================================== > 5) Solution > > Do not open untrusted PDF files. > > The vendor is reportedly working on a patch. There is a patch available for xpdf from the vendors website ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl2.patch For poppler, I suggest you upgrade to 0.6.2, which has the pl2 fixes merged: http://poppler.freedesktop.org/poppler-0.6.2.tar.gz. Poppler 0.6.2 incorporates the following changes (relative to 0.6.1): poppler core: * Fix CVE-2007-4352, CVE-2007-5392 and CVE-2007-5393 * Fix a crash on documents with wrong CCITTFaxStream * Fix a crash in the Cairo renderer with invalid embedded fonts * Fix a crash with invalid TrueType fonts * Check if font is inside the clip area before rendering it to a temporary bitmap in the Splash renderer. Fixes crashes on incorrect documents * Do not use exit(1) on DCTStream errors * Detect form fields at any depth level * Do not generate appearance stream for radio buttons that are not active * mingw fixes build system: * Require fontconfig >= 2.0 * builddir != srcdir fixes Qt4 frontend: * Improved documentation misc: * Fix FSF address If you are patching xpdf for GPL release, you might like to extract the crash fixes from poppler 0.6.2 and incorporate those as well. See: http://cgit.freedesktop.org/poppler/poppler/log/?h=poppler-0.6 Brad
pgpMp0Bx6YWCO.pgp
Description: PGP signature
_______________________________________________ poppler mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/poppler
