Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Hamish Moffatt <hamish@debian.org>: Bug#342337; Package xpdf-reader.
Acknowledgement sent to Jan Niehusmann <jan@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Hamish Moffatt <hamish@debian.org>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xpdf: Security hole CAN-2005-3193
Date: Wed, 7 Dec 2005 10:30:15 +0100
Package: xpdf-reader
Version: 3.00-13
Severity: grave
Tags: security patch
Justification: user security hole
CAN-2005-3193 lists a security hole of xpdf. A fix is available at
http://www.foolabs.com/xpdf/download.html (the patch seems to be
suitable for a security update - only overflow protection added, no new
features). It applies cleanly to the debian package.
Reportbug just told me there is a new version in incoming. I guess it'll
fix the issue, but I decided to still post this report mainly for
reference.
According to http://www.frsirt.com/english/advisories/2005/2755, "Xpdf
version 3.0.1 and prior" are affected, so this may affect sarge and
woody. Most of the patch applies cleanly to the sarge version, with a
single hunk needing manual changes (the code switched from gmalloc to
gmallocn between 3.0 and 3.01). The woody version does not contain the
affected code file. I did _not_ check whether equivalent code is
contained in some other source file.
Based on these observations, I set the version header to 3.00-13.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'oldstable'), (500, 'testing'), (500, 'stable'), (101, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-rc2-ged73a36d
Locale: LANG=C, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)
Versions of packages xpdf depends on:
ii xpdf-common 3.01-2 Portable Document Format (PDF) sui
ii xpdf-reader 3.01-2 Portable Document Format (PDF) sui
ii xpdf-utils 3.01-2 Portable Document Format (PDF) sui
xpdf recommends no packages.
Versions of packages xpdf-reader depends on:
ii gsfonts 8.14+v8.11+urw-0.2 Fonts for the Ghostscript interpre
ii lesstif2 1:0.94.4-1 OSF/Motif 2.1 implementation relea
ii libc6 2.3.5-8.1 GNU C Library: Shared libraries an
ii libfreetype6 2.1.10-1 FreeType 2 font engine, shared lib
ii libgcc1 1:4.0.2-5 GCC support library
ii libice6 6.8.2.dfsg.1-11 Inter-Client Exchange library
ii libpaper1 1.1.14-3 Library for handling paper charact
ii libsm6 6.8.2.dfsg.1-11 X Window System Session Management
ii libstdc++6 4.0.2-5 The GNU Standard C++ Library v3
ii libt1-5 5.1.0-2 Type 1 font rasterizer library - r
ii libx11-6 6.8.2.dfsg.1-11 X Window System protocol client li
ii libxext6 6.8.2.dfsg.1-11 X Window System miscellaneous exte
ii libxp6 6.8.2.dfsg.1-11 X Window System printing extension
ii libxpm4 6.8.2.dfsg.1-11 X pixmap library
ii libxt6 6.8.2.dfsg.1-11 X Toolkit Intrinsics
ii xlibs 6.8.2.dfsg.1-11 X Window System client libraries m
ii xpdf-common 3.01-2 Portable Document Format (PDF) sui
ii zlib1g 1:1.2.3-8 compression library - runtime
-- no debconf information
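
The report above says one hunk needed manual changes because the code switched from gmalloc to gmallocn between 3.0 and 3.01. The following C example is added here for illustration and is not taken from the xpdf patch or the Debian package; it shows the overflow check a backport has to carry itself when only a single-argument allocator is available. The names old_alloc, checked_alloc_n and alloc_table_ok are hypothetical, and a 32-bit int is assumed.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for an older allocator that takes one byte count. */
static void *old_alloc(int size) {
    if (size <= 0) return NULL;
    return malloc((size_t)size);
}

/* Count-times-size allocation with the multiplication checked first.
 * Returns NULL instead of letting n_objs * obj_size wrap around. */
static void *checked_alloc_n(int n_objs, int obj_size) {
    if (n_objs <= 0 || obj_size <= 0) return NULL;
    if (n_objs > INT_MAX / obj_size) return NULL;   /* product would overflow */
    return old_alloc(n_objs * obj_size);
}

/* What an unchecked multiplication yields: the product modulo 2^32. */
unsigned int wrapped_size(unsigned int n, unsigned int size) {
    return n * size;
}

/* Returns 1 if a table of n_entries entries can be allocated, else 0.
 * n_entries plays the role of a count read from an untrusted file. */
int alloc_table_ok(int n_entries, int entry_size) {
    void *p = checked_alloc_n(n_entries, entry_size);
    if (p == NULL) return 0;
    free(p);
    return 1;
}

int main(void) {
    /* Constructed sample values, not taken from any real document. */
    int counts[] = { 16, 0x20000001, -1 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        printf("count=%d unchecked_bytes=%u accepted=%d\n",
               counts[i], wrapped_size((unsigned int)counts[i], 8u),
               alloc_table_ok(counts[i], 8));
    }
    return 0;
}
```

A count of 0x20000001 with 8-byte entries wraps to an 8-byte request when multiplied unchecked, which is why the check has to come before the multiplication rather than after it.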
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#342337; Package xpdf-reader.
Acknowledgement sent to Hamish Moffatt <hamish@debian.org>:
Extra info received and forwarded to list.
merge 342281 342337
thanks
On Wed, Dec 07, 2005 at 10:30:15AM +0100, Jan Niehusmann wrote:
> Package: xpdf-reader
> Version: 3.00-13
> Severity: grave
> Tags: security patch
> Justification: user security hole
>
> CAN-2005-3193 lists a security hole of xpdf. A fix is available at
> http://www.foolabs.com/xpdf/download.html (the patch seems to be
> suitable for a security update - only overflow protection added, no new
> features). It applies cleanly to the debian package.
>
> Reportbug just told me there is a new version in incoming. I guess it'll
> fix the issue, but I decided to still post this report mainly for
> reference.
Thanks, but your report is identical to #342281.
The fixed version is an update to 3.01, not 3.00.
#342281 is already fixed in unstable. sarge and woody fixes are pending
(as we need to create our own patch).
Hamish
--
Hamish Moffatt VK3SB <hamish@debian.org> <hamish@cloud.net.au>
Information forwarded to debian-bugs-dist@lists.debian.org, Hamish Moffatt <hamish@debian.org>: Bug#342337; Package xpdf-reader.
Acknowledgement sent to Jan Niehusmann <jan@gondor.com>:
Extra info received and forwarded to list. Copy sent to Hamish Moffatt <hamish@debian.org>.
On Wed, Dec 07, 2005 at 11:42:08PM +1100, Hamish Moffatt wrote:
> merge 342281 342337
Oops - I'm sorry, I missed that report.
> The fixed version is an update to 3.01, not 3.00.
I know, but the patch applies to 3.00 without much trouble.
> #342281 is already fixed in unstable. sarge and woody fixes are pending
> (as we need to create our own patch).
Ok, so you noticed that my analysis was not completely correct - while
the woody version indeed doesn't contain JPXStream.cc (and consequently,
the JPX stream reader bug doesn't exist in woody), the other security
holes (in Stream.cc) do exist in woody and need patching.
Sorry for all the noise :-(
Jan
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#342337; Package xpdf-reader.
Acknowledgement sent to Hamish Moffatt <hamish@debian.org>:
Extra info received and forwarded to list.
On Wed, Dec 07, 2005 at 02:00:55PM +0100, Jan Niehusmann wrote:
> On Wed, Dec 07, 2005 at 11:42:08PM +1100, Hamish Moffatt wrote:
> > merge 342281 342337
> Oops - I'm sorry, I missed that report.
That's ok, thanks for helping.
> > The fixed version is an update to 3.01, not 3.00.
> I know, but the patch applies to 3.00 without much trouble.
Yes I have 3.00-13.1 ready to go now and will contact the security team
about uploading it.
> > #342281 is already fixed in unstable. sarge and woody fixes are pending
> > (as we need to create our own patch).
>
> Ok, so you noticed that my analysis was not completely correct - while
> the woody version indeed doesn't contain JPXStream.cc (and consequently,
> the JPX stream reader bug doesn't exist in woody), the other security
> holes (in Stream.cc) do exist in woody and need patching.
I'll work on that next, but it won't be for a day or two due to time
constraints. It looks like a bit more work that woody. You are welcome
to work on it if you like.
Regards
Hamish
--
Hamish Moffatt VK3SB <hamish@debian.org> <hamish@cloud.net.au>
Bug marked as fixed in version 3.01-3, send any further explanations to Jan Niehusmann <jan@debian.org>
Request was from Hamish Moffatt <hamish@debian.org>
to control@bugs.debian.org.
Merged 342281 342337.
Request was from Hamish Moffatt <hamish@debian.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Hamish Moffatt <hamish@debian.org>: Bug#342337; Package xpdf-reader.
Acknowledgement sent to Jan Niehusmann <jan@gondor.com>:
Extra info received and forwarded to list. Copy sent to Hamish Moffatt <hamish@debian.org>.
On Thu, Dec 08, 2005 at 12:12:09AM +1100, Hamish Moffatt wrote:
> On Wed, Dec 07, 2005 at 02:00:55PM +0100, Jan Niehusmann wrote:
> > Ok, so you noticed that my analysis was not completely correct - while
> > the woody version indeed doesn't contain JPXStream.cc (and consequently,
> > the JPX stream reader bug doesn't exist in woody), the other security
> > holes (in Stream.cc) do exist in woody and need patching.
>
> I'll work on that next, but it won't be for a day or two due to time
> constraints. It looks like a bit more work that woody. You are welcome
> to work on it if you like.
Well I don't have time to verify that all holes are actually closed, but
the attached patch applies cleanly, and the result does compile on sarge
(not tested on woody, as I don't have an installation available).
Jan