CVE-2022-24107: Xpdf Security Fixes
Xpdf prior to 4.04 lacked an integer overflow check in JPXStream.cc.
CVE-2018-7173: fixed in 4.01 [JBIG2Stream.cc]
CVE-2018-7174: fixed in 4.01 [XRef.cc]
CVE-2018-7175: fixed in 4.01 [JPXStream.cc]
CVE-2018-7452: fixed in 4.01 [JPXStream.cc]
CVE-2018-7453: loop in PDF objects; will be fixed in 5.00
CVE-2018-7454: fixed in 4.01 [XFAForm.cc]
CVE-2018-7455: fixed in 4.01 [JPXStream.cc]
CVE-2018-8100: fixed in 4.01 [JPXStream.cc]
CVE-2018-8101: fixed in 4.01 [JPXStream.cc]
CVE-2018-8102: fixed in 4.01 [JBIG2Stream.cc]
CVE-2018-8103: fixed in 4.01 [JBIG2Stream.cc]
CVE-2018-8104: fixed in 4.01 [JPXStream.cc]
CVE-2018-8105: fixed in 4.01 [JPXStream.cc]
CVE-2018-8106: fixed in 4.01 [JPXStream.cc]
CVE-2018-8107: fixed in 4.01 [JPXStream.cc]
CVE-2018-11033: fixed in 4.00
CVE-2018-16368: fixed in 4.01 [Splash.cc]
CVE-2018-16369: loop in PDF objects; will be fixed in 5.00
CVE-2018-18454: fixed in 4.01 [Stream.cc]
CVE-2018-18455: fixed in 4.01 [GfxState.cc]
CVE-2018-18456: fixed in 4.01 [Gfx.cc]
CVE-2018-18457: fixed in 4.01 [Stream.cc]
CVE-2018-18458: fixed in 4.01 [Stream.cc]
CVE-2018-18459: fixed in 4.01 [Stream.cc]
CVE-2018-18650: reporting an out-of-memory error is the proper response
CVE-2018-18651: fixed in 4.01 [Catalog.cc]
CVE-2019-9587: loop in PDF objects; will be fixed in 5.00
CVE-2019-9588: loop in PDF objects; will be fixed in 5.00
CVE-2019-9589: fixed in 4.02 [PSOutputDev.cc]
CVE-2019-9877: fixed in 4.02 [Lexer.cc]
CVE-2019-10020 / CVE-2019-10024 / CVE-2019-10025: fixed in 4.02 [Gfx.cc]
CVE-2019-12360: fixed in 4.02 [FoFiTrueType.cc]
CVE-2019-12493: fixed in 4.02 [GfxState.cc]
CVE-2019-12515: fixed in 4.02 [Gfx.cc]
CVE-2019-12957: fixed in 4.02 [FoFiType1C.cc]
CVE-2019-12958: fixed in 4.02 [FoFiType1C.cc]
CVE-2019-13281: fixed in 4.02 [Stream.cc]
CVE-2019-13282: fixed in 4.02 [Function.cc]
CVE-2019-13283: fixed in 4.02 [FoFiType1.cc]
CVE-2019-13286: fixed in 4.02 [JBIG2Stream.cc]
CVE-2019-13287: fixed in 4.02 [Gfx.cc]
CVE-2019-13288: fixed in 4.02
CVE-2019-13289: fixed in 4.02 [JBIG2Stream.cc]
CVE-2019-13291: fixed in 4.02 [Stream.cc]
CVE-2019-14288 / CVE-2019-14289: fixed in 4.02 [JBIG2Stream.cc]
CVE-2019-14290 / CVE-2019-14291 / CVE-2019-14292 / CVE-2019-14293: fixed in 4.02 [GfxState.cc]
CVE-2019-14294: fixed in 4.02 [JPXStream.cc, JPXStream.h]
CVE-2019-15860: old bug in 2.00, no longer relevant
CVE-2019-16088: loop in PDF objects; will be fixed in 5.00
CVE-2020-25725: fixed in 4.03 [SplashOutputDev.cc]
CVE-2020-35376: fixed in 4.03 [FoFiType1C.cc]
CVE-2022-24106: fixed in 4.04 [Stream.cc]
CVE-2022-24107: fixed in 4.04 [JPXStream.cc]
CVE-2022-30524: will be fixed in 4.05 [TextOutputDev.cc]
CVE-2022-33108: loop in PDF objects; will be fixed in 5.00
CVE-2022-38171: fixed in 4.04 [JBIG2Stream.cc]
Related news
Gentoo Linux Security Advisory 202409-25 - Multiple vulnerabilities have been found in Xpdf, the worst of which could result in denial of service. Versions greater than or equal to 4.05 are affected.
Xpdf prior to version 4.04 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readSymbolDictSeg() in JBIG2Stream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2021-30860 (Apple CoreGraphics).
XPDF v4.04 was discovered to contain a stack overflow vulnerability via the Object::Copy class of object.cc files.
There is an invalid memory access in the TextLine class in TextOutputDev.cc in Xpdf 4.0.4 because the text extractor mishandles characters at large y coordinates. It can be triggered by (for example) sending a crafted pdf file to the pdftotext binary, which allows a remote attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.
In Xpdf 4.02, SplashOutputDev::endType3Char(GfxState *state) at SplashOutputDev.cc:3079 tries to use the freed `t3GlyphStack->cache`, which causes a `heap-use-after-free` problem. The code of a previous fix for nested Type 3 characters was not correctly handling the case where a Type 3 char referred to another char in the same Type 3 font.
In Xpdf 4.01.01, there is a heap-based buffer over-read in the function JBIG2Stream::readTextRegionSeg() located at JBIG2Stream.cc. It can, for example, be triggered by sending a crafted PDF document to the pdftoppm tool. It might allow an attacker to cause Information Disclosure.
In Xpdf 4.01.01, a heap-based buffer over-read could be triggered in strncpy from FoFiType1::parse in fofi/FoFiType1.cc because it does not ensure the source string has a valid length before making a fixed-length copy. It can, for example, be triggered by sending a crafted PDF document to the pdftotext tool. It allows an attacker to use a crafted pdf file to cause Denial of Service or an information leak, or possibly have unspecified other impact.