Security
Headlines
HeadlinesLatestCVEs

Headline

Gentoo Linux Security Advisory 202409-25

Gentoo Linux Security Advisory 202409-25 - Multiple vulnerabilities have been found in Xpdf, the worst of which could result in denial of service. Versions greater than or equal to 4.05 are affected.

Packet Storm
#vulnerability#web#mac#linux#dos#pdf

Gentoo Linux Security Advisory GLSA 202409-25


                                       https://security.gentoo.org/  

Severity: Normal
Title: Xpdf: Multiple Vulnerabilities
Date: September 25, 2024
Bugs: #845027, #908037, #936407
ID: 202409-25


Synopsis

Multiple vulnerabilities have been found in Xpdf, the worst of which
could result in denial of service.

Background

Xpdf is an X viewer for PDF files.

Affected packages

Package Vulnerable Unaffected


app-text/xpdf < 4.05 >= 4.05

Description

Multiple vulnerabilities have been discovered in Xpdf. Please review the
CVE identifiers referenced below for details.

Impact

Please review the referenced CVE identifiers for details.

Workaround

There is no known workaround at this time.

Resolution

All Xpdf users should upgrade to the latest version:

emerge --sync

emerge --ask --oneshot --verbose “>=app-text/xpdf-4.05”

References

[ 1 ] CVE-2018-7453
https://nvd.nist.gov/vuln/detail/CVE-2018-7453
[ 2 ] CVE-2018-16369
https://nvd.nist.gov/vuln/detail/CVE-2018-16369
[ 3 ] CVE-2022-30524
https://nvd.nist.gov/vuln/detail/CVE-2022-30524
[ 4 ] CVE-2022-30775
https://nvd.nist.gov/vuln/detail/CVE-2022-30775
[ 5 ] CVE-2022-33108
https://nvd.nist.gov/vuln/detail/CVE-2022-33108
[ 6 ] CVE-2022-36561
https://nvd.nist.gov/vuln/detail/CVE-2022-36561
[ 7 ] CVE-2022-38222
https://nvd.nist.gov/vuln/detail/CVE-2022-38222
[ 8 ] CVE-2022-38334
https://nvd.nist.gov/vuln/detail/CVE-2022-38334
[ 9 ] CVE-2022-38928
https://nvd.nist.gov/vuln/detail/CVE-2022-38928
[ 10 ] CVE-2022-41842
https://nvd.nist.gov/vuln/detail/CVE-2022-41842
[ 11 ] CVE-2022-41843
https://nvd.nist.gov/vuln/detail/CVE-2022-41843
[ 12 ] CVE-2022-41844
https://nvd.nist.gov/vuln/detail/CVE-2022-41844
[ 13 ] CVE-2022-43071
https://nvd.nist.gov/vuln/detail/CVE-2022-43071
[ 14 ] CVE-2022-43295
https://nvd.nist.gov/vuln/detail/CVE-2022-43295
[ 15 ] CVE-2022-45586
https://nvd.nist.gov/vuln/detail/CVE-2022-45586
[ 16 ] CVE-2022-45587
https://nvd.nist.gov/vuln/detail/CVE-2022-45587
[ 17 ] CVE-2023-2662
https://nvd.nist.gov/vuln/detail/CVE-2023-2662
[ 18 ] CVE-2023-2663
https://nvd.nist.gov/vuln/detail/CVE-2023-2663
[ 19 ] CVE-2023-2664
https://nvd.nist.gov/vuln/detail/CVE-2023-2664
[ 20 ] CVE-2023-3044
https://nvd.nist.gov/vuln/detail/CVE-2023-3044
[ 21 ] CVE-2023-3436
https://nvd.nist.gov/vuln/detail/CVE-2023-3436

Availability

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-25

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
https://bugs.gentoo.org.

License

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Related news

CVE-2023-3436: xpdf-4.04/xpdf/XRef.cc: XRef::getObjectStreamObject - forum.xpdfreader.com

Xpdf 4.04 will deadlock on a PDF object stream whose "Length" field is itself in another object stream.

CVE-2023-3044: Xpdf Security Bug: CVE-2023-3044

An excessively large PDF page size (found in fuzz testing, unlikely in normal PDF files) can result in a divide-by-zero in Xpdf's text extraction code. This is related to CVE-2022-30524, but the problem here is caused by a very large page size, rather than by a very large character coordinate.

CVE-2023-2664: A stack-overflow in xpdf4.04 - forum.xpdfreader.com

 In Xpdf 4.04 (and earlier), a PDF object loop in the embedded file tree leads to infinite recursion and a stack overflow.

CVE-2023-2662: A FPE in pdfimages xpdf4.04

In Xpdf 4.04 (and earlier), a bad color space object in the input PDF file can cause a divide-by-zero.

CVE-2022-45587: Bug Report:two stack-overflow bugs in pdftotext,Xpdf 4.04

Stack overflow vulnerability in function gmalloc in goo/gmem.cc in xpdf 4.04, allows local attackers to cause a denial of service.

CVE-2022-43071: Bug Report: pdftotext in Xpdf 4.04

A stack overflow in the Catalog::readPageLabelTree2(Object*) function of XPDF v4.04 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.

CVE-2022-43295: A stack-overflow bug in pdftotext

XPDF v4.04 was discovered to contain a stack overflow via the function FileStream::copy() at xpdf/Stream.cc:795.

CVE-2022-41844: segmemtation fault at xpdf-4.04/xpdf/AcroForm.cc:538 - forum.xpdfreader.com

An issue was discovered in Xpdf 4.04. There is a crash in XRef::fetch(int, int, Object*, int) in xpdf/XRef.cc, a different vulnerability than CVE-2018-16369 and CVE-2019-16088.

CVE-2022-41842: Download Xpdf and XpdfReader

An issue was discovered in Xpdf 4.04. There is a crash in gfseek(_IO_FILE*, long, int) in goo/gfile.cc.

CVE-2022-38222: [BUG] use-after-free in pdfimages,xpdf-4.04 - forum.xpdfreader.com

There is a use-after-free issue in JBIG2Stream::close() located in JBIG2Stream.cc in Xpdf 4.04. It can be triggered by sending a crafted PDF file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service or possibly have unspecified other impact.

CVE-2022-38928: null pointer dereference caused by no-check malloc pointer

XPDF 4.04 is vulnerable to Null Pointer Dereference in FoFiType1C.cc:2393.

CVE-2022-38334: stack-overflow by Xpdf4.04 - forum.xpdfreader.com

XPDF v4.04 was discovered to contain a stack overflow via the function Catalog::countPageTree() at Catalog.cc.

CVE-2022-36561: segmemtation fault at xpdf-4.04/xpdf/AcroForm.cc:538 - forum.xpdfreader.com

XPDF v4.0.4 was discovered to contain a segmentation violation via the component /xpdf/AcroForm.cc:538.

CVE-2022-24107: Xpdf Security Fixes

Xpdf prior to 4.04 lacked an integer overflow check in JPXStream.cc.

CVE-2022-24107: Xpdf Security Fixes

Xpdf prior to 4.04 lacked an integer overflow check in JPXStream.cc.

CVE-2022-24107: Xpdf Security Fixes

Xpdf prior to 4.04 lacked an integer overflow check in JPXStream.cc.

CVE-2022-24107: Xpdf Security Fixes

Xpdf prior to 4.04 lacked an integer overflow check in JPXStream.cc.

CVE-2022-33108: There seems to be a stack overflow vulnerability here, can you take a look, source code:Object::copy

XPDF v4.04 was discovered to contain a stack overflow vulnerability via the Object::Copy class of object.cc files.

CVE-2022-30775: allocator is out of memory(OOM in pdftoppm)

xpdf 4.04 allocates excessive memory when presented with crafted input. This can be triggered by (for example) sending a crafted PDF document to the pdftoppm binary. It is most easily reproduced with the DCMAKE_CXX_COMPILER=afl-clang-fast++ option.

CVE-2022-30524: Segmentation fault in xpdf-4.04/xpdf/TextOutputDev.cc:988 in TextLine::TextLine()

There is an invalid memory access in the TextLine class in TextOutputDev.cc in Xpdf 4.0.4 because the text extractor mishandles characters at large y coordinates. It can be triggered by (for example) sending a crafted pdf file to the pdftotext binary, which allows a remote attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.

CVE-2022-30524: Segmentation fault in xpdf-4.04/xpdf/TextOutputDev.cc:988 in TextLine::TextLine()

There is an invalid memory access in the TextLine class in TextOutputDev.cc in Xpdf 4.0.4 because the text extractor mishandles characters at large y coordinates. It can be triggered by (for example) sending a crafted pdf file to the pdftotext binary, which allows a remote attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution