LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices



Reply
 
Search this Thread
Old 11-20-2010, 11:27 AM   #1
GazL
Senior Member
 
Registered: May 2008
Posts: 3,503

Rep: Reputation: 1025Reputation: 1025Reputation: 1025Reputation: 1025Reputation: 1025Reputation: 1025Reputation: 1025Reputation: 1025
XPDF Vulnerability (early October)


Back in early October there was a set of vulnerabilities for PDF related software discovered.

Quote:
CVE-2010-3702:
The Gfx::getPos function in the PDF parser in xpdf before 3.02pl5, poppler 0.8.7 and possibly other versions up to 0.15.1, CUPS, kdegraphics, and possibly other products allows context-dependent attackers to cause a denial of service (crash) via unknown vectors that trigger an uninitialized pointer dereference.
Quote:
CVE-2010-3703:
The PostScriptFunction::PostScriptFunction function in poppler/Function.cc in the PDF parser in poppler 0.8.7 and possibly other versions up to 0.15.1, and possibly other products, allows context-dependent attackers to cause a denial of service (crash) via a PDF file that triggers an uninitialized pointer dereference.
Quote:
CVE-2010-3704:
The FoFiType1:arse function in fofi/FoFiType1.cc in the PDF parser in xpdf before 3.02pl5, poppler 0.8.7 and possibly other versions up to 0.15.1, kdegraphics, and possibly other products allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PDF file with a crafted Type1 font that contains a negative array index, which bypasses input validation and which triggers memory corruption.

I sent a note about these to security at slackware.com back towards the end of October when I noticed that they hadn't been updated, but I've still not seen any updates show up, though poppler has been updated to 0.14.5 in current which should be ok.

xpdf 3.02pl5 has been available since around the 20th Oct to fix this and I've been running a local build of it without issue here since it was released by upstream.

3702 & 3 don't look all that serious, but the 'arbitrary code' aspect of 3704 seems to be a cause for concern.

Did these just slip through the cracks or is there a reason they haven't been updated yet?
 
Old 11-20-2010, 07:59 PM   #2
dive
Senior Member
 
Registered: Aug 2003
Location: UK
Distribution: Slackware
Posts: 3,211

Rep: Reputation: 293Reputation: 293Reputation: 293
Looks like xpdf and poppler patched tonight. Don't know what will happen with kdegraphics/okular/kpdf though.
 
Old 11-21-2010, 12:31 AM   #3
mlangdn
Senior Member
 
Registered: Mar 2005
Location: Kentucky
Distribution: Slackware64-current
Posts: 1,386

Rep: Reputation: 181Reputation: 181
xpdf upgraded just fine. It seems that poppler is the same package. Mine just skips it - already installed.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
can not get xpdf to print walterbyrd Linux - Software 2 08-29-2007 12:53 PM
Can't find Xpdf?? crash_override_me Ubuntu 3 09-06-2005 10:28 AM
Xpdf satimis Linux - Software 3 09-04-2005 12:28 PM
xpdf error anadyr Slackware 7 01-04-2005 05:27 AM
can't compile xpdf dibblethewrecke Linux - Software 1 01-08-2004 01:15 PM


All times are GMT -5. The time now is 10:54 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration