Bug 345101 (CVE-2007-4352)

Summary: CVE-2007-4352 xpdf memory corruption in DCTStream::readProgressiveDataUnit()
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Version: unspecified
CC: jnovy, kreilly, krh, security-response-team, than, twaugh
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: 0.5.4-8.fc7
Doc Type: Bug Fix
Last Closed: 2008-02-13 05:19:57 UTC
Bug Depends On: 356551, 356561, 356571, 356581, 356601, 356611, 356641, 356651, 356671, 356681, 356691, 356701, 356711, 356721, 356791, 356811, 356821, 372461, 372471, 372481, 372491, 372501, 372511, 372521, 372551, 372561, 372571, 372581, 372591, 372601, 372611, 372651, 372661, 372671    
Attachments:
Description Flags
xpdf-3.02pl2 first draft from Derek B. Noonburg addressing CVE-2007-{4352,5392,5393} none

Description Tomas Hoger 2007-10-22 12:37:39 UTC
Alin Rad Pop of Secunia Research discovered a vulnerability in the
xpdf/Stream.cc code:

An array indexing error exists within the "DCTStream::readProgressiveDataUnit()"
method in xpdf/Stream.cc. This can be exploited to corrupt memory via a
specially crafted PDF file.

Comment 6 Tomas Hoger 2007-10-26 06:56:09 UTC
Created attachment 238491
xpdf-3.02pl2 first draft from Derek B. Noonburg addressing CVE-2007-{4352,5392,5393}

Comments from Derek:

The fixes for the first two bugs (in DCTStream) are pretty
straightforward.

The CCITTFaxStream inner loop code has been rewritten (because I was
unhappy with the design, and it was resulting in too many problems).

Comment 26 Josh Bressers 2007-11-07 16:27:39 UTC
This is now public:
http://marc.info/?l=full-disclosure&m=119445179723160&w=2

Comment 27 Fedora Update System 2007-11-08 06:03:33 UTC
cups-1.3.4-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 28 Tomas Hoger 2007-11-08 08:38:17 UTC
KDE security advisory with official patches for kdegraphics and koffice:

http://www.kde.org/info/security/advisory-20071107-1.txt


Comment 29 Tomas Hoger 2007-11-09 10:33:38 UTC
Official xpdf patch is available on xpdf upstream page:

http://www.foolabs.com/xpdf/download.html
ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl2.patch


Comment 30 Fedora Update System 2007-11-09 23:51:51 UTC
cups-1.2.12-7.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 31 Fedora Update System 2008-02-08 08:17:24 UTC
poppler-0.5.4-8.fc7 has been submitted as an update for Fedora 7

Comment 32 Fedora Update System 2008-02-13 05:19:45 UTC
poppler-0.5.4-8.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 33 Fedora Update System 2008-02-13 15:00:40 UTC
poppler-0.5.4-8.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 34 Fedora Update System 2008-02-13 15:09:43 UTC
poppler-0.5.4-8.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.