Bug 441722 (CVE-2008-1693)

Summary: CVE-2008-1693 xpdf: embedded font vulnerability
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: andreas.bierfert, jnovy, kevin, kreilly, krh, lkundrak, rdieter, security-response-team, tcallawa, than, twaugh
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-05-22 07:12:12 UTC
Bug Depends On: 442388, 442389, 442390, 442391, 442392, 442393, 443026, 444148, 444149
Attachments:
- Patch for xpdf from Ludwig Nussel (flags: none)
- Poppler type-checking patch from kees cook (flags: none)

Description Tomas Hoger 2008-04-09 17:18:23 UTC
Kees Cook of Ubuntu noticed that a potential vulnerability allowing arbitrary code
execution via corrupted PDF embedded fonts was fixed in xpdf code in xpdf 3.02
and poppler 0.6.2.

The fix is mentioned in the xpdf changelog - http://www.foolabs.com/xpdf/CHANGES:

"Check for a broken/missing embedded font (this was causing xpdf to crash)."

and is available in poppler source code:

http://gitweb.freedesktop.org/?p=poppler/poppler.git;a=commitdiff;h=1a531dcfee1c6fc79a414c38cbe7327fbf9a59d8

Comment 1 Tomas Hoger 2008-04-09 17:20:47 UTC
Created attachment 301852 [details]
Patch for xpdf from Ludwig Nussel

Comment 7 Lubomir Kundrak 2008-04-14 16:19:14 UTC
These are affected:

xpdf         EL4 Exploitable via SplashOutputDev::updateFont
poppler      EL5 Exploitable via CairoFont::create (evince)
kdegraphics  EL4 Exploitable via SplashOutputDev::updateFont (kpdf)

Tools without graphical output (such as pdftops, from cups, teTeX) are not
vulnerable. Newer kpdf seems to use its own output device implementation.

Comment 12 Lubomir Kundrak 2008-04-15 08:49:08 UTC
Created attachment 302425 [details]
Poppler type-checking patch from kees cook

Comment 15 Tomas Hoger 2008-04-18 06:43:14 UTC
Public now, lifting embargo:

http://www.ubuntu.com/usn/usn-603-1

Comment 16 Tomas Hoger 2008-04-18 08:08:36 UTC
Short status of Fedora packages:

- xpdf - not affected, fixed upstream version 3.02 is shipped
- poppler - not affected in F8+, fixed upstream versions 0.6.2+ are shipped
- kdegraphics/kpdf - not affected (see comment #7)
- koffice - not affected, xpdf code only used for import, not for displaying


Comment 17 Tomas Hoger 2008-04-18 08:25:51 UTC
Ubuntu security advisory for koffice / kword http://www.ubuntu.com/usn/usn-603-2
adds the patch from comment #12, which adds preventive checks that should prevent
exploitation of similar issues in the future, which may affect the kword import
filter as well.
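As an added illustration of the kind of check the changelog entry and the type-checking patch describe (a constructed C++ model written for this page, not xpdf or poppler code; FontDict, loadEmbeddedFont and updateFont are hypothetical names), a font loader that refuses a missing, unrecognised or mis-declared embedded font program, and an output-device update that falls back to a substitute instead of dereferencing the result:

```cpp
#include <cstdint>
#include <memory>
#include <vector>

// Constructed model: a font dictionary declares what kind of embedded font
// program it carries (its /FontFile* entry) and holds the program bytes.
enum class FontKind { None, Type1, TrueType };

struct FontDict {
    FontKind declared;             // what the dictionary claims
    std::vector<uint8_t> program;  // embedded bytes; empty means missing
};

struct LoadedFont {
    FontKind kind;   // kind actually detected from the bytes
    size_t bytes;
};

// Sniff the embedded program. Returns nullptr for a missing or unrecognised
// ("broken") font program rather than a half-initialised font object.
std::unique_ptr<LoadedFont> loadEmbeddedFont(const FontDict& d) {
    const auto& p = d.program;
    if (p.size() < 4) return nullptr;                       // missing or truncated
    FontKind k = FontKind::None;
    if (p[0] == '%' && p[1] == '!')                          // "%!PS-AdobeFont..."
        k = FontKind::Type1;
    else if (p[0] == 0 && p[1] == 1 && p[2] == 0 && p[3] == 0)   // sfnt version 1.0
        k = FontKind::TrueType;
    else if (p[0] == 't' && p[1] == 'r' && p[2] == 'u' && p[3] == 'e')  // 'true' tag
        k = FontKind::TrueType;
    if (k == FontKind::None) return nullptr;
    return std::unique_ptr<LoadedFont>(new LoadedFont{k, p.size()});
}

enum class FontSource { Embedded, Substitute };

// Hardened updateFont: never dereferences a null result and rejects a program
// whose detected type does not match the declared one (the type check).
FontSource updateFont(const FontDict& d, LoadedFont& out) {
    std::unique_ptr<LoadedFont> f = loadEmbeddedFont(d);
    if (!f || f->kind != d.declared) {          // missing, broken, or wrong type
        out = LoadedFont{FontKind::None, 0};    // stands in for a substitute font
        return FontSource::Substitute;
    }
    out = *f;
    return FontSource::Embedded;
}
```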

Comment 19 Kevin Kofler 2008-04-18 10:01:30 UTC
Okular in KDE 4 uses the system poppler, so kdegraphics in F9 definitely does 
not need a patch. For F7 and F8, I'll take Lubomir Kundrak's word that it is 
not affected.

Comment 20 Fedora Update System 2008-04-24 16:14:06 UTC
poppler-0.5.4-9.fc7 has been submitted as an update for Fedora 7

Comment 22 Fedora Update System 2008-04-29 20:50:47 UTC
poppler-0.5.4-9.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.