Multiple integer overflow issues affecting xpdf-2.0 and xpdf-3.0. Also programs like gpdf which have embedded versions of xpdf. These can result in writing an arbitrary byte to an attacker controlled location which probably could lead to arbitrary code execution. See bug 2186 Ref: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:114 ------- Additional Comments From rob.myers.edu 2004-10-28 09:42:37 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here is an updated gpdf package to QA for fc1: i had a problem with %find_lang when trying to build in mach: <snip> + /usr/lib/rpm/redhat/find-lang.sh /var/tmp/gpdf-0.110-root gpdf No translations found for gpdf in /var/tmp/gpdf-0.110-root error: Bad exit status from /var/tmp/rpm-tmp.29145 (%install) </snip> but it built fine without mach. changelog: * Thu Oct 28 2004 Rob Myers <rob.myers.edu> 0.110-1.1.legacy - - patch for CAN-2004-0888 CAN-2004-0889 (FL #2186, #2195) sha1sums: e414465e275b59bcd31f287490f0e4f2b916aae8 gpdf-0.110-1.1.legacy.i386.rpm e757228ddaf77d5702c3b3756d90714aaf11554b gpdf-0.110-1.1.legacy.src.rpm 6a6caca69d03a5db30dbaceb66e8d1a1fcf99fe0 gpdf-debuginfo-0.110-1.1.legacy.i386.rpm files: http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/gpdf-0.110-1.1.legacy.src.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/gpdf-0.110-1.1.legacy.i386.rpm http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/gpdf-debuginfo-0.110-1.1.legacy.i386.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFBgUtztU2XAt1OWnsRAvq6AJ0btml9We7J9erFC/LsgSUiw5/bUgCg21tB VAKXmfjQhP6RMFhKDcB53eE= =mpc6 -----END PGP SIGNATURE----- ------- Additional Comments From marcdeslauriers 2004-11-25 17:02:01 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I did QA on the FC1 package: e757228ddaf77d5702c3b3756d90714aaf11554b gpdf-0.110-1.1.legacy.src.rpm - - Source files identical to previous release - - Patch file is good - - Spec file changes good - - Builds, installs and runs OK +PUBLISH -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFBppzHLMAs/0C4zNoRAotGAJ9Z+7deXoTRa5yURY7Xq3jZiLQTNACgl2X+ HEUnpvEgLmdrycIowGLiMsc= =phQA -----END PGP SIGNATURE----- ------- Additional Comments From marcdeslauriers 2004-12-01 18:23:18 ---- Packages were pushed to updates-testing. ------- Additional Comments From pekkas 2004-12-22 04:21:26 ---- Sigh.. more flaws were found in xpdf -- #2186 comment 25. ------- Additional Comments From marcdeslauriers 2004-12-22 05:35:17 ---- The new flaws should be in their own bug...these packages are already in updates-testing. ------- Additional Comments From rob.myers.edu 2004-12-22 13:19:42 ---- new bug created. see bug #2352. ------- Additional Comments From rob.myers.edu 2004-12-22 16:48:23 ---- or rather see bug #2353 ------- Additional Comments From sheltren.edu 2005-01-13 07:17:16 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Verify for package: 5f64cfd5be571ffcb49f1cf067603165decc2318 gpdf-0.110-1.2.legacy.i386.rpm Signature is OK Package installs OK Ran gpdf and successfully opened some PDF documents FC1 VERIFY++ Does this issue appear on RH9 also? I didn't see any RH9 packages. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (Darwin) iD8DBQFB5qz5Ke7MLJjUbNMRAsqpAKChlbGmROYozWMRRtUeGfSH5bfghQCgwU4D vsnP24OvD0yCW4Iy45lK+6k= =P1fK -----END PGP SIGNATURE----- ------- Additional Comments From marcdeslauriers 2005-02-10 13:04:17 ---- Packages were officially released. ------- Bug moved to this database by dkl 2005-03-30 18:28 ------- This bug previously known as bug 2195 at https://bugzilla.fedora.us/ https://bugzilla.fedora.us/show_bug.cgi?id=2195 Originally filed under the Fedora Legacy product and Package request component. Unknown priority P2. Setting to default priority "normal". Unknown platform PC. Setting to default platform "All". Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.