Bug 152876 - CAN-2004-0888,0889,1125, CAN-2005-0064 xpdf buffer overflows apply to gpdf
CAN-2004-0888,0889,1125, CAN-2005-0064 xpdf buffer overflows apply to gpdf
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: Package request (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
http://cve.mitre.org/cgi-bin/cvename....
1, LEGACY
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-12-22 16:46 EST by rob
Modified: 2007-04-18 13:22 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-05-16 08:06:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Lawrence 2005-03-30 18:30:39 EST
from:
http://www.idefense.com/application/poi/display?id=172&type=vulnerabilities&flashstatus=true

Remote exploitation of a buffer overflow vulnerability in the xpdf PDF
viewer, as included in multiple Linux distributions, could allow
attackers to execute arbitrary code as the user viewing a PDF file. The
offending code can be found in the Gfx::doImage() function in the source
file xpdf/Gfx.cc.

A patch to address this vulnerability is available from:

    ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl2.patch

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1125

see bug #2352 for the xpdf bug



------- Additional Comments From rob.myers@gtri.gatech.edu 2004-12-22 18:55:48 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
here are gpdf rpms to QA for fc1:
  
- - uses xpdf 3.00 patch with last hunk removed since it did not
  apply and only fixed an error message.  and with paths changed
  for gpdf.
 
- - other vendors do not seem to have released patches for gpdf yet
  so we should take a close look at them when they do to make sure
  there are no other issues.
 
this file is available at:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/2353.txt.asc
 
files:
 
fc1:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/gpdf-0.110-1.2.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/gpdf-0.110-1.2.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/gpdf-debuginfo-0.110-1.2.legacy.i386.rpm
 
sha1sums:
 
fc1:
f98058348890fce497977730634d846c9fd143e2  gpdf-0.110-1.2.legacy.i386.rpm
bac028292240c8c0022790570c4ac06d6df9b319  gpdf-0.110-1.2.legacy.src.rpm
a6003ffcb945ac03926f5d8727dff1d1ee2d5d4f  gpdf-debuginfo-0.110-1.2.legacy.i386.rpm
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFByk9gtU2XAt1OWnsRAnw/AJ9RUJaiF3yoeVzT29lQI7ZB8U/7wgCgz2za
diQJ4uuRc8oGj1hgKN7vWKc=
=Eh82
-----END PGP SIGNATURE-----




------- Additional Comments From rob.myers@gtri.gatech.edu 2004-12-22 19:15:28 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
here are gpdf rpms to QA for fc1:
 
- - actually bumped the release number this time. :)
  
- - uses xpdf 3.00 patch with last hunk removed since it did not
  apply and only fixed an error message.  and with paths changed
  for gpdf.
 
- - other vendors do not seem to have released patches for gpdf yet
  so we should take a close look at them when they do to make sure
  there are no other issues.
 
this file is available at:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/2353.txt.asc
 
changelog:
* Wed Dec 22 2004 Rob Myers <rob.myers@gtri.gatech.edu> 0.110-1.3.legacy
- - add patch for CAN-2004-1125 (FL #2353)
 
files:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/gpdf-0.110-1.3.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/gpdf-0.110-1.3.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/gpdf-debuginfo-0.110-1.3.legacy.i386.rpm
 
sha1sums:
2b6c2cc768c0b92963c9e3bd926147f8ca7e5d2f  gpdf-0.110-1.3.legacy.i386.rpm
69180afbe83437629dda8ca8962c61b9b4395673  gpdf-0.110-1.3.legacy.src.rpm
7cb942cd09f03dbb6afcded7ee7b46512f871e3f  gpdf-debuginfo-0.110-1.3.legacy.i386.rpm
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBylP+tU2XAt1OWnsRAsDdAKCoc4OySHCIVXRntHWU/Fz3q4r5UgCfY+rY
qsYOMRmyTAT//z08YWibC8M=
=NWy7
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas@netcore.fi 2005-01-08 22:39:03 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for FC1 src.rpm:
 - original sources intact
 - spec file changes minimal
 - patches verified to come, modulo trivial diffs, from the xpdf
   bug for which I already gave a publish.

+PUBLISH

69180afbe83437629dda8ca8962c61b9b4395673  gpdf-0.110-1.3.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFB4O1BGHbTkzxSL7QRAsgHAJ9wqcUFVxGckG8YEZEM5K18sfqhiACgrtBe
eiDoSEcRMghuIVlnuY2YCHA=
=QcTm
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas@netcore.fi 2005-01-18 19:12:02 ----

CAN-2005-0064 probably applies here too..



------- Additional Comments From rob.myers@gtri.gatech.edu 2005-01-19 03:15:15 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
here are gpdf rpms to QA for fc1:
 
changelog:
* Wed Jan 19 2005 Rob Myers <rob.myers@gtri.gatech.edu> 0.110-1.4.legacy
- - patch for CAN-2005-0064 (FL #2353)
- - use better patch for CAN-2004-1125
 
this file is available at:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/2353.txt.asc
 
files:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/gpdf-0.110-1.4.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/gpdf-0.110-1.4.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/gpdf-debuginfo-0.110-1.4.legacy.i386.rpm
 
sha1sums:
8f5449b2f8bf38189849d197cfcf388526b9f2c0  gpdf-0.110-1.4.legacy.i386.rpm
35a4af3cd12d0716811f8a24b6a2388e6b7a1e02  gpdf-0.110-1.4.legacy.src.rpm
7236783f25d1d09534ce092c16fc4e07c21b2408  gpdf-debuginfo-0.110-1.4.legacy.i386.rpm
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFB7lzytU2XAt1OWnsRArZlAJwL+ltXEp70HMxHYphyxOZ50t3iVQCgvv+G
YKXRyoje23o8TdvjXPzL7vQ=
=v5W0
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas@netcore.fi 2005-01-19 04:12:55 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA for gpdf:
 - source integrity OK
 - patches verified to be identical to the xpdf patches
 - spec file changes good
 
+PUBLISH
 
35a4af3cd12d0716811f8a24b6a2388e6b7a1e02  gpdf-0.110-1.4.legacy.src.rpm
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFB7mrRGHbTkzxSL7QRAjjzAKCPs0P3TQXcdS5QN39CimJ24OJPEwCfVKO5
uOs4fSBFj/ArTarVvYc/bU8=
=GaeB
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-04 12:38:30 ----

Packages built and pushed to updates-testing.



------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-17 12:16:11 ----

Packages were released to updates.



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:30 -------

This bug previously known as bug 2353 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2353
Originally filed under the Fedora Legacy product and General component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.


Note You need to log in before you can comment on or make changes to this bug.