The below issues also affect gpdf. +++ This bug was initially created as a clone of Bug #175404 +++ From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20051012 Netscape/8.0.4 Description of problem: 05.49.8 CVE: CAN-2005-3191 Platform: Linux Title: XPDF DCTStream Baseline Remote Heap Buffer Overflow Description: XPDF is an open source PDF viewer. It is reported prone to a remote buffer overflow vulnerability in the "CTStream::readBaselineSOF" function residing in the "xpdf/Stream.cc" file. This issue is reported to affect XPDF version 3.01. Applications using embedded XPDF code may be vulnerable to this issue as well. Ref: http://www.securityfocus.com/bid/15727 Version-Release number of selected component (if applicable): How reproducible: Didn't try Additional info: -- Additional comment from jpdalbec on 2005-12-09 15:55 EST -- 05.49.19 CVE: CAN-2005-3193 Platform: Cross Platform Title: XPDF Remote Heap Buffer Overflow Description: XPDF is an open source PDF viewer. It is vulnerable to a remote buffer overflow issue due to insufficient boundary check with the "JPXStream::readCodestream" function. XPDF versions 3.01 and earlier are vulnerable. Ref: http://rhn.redhat.com/errata/RHSA-2005-840.html 05.49.20 CVE: CAN-2005-3192 Platform: Cross Platform Title: XPDF StreamPredictor Remote Heap Buffer Overflow Description: XPDF is an open source PDF viewer. It is reported prone to a remote buffer overflow vulnerability due to improper boundary checks before copying user-supplied data into process buffers. It is reported that this issue presents itself in the "StreamPredictor::StreamPredictor" function residing in the "xpdf/Stream.cc" file. This issue is reported to affect XPDF versions 3.01-pl3 and earlier. Ref: http://www.idefense.com/application/poi/display?id=344&type=vulnerabilities -- Additional comment from deisenst on 2006-01-01 01:50 EST -- On 12/20/2005, Red Hat (re)issued advisory RHSA-2005:840 for this issue. http://rhn.redhat.com/errata/RHSA-2005-840.html "This update has been rated as having important security impact by the Red Hat Security Response Team." According to Josh Bressers in Bug #173888, these issues affect xpdf, kdegraphics, cups, gpdf, tetex and poppler.
On 12/20/2005, Red Hat Issued advisory RHSA-2005:867 for these issues as they affect gpdf. http://rhn.redhat.com/errata/RHSA-2005-867.html Their update was rated impportant security impact by the Red Hat Security Response Team.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here are updated packages to QA. fc1: CVE-2005-3191, CVE-2005-3192, CVE-2005-3193, CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, CVE-2005-3627, CVE-2005-3628 fc2: CVE-2005-2097, CVE-2005-3191, CVE-2005-3192, CVE-2005-3193 CVE-2005-3624, CVE-2005-3625, CVE-2005-3626, CVE-2005-3627 CVE-2005-3628 fc3: CVE-2005-2097 53f387f9959301d801ff7586261b4ac68ca5cfb2 1/gpdf-0.110-1.5.legacy.i386.rpm 9242a66ac4721f06d32b0c1c642f776182167074 1/gpdf-0.110-1.5.legacy.src.rpm 9cb564ff5757273772fc27e653ca554587ec9b85 2/gpdf-2.8.2-4.1.1.legacy.i386.rpm 50e97b8e326e0b04812a6077a347822ad5f4ff98 2/gpdf-2.8.2-4.1.1.legacy.src.rpm a80946904b8fe349750368b75a1aa8f24a7ccdca 3/gpdf-2.8.2-7.2.1.legacy.i386.rpm 756eb8dd58bdbb63ec10745f402102e7b8c16fda 3/gpdf-2.8.2-7.2.1.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/1/gpdf-0.110-1.5.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/2/gpdf-2.8.2-4.1.1.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/3/gpdf-2.8.2-7.2.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.1 (GNU/Linux) iD8DBQFD9+J0LMAs/0C4zNoRAv06AKDDWpmujQJUHeU9xxQSb7VWDmcuCQCgpQ16 eTOehlDEpbgQ7vt2wGDlxgY= =oe6P -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA w/ rpm-build-compare.sh: - source integrity good - spec file changes minimal - patches verified to come from RHEL +PUBLISH FC1, FC2, FC3 9242a66ac4721f06d32b0c1c642f776182167074 gpdf-0.110-1.5.legacy.src.rpm 50e97b8e326e0b04812a6077a347822ad5f4ff98 gpdf-2.8.2-4.1.1.legacy.src.rpm 756eb8dd58bdbb63ec10745f402102e7b8c16fda gpdf-2.8.2-7.2.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFD+C/sGHbTkzxSL7QRAn9aAJ9pQElIiz+bBPceRhu0s8lOjHCGZgCg2FmT Ee2wQ9+ovuGGpO+RpkNKwoo= =7xqY -----END PGP SIGNATURE-----
Packages were pushed to updates-testing
Timeout over.
Packages were released to updates.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Testing of gpdf for Fedora Core 1. 646edd9bdaf07a2f74d0b9874a666f94dc4f7982 gpdf-0.110-1.5.legacy.i386.rpm * Sha1sum and gpg signature okay * Installs fine. * Runs fine: displays all pdf files I threw at it. * Don't know how to test the vulnerabilities, but didn't research them very deeply either. VERIFY++ FC1 gpdf-0.110-1.5.legacy.i386.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFEDtrYxou1V/j9XZwRAu0FAKDtuZYDR0eELroy+5dLVy7XJQQYSwCgoPZM 0uFf2dCTCR6fMZf0VxLDfNE= =F+LE -----END PGP SIGNATURE-----