Bug 441722 - (CVE-2008-1693) CVE-2008-1693 xpdf: embedded font vulnerability
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
high Severity high
Assigned To: Red Hat Product Security
: Security
: 442375
Depends On: 442388 442389 442390 442391 442392 442393 443026 444148 444149
Reported: 2008-04-09 13:18 EDT by Tomas Hoger
Modified: 2009-10-14 09:51 EDT
Doc Type: Bug Fix
Last Closed: 2008-05-22 03:12:12 EDT

Attachments
Patch for xpdf from Ludwig Nussel (604 bytes, patch)
2008-04-09 13:20 EDT, Tomas Hoger
Poppler type-checking patch from kees cook (4.71 KB, patch)
2008-04-15 04:49 EDT, Lubomir Kundrak

External Trackers
Tracker                 ID              Priority  Status        Summary                                  Last Updated
Red Hat Product Errata  RHSA-2008:0238  normal    SHIPPED_LIVE  Important: kdegraphics security update   2008-04-17 08:32:02 EDT
Red Hat Product Errata  RHSA-2008:0239  normal    SHIPPED_LIVE  Important: poppler security update       2008-04-16 07:06:13 EDT
Red Hat Product Errata  RHSA-2008:0240  normal    SHIPPED_LIVE  Important: xpdf security update          2008-04-17 08:31:15 EDT
Red Hat Product Errata  RHSA-2008:0262  normal    SHIPPED_LIVE  Important: gpdf security update          2008-05-08 05:17:58 EDT

Description Tomas Hoger 2008-04-09 13:18:23 EDT
Kees Cook of Ubuntu noticed that a potential vulnerability allowing arbitrary code
execution via corrupted PDF embedded fonts was fixed in xpdf code in xpdf 3.02
and poppler 0.6.2.

Fix is mentioned in xpdf changelog - http://www.foolabs.com/xpdf/CHANGES:

"Check for a broken/missing embedded font (this was causing xpdf to crash)."

and is available in poppler source code:

Comment 1 Tomas Hoger 2008-04-09 13:20:47 EDT
Created attachment 301852
Patch for xpdf from Ludwig Nussel
Comment 7 Lubomir Kundrak 2008-04-14 12:19:14 EDT
This is affected:

xpdf         EL4 Exploitable via SplashOutputDev::updateFont
poppler      EL5 Exploitable via CairoFont::create (evince)
kdegraphics  EL4 Exploitable via SplashOutputDev::updateFont (kpdf)

Tools without graphical output (such as pdftops, from cups, teTeX) are not
vulnerable. Newer kpdf seems to use its own output device implementation.
Comment 12 Lubomir Kundrak 2008-04-15 04:49:08 EDT
Created attachment 302425
Poppler type-checking patch from kees cook
Comment 15 Tomas Hoger 2008-04-18 02:43:14 EDT
Public now, lifting embargo:

Comment 16 Tomas Hoger 2008-04-18 04:08:36 EDT
Short status of Fedora packages:

- xpdf - not affected, fixed upstream version 3.02 is shipped
- poppler - not affected in F8+, fixed upstream versions 0.6.2+ are shipped
- kdegraphics/kpdf - not affected (see comment #7)
- koffice - not affected, xpdf code only used for import, not for displaying
Comment 17 Tomas Hoger 2008-04-18 04:25:51 EDT
Ubuntu security advisory for koffice / kword http://www.ubuntu.com/usn/usn-603-2
adds patch in comment #12, which adds preventive checks, which should prevent
exploitation of similar issues in the future, that may affect kword import
filter as well.
Comment 19 Kevin Kofler 2008-04-18 06:01:30 EDT
Okular in KDE 4 uses the system poppler, so kdegraphics in F9 definitely does 
not need a patch. For F7 and F8, I'll take Lubomir Kundrak's word that it is 
not affected.
Comment 20 Fedora Update System 2008-04-24 12:14:06 EDT
poppler-0.5.4-9.fc7 has been submitted as an update for Fedora 7
Comment 22 Fedora Update System 2008-04-29 16:50:47 EDT
poppler-0.5.4-9.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
