Bug 441722 (CVE-2008-1693) - CVE-2008-1693 xpdf: embedded font vulnerability
Summary: CVE-2008-1693 xpdf: embedded font vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-1693
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 442375
Depends On: 442388 442389 442390 442391 442392 442393 443026 444148 444149
Blocks:
 
Reported: 2008-04-09 17:18 UTC by Tomas Hoger
Modified: 2019-09-29 12:24 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-22 07:12:12 UTC
Embargoed:


Attachments
- Patch for xpdf from Ludwig Nussel (604 bytes, patch), 2008-04-09 17:20 UTC, Tomas Hoger
- Poppler type-checking patch from kees cook (4.71 KB, patch), 2008-04-15 08:49 UTC, Lubomir Kundrak


Links
System: Red Hat Product Errata | ID: RHSA-2008:0238 | Priority: normal | Status: SHIPPED_LIVE | Summary: Important: kdegraphics security update | Last Updated: 2008-04-17 12:32:02 UTC
System: Red Hat Product Errata | ID: RHSA-2008:0239 | Priority: normal | Status: SHIPPED_LIVE | Summary: Important: poppler security update | Last Updated: 2008-04-16 11:06:13 UTC
System: Red Hat Product Errata | ID: RHSA-2008:0240 | Priority: normal | Status: SHIPPED_LIVE | Summary: Important: xpdf security update | Last Updated: 2008-04-17 12:31:15 UTC
System: Red Hat Product Errata | ID: RHSA-2008:0262 | Priority: normal | Status: SHIPPED_LIVE | Summary: Important: gpdf security update | Last Updated: 2008-05-08 09:17:58 UTC

Description Tomas Hoger 2008-04-09 17:18:23 UTC
Kees Cook of Ubuntu noticed that a potential vulnerability allowing arbitrary code
execution via corrupted PDF embedded fonts was fixed in the xpdf code in xpdf 3.02
and poppler 0.6.2.

The fix is mentioned in the xpdf changelog - http://www.foolabs.com/xpdf/CHANGES:

"Check for a broken/missing embedded font (this was causing xpdf to crash)."

and is available in the poppler source code:

http://gitweb.freedesktop.org/?p=poppler/poppler.git;a=commitdiff;h=1a531dcfee1c6fc79a414c38cbe7327fbf9a59d8

Comment 1 Tomas Hoger 2008-04-09 17:20:47 UTC
Created attachment 301852 [details]
Patch for xpdf from Ludwig Nussel

Comment 7 Lubomir Kundrak 2008-04-14 16:19:14 UTC
These are affected:

xpdf         EL4 Exploitable via SplashOutputDev::updateFont
poppler      EL5 Exploitable via CairoFont::create (evince)
kdegraphics  EL4 Exploitable via SplashOutputDev::updateFont (kpdf)

Tools without graphical output (such as pdftops, from cups, teTeX) are not
vulnerable. Newer kpdf seems to use its own output device implementation.

Comment 12 Lubomir Kundrak 2008-04-15 08:49:08 UTC
Created attachment 302425 [details]
Poppler type-checking patch from kees cook

Comment 15 Tomas Hoger 2008-04-18 06:43:14 UTC
Public now, lifting embargo:

http://www.ubuntu.com/usn/usn-603-1

Comment 16 Tomas Hoger 2008-04-18 08:08:36 UTC
Short status of Fedora packages:

- xpdf - not affected, fixed upstream version 3.02 is shipped
- poppler - not affected in F8+, fixed upstream versions 0.6.2+ are shipped
- kdegraphics/kpdf - not affected (see comment #7)
- koffice - not affected, xpdf code only used for import, not for displaying


Comment 17 Tomas Hoger 2008-04-18 08:25:51 UTC
The Ubuntu security advisory for koffice / kword (http://www.ubuntu.com/usn/usn-603-2)
adds the patch from comment #12, which adds preventive checks that should prevent
exploitation of similar issues in the future, which may affect the kword import
filter as well.

Comment 19 Kevin Kofler 2008-04-18 10:01:30 UTC
Okular in KDE 4 uses the system poppler, so kdegraphics in F9 definitely does
not need a patch. For F7 and F8, I'll take Lubomir Kundrak's word that it is
not affected.

Comment 20 Fedora Update System 2008-04-24 16:14:06 UTC
poppler-0.5.4-9.fc7 has been submitted as an update for Fedora 7

Comment 22 Fedora Update System 2008-04-29 20:50:47 UTC
poppler-0.5.4-9.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

