Raphael Geissert
2009-May-07 15:37 UTC
[Secure-testing-team] Bug#527449: swftools: multiple vulnerabilities in embedded copy of xpdf
Package: swftools
Version: 0.8.1-1
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for swftools.

CVE-2007-3387[0]:
| Integer overflow in the StreamPredictor::StreamPredictor function in
| xpdf 3.02, as used in (1) poppler before 0.5.91, (2) gpdf before
| 2.8.2, (3) kpdf, (4) kdegraphics, (5) CUPS, (6) PDFedit, and other
| products, might allow remote attackers to execute arbitrary code via a
| crafted PDF file that triggers a stack-based buffer overflow in the
| StreamPredictor::getNextLine function.

CVE-2007-4352[1]:
| Array index error in the DCTStream::readProgressiveDataUnit method in
| xpdf/Stream.cc in Xpdf 3.02pl1, as used in poppler, teTeX, KDE,
| KOffice, CUPS, and other products, allows remote attackers to trigger
| memory corruption and execute arbitrary code via a crafted PDF file.

CVE-2007-5392[2]:
| Integer overflow in the DCTStream::reset method in xpdf/Stream.cc in
| Xpdf 3.02p11 allows remote attackers to execute arbitrary code via a
| crafted PDF file, resulting in a heap-based buffer overflow.

CVE-2007-5393[3]:
| Heap-based buffer overflow in the CCITTFaxStream::lookChar method in
| xpdf/Stream.cc in Xpdf 3.02p11 allows remote attackers to execute
| arbitrary code via a PDF file that contains a crafted CCITTFaxDecode
| filter.

CVE-2009-0146[4]:
| Multiple buffer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and
| earlier, CUPS 1.3.9 and earlier, and other products allow remote
| attackers to cause a denial of service (crash) via a crafted PDF file,
| related to (1) JBIG2SymbolDict::setBitmap and (2)
| JBIG2Stream::readSymbolDictSeg.

CVE-2009-0147[5]:
| Multiple integer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and
| earlier, CUPS 1.3.9 and earlier, and other products allow remote
| attackers to cause a denial of service (crash) via a crafted PDF file,
| related to (1) JBIG2Stream::readSymbolDictSeg, (2)
| JBIG2Stream::readSymbolDictSeg, and (3)
| JBIG2Stream::readGenericBitmap.

CVE-2009-0166[6]:
| The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier,
| and other products allows remote attackers to cause a denial of
| service (crash) via a crafted PDF file that triggers a free of
| uninitialized memory.

CVE-2009-0799[7]:
| The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier,
| Poppler before 0.10.6, and other products allows remote attackers to
| cause a denial of service (crash) via a crafted PDF file that triggers
| an out-of-bounds read.

CVE-2009-0800[8]:
| Multiple "input validation flaws" in the JBIG2 decoder in Xpdf 3.02pl2
| and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other
| products allow remote attackers to execute arbitrary code via a
| crafted PDF file.

CVE-2009-1179[9]:
| Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier,
| CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products
| allows remote attackers to execute arbitrary code via a crafted PDF
| file.

CVE-2009-1180[10]:
| The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier,
| Poppler before 0.10.6, and other products allows remote attackers to
| execute arbitrary code via a crafted PDF file that triggers a free of
| invalid data.

CVE-2009-1181[11]:
| The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier,
| Poppler before 0.10.6, and other products allows remote attackers to
| cause a denial of service (crash) via a crafted PDF file that triggers
| a NULL pointer dereference.

CVE-2009-1182[12]:
| Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf 3.02pl2 and
| earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other
| products allow remote attackers to execute arbitrary code via a
| crafted PDF file.

CVE-2009-1183[13]:
| The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and
| earlier, Poppler before 0.10.6, and other products allows remote
| attackers to cause a denial of service (infinite loop and hang) via a
| crafted PDF file.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

The patches for those vulnerabilities can be found in the following
reports:
http://bugs.debian.org/524809
http://bugs.debian.org/450629
http://bugs.debian.org/435462

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387
    http://security-tracker.debian.net/tracker/CVE-2007-3387
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
    http://security-tracker.debian.net/tracker/CVE-2007-4352
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
    http://security-tracker.debian.net/tracker/CVE-2007-5392
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393
    http://security-tracker.debian.net/tracker/CVE-2007-5393
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0146
    http://security-tracker.debian.net/tracker/CVE-2009-0146
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0147
    http://security-tracker.debian.net/tracker/CVE-2009-0147
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0166
    http://security-tracker.debian.net/tracker/CVE-2009-0166
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0799
    http://security-tracker.debian.net/tracker/CVE-2009-0799
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0800
    http://security-tracker.debian.net/tracker/CVE-2009-0800
[9] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1179
    http://security-tracker.debian.net/tracker/CVE-2009-1179
[10] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1180
     http://security-tracker.debian.net/tracker/CVE-2009-1180
[11] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1181
     http://security-tracker.debian.net/tracker/CVE-2009-1181
[12] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1182
     http://security-tracker.debian.net/tracker/CVE-2009-1182
[13] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1183
     http://security-tracker.debian.net/tracker/CVE-2009-1183

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net