tags 334454 + patch pending confirmed upstream
stop
BTW, this is Debian bug #334454. Forwarding my earlier mail to the
bug. Please keep it in copy.
--
Loïc Minier <[EMAIL PROTECTED]>
--- Begin Message ---
Hi,
DSA 982-1 was announced without any CVE id.
I went through the 2005 and 2006 CVEs for gpdf and found this:
                 unstable     stable
CAN-2005-2097    VULNERABLE   VULNERABLE
CVE-2005-3191    2.10.0-2     2.8.2-1.2sarge2
CVE-2005-3192    2.10.0-2     2.8.2-1.2sarge2
CVE-2005-3624    2.10.0-2     2.8.2-1.2sarge2
CVE-2005-3625    2.10.0-2     2.8.2-1.2sarge2
CVE-2005-3626    2.10.0-2     2.8.2-1.2sarge2
CVE-2005-3627    2.10.0-2     2.8.2-1.2sarge2
CVE-2005-3628    2.10.0-2     2.8.2-1.2sarge2
CVE-2006-0301    2.10.0-3     2.8.2-1.2sarge3
???              ???          2.8.2-1.2sarge4
But I have no guarantee that I did not miss any additional vulns that
were not attached to a CVE id in previous DSAs.
I need your help to:
1) find out the CVEs of 2.8.2-1.2sarge4 (please allocate CVE ids or
tell me which CVE ids are concerned by the fix in case I need to fix
the unstable package again); it seems this might have been fixed in
unstable with 2.10.0-3, but I can't tell for sure (perhaps you can?)
2) check the attached fix for CAN-2005-2097 in stable; you seem to have
fixed this for:
kdegraphics 3.3.2-2sarge1 DSA-780-1
libextractor 0.4.2-2sarge2 DSA-936
xpdf and tetex-bin were not affected in stable
I've found only the second of the two hunks of the attached
"post-3.4.1-kdegraphics-4.diff" in gpdf 2.8.2-1.2sarge4, and it was
vulnerable.
I attach the proposed fix for stable, addressing CAN-2005-2097 in gpdf
2.8.2-1.2sarge4 (and making it gpdf 2.8.2-1.2sarge5), as
gpdf_2.8.2-1.2sarge5.diff.
If you agree with the fix, I'll apply the same fix to gpdf 2.10.0-3.
(post-3.4.1-kdegraphics-4.diff is the only patch I've found for
CAN-2005-2097, it might be incomplete, please let me know if you know
of something better.)
Bye,
--
Loïc Minier <[EMAIL PROTECTED]>
diff -u gpdf-2.8.2/debian/changelog gpdf-2.8.2/debian/changelog
--- gpdf-2.8.2/debian/changelog
+++ gpdf-2.8.2/debian/changelog
@@ -1,3 +1,9 @@
+gpdf (2.8.2-1.2sarge5) stable-security; urgency=low
+
+ * Backported fix for CAN-2005-2097.
+
+ -- Loic Minier <[EMAIL PROTECTED]> Sat, 29 Jul 2006 16:54:48 +0200
+
gpdf (2.8.2-1.2sarge4) stable-security; urgency=high
* Non-maintainer upload by the Security Team
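Review bot: the new changelog entry names only the CVE; since the FoFiTrueType.cc change is a backport of the second hunk of post-3.4.1-kdegraphics-4.diff (kdegraphics 3.3.2-2sarge1, DSA-780-1) and the stable upload is tracked as bug #334454, cite the origin and the bug number in the entry so that a later reader of the sarge5 changelog can find where the check came from.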
only in patch2:
unchanged:
--- gpdf-2.8.2.orig/fofi/FoFiTrueType.cc
+++ gpdf-2.8.2/fofi/FoFiTrueType.cc
@@ -1343,6 +1343,26 @@
return;
}
+ // make sure the loca table is sane (correct length and entries are
+ // in bounds)
+ i = seekTable("loca");
+ if (tables[i].len < (nGlyphs + 1) * (locaFmt ? 4 : 2)) {
+ parsedOk = gFalse;
+ return;
+ }
+ for (j = 0; j <= nGlyphs; ++j) {
+ if (locaFmt) {
+ pos = (int)getU32BE(tables[i].offset + j*4, &parsedOk);
+ } else {
+ pos = getU16BE(tables[i].offset + j*2, &parsedOk);
+ }
+ if (pos < 0 || pos > len) {
+ parsedOk = gFalse;
+ }
+ }
+ if (!parsedOk) {
+ return;
+
// read the post table
readPostTable();
if (!parsedOk) {
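Review bot: the `if (!parsedOk) {` block at the end of this hunk (`+ if (!parsedOk) {` / `+ return;` / `+`) is never closed, so FoFiTrueType.cc will not compile as posted; the kdegraphics copy of the same hunk further down has the closing `+ }` before the blank line, and the header here (`+1343,26` versus `+1343,27` there, with 20 added lines visible) is consistent with exactly that one line being absent from the gpdf diff. Add the `+ }` line and regenerate the diff (or bump the header to `@@ -1343,6 +1343,27 @@`); once it is restored the two hunks are identical, so the remarks on the kdegraphics copy below apply here as well.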
Index: kpdf/xpdf/xpdf/SplashOutputDev.cc
===================================================================
--- kpdf/xpdf/xpdf/SplashOutputDev.cc (revision 439200)
+++ kpdf/xpdf/xpdf/SplashOutputDev.cc (working copy)
@@ -621,16 +621,19 @@
}
break;
case fontTrueType:
- if (!(ff = FoFiTrueType::load(fileName->getCString()))) {
- goto err2;
+ if ((ff = FoFiTrueType::load(fileName->getCString()))) {
+ codeToGID = ((Gfx8BitFont *)gfxFont)->getCodeToGIDMap(ff);
+ n = 256;
+ delete ff;
+ } else {
+ codeToGID = NULL;
+ n = 0;
}
- codeToGID = ((Gfx8BitFont *)gfxFont)->getCodeToGIDMap(ff);
- delete ff;
if (!(fontFile = fontEngine->loadTrueTypeFont(
id,
fileName->getCString(),
fileName == tmpFileName,
- codeToGID, 256))) {
+ codeToGID, n))) {
error(-1, "Couldn't create a font for '%s'",
gfxFont->getName() ? gfxFont->getName()->getCString()
: "(unnamed)");
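Review bot: this hunk is not carried into the proposed gpdf_2.8.2-1.2sarge5.diff, which contains only the FoFiTrueType.cc change; confirm whether gpdf's SplashOutputDev.cc (or its equivalent) still has the `goto err2` on a failed `FoFiTrueType::load()` and whether the kdegraphics behaviour is wanted there too. Note what the new else branch changes: a font that fails the new loca check is no longer rejected at err2 but handed to `loadTrueTypeFont()` with `codeToGID = NULL` and `n = 0`, so the font engine must be known to tolerate a NULL map of length 0 before this is backported.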
Index: kpdf/xpdf/fofi/FoFiTrueType.cc
===================================================================
--- kpdf/xpdf/fofi/FoFiTrueType.cc (revision 439200)
+++ kpdf/xpdf/fofi/FoFiTrueType.cc (working copy)
@@ -1343,6 +1343,27 @@
return;
}
+ // make sure the loca table is sane (correct length and entries are
+ // in bounds)
+ i = seekTable("loca");
+ if (tables[i].len < (nGlyphs + 1) * (locaFmt ? 4 : 2)) {
+ parsedOk = gFalse;
+ return;
+ }
+ for (j = 0; j <= nGlyphs; ++j) {
+ if (locaFmt) {
+ pos = (int)getU32BE(tables[i].offset + j*4, &parsedOk);
+ } else {
+ pos = getU16BE(tables[i].offset + j*2, &parsedOk);
+ }
+ if (pos < 0 || pos > len) {
+ parsedOk = gFalse;
+ }
+ }
+ if (!parsedOk) {
+ return;
+ }
+
// read the post table
readPostTable();
if (!parsedOk) {
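Review bot: for the short loca format (`locaFmt == 0`) the 16-bit entry is the glyph offset divided by two (TrueType spec), so comparing the raw `pos` against `len` still admits real offsets up to `2 * len`; use `pos * 2` in that branch, or bound the entries by the glyf table's length rather than the file length. Also, `i = seekTable("loca")` indexes `tables[i]` without checking for a negative return; if the earlier required-table check in parse() does not already guarantee a loca table, this reads before the array. Minor: the loop keeps scanning after the first bad entry although the result is already decided; a `break` after `parsedOk = gFalse;` would avoid walking all nGlyphs entries of a font that is going to be rejected anyway.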
--- End Message ---
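The loca sanity check that the FoFiTrueType.cc hunks above add, as a stand-alone C program written for this page; it is not code from gpdf, kpdf or xpdf and it does not reuse their types. It parses a TrueType table directory, reads numGlyphs from maxp and indexToLocFormat from head, and then applies the two tests from the hunk: loca must hold nGlyphs + 1 entries, and every entry must point inside the file. It goes beyond the hunk in two stated ways: every directory entry is first checked to lie within the file, and short-format entries are doubled because the spec stores them as offset/2. The fonts it checks are constructed inline (head, maxp and loca only) and are not real fonts; build_font() and verdict() exist only for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { char tag[4]; uint32_t offset, len; } tt_table;  /* directory entry */

/* Big-endian readers that clear *ok instead of reading past the buffer,
 * in the spirit of FoFiTrueType's getU16BE/getU32BE + parsedOk. */
static uint32_t get_u16(const uint8_t *b, size_t flen, size_t pos, int *ok) {
    if (pos + 2 > flen) { *ok = 0; return 0; }
    return ((uint32_t)b[pos] << 8) | b[pos + 1];
}
static uint32_t get_u32(const uint8_t *b, size_t flen, size_t pos, int *ok) {
    uint32_t hi = get_u16(b, flen, pos, ok), lo = get_u16(b, flen, pos + 2, ok);
    return (hi << 16) | lo;
}
static void put_u16(uint8_t *b, size_t pos, uint32_t v) { b[pos] = (uint8_t)(v >> 8); b[pos + 1] = (uint8_t)v; }
static void put_u32(uint8_t *b, size_t pos, uint32_t v) { put_u16(b, pos, v >> 16); put_u16(b, pos + 2, v); }

static int seek_table(const tt_table *t, uint32_t n, const char *tag) {
    for (uint32_t i = 0; i < n; ++i)
        if (memcmp(t[i].tag, tag, 4) == 0) return (int)i;
    return -1;   /* absent: the caller must check this, unlike the hunks above */
}

/* Returns 1 if the font's loca table is sane, 0 otherwise. Mirrors the two
 * tests added in the FoFiTrueType.cc hunks, plus the extras marked below. */
int loca_is_sane(const uint8_t *font, size_t flen) {
    tt_table tables[16];
    int ok = 1;
    uint32_t nTables = get_u16(font, flen, 4, &ok);
    if (!ok || nTables > 16) return 0;
    for (uint32_t i = 0; i < nTables; ++i) {
        size_t rec = 12 + 16 * (size_t)i;            /* tag, checksum, offset, length */
        if (rec + 16 > flen) return 0;
        memcpy(tables[i].tag, font + rec, 4);
        tables[i].offset = get_u32(font, flen, rec + 8, &ok);
        tables[i].len = get_u32(font, flen, rec + 12, &ok);
        /* extra: the table itself must lie within the file */
        if (!ok || tables[i].offset > flen || tables[i].len > flen - tables[i].offset) return 0;
    }
    int head = seek_table(tables, nTables, "head"), maxp = seek_table(tables, nTables, "maxp"),
        loca = seek_table(tables, nTables, "loca");
    if (head < 0 || maxp < 0 || loca < 0) return 0;
    uint32_t nGlyphs = get_u16(font, flen, tables[maxp].offset + 4, &ok);   /* maxp.numGlyphs */
    uint32_t locaFmt = get_u16(font, flen, tables[head].offset + 50, &ok);  /* head.indexToLocFormat */
    if (!ok) return 0;
    uint32_t entSize = locaFmt ? 4 : 2;
    /* (1) loca must hold nGlyphs + 1 entries: the hunk's length test */
    if (tables[loca].len < (nGlyphs + 1) * entSize) return 0;
    /* (2) each entry must point inside the file; extra: short entries store offset/2 */
    for (uint32_t j = 0; j <= nGlyphs; ++j) {
        size_t p = tables[loca].offset + (size_t)j * entSize;
        uint64_t pos = locaFmt ? get_u32(font, flen, p, &ok) : 2u * get_u16(font, flen, p, &ok);
        if (!ok || pos > flen) return 0;
    }
    return 1;
}

/* Constructed (not real) font with head, maxp and loca only; entries[] fills
 * loca up to locaLen bytes. Returns the total length written. */
size_t build_font(uint8_t *buf, size_t cap, uint32_t nGlyphs, uint32_t locaFmt,
                  const uint32_t *entries, uint32_t nEntries, uint32_t locaLen) {
    const size_t HEAD = 60, MAXP = 114, LOCA = 120, total = LOCA + locaLen;
    if (total > cap) return 0;
    memset(buf, 0, total);
    put_u32(buf, 0, 0x00010000);                    /* sfnt version */
    put_u16(buf, 4, 3);                             /* numTables */
    memcpy(buf + 12, "head", 4); put_u32(buf, 20, HEAD); put_u32(buf, 24, 54);
    memcpy(buf + 28, "maxp", 4); put_u32(buf, 36, MAXP); put_u32(buf, 40, 6);
    memcpy(buf + 44, "loca", 4); put_u32(buf, 52, LOCA); put_u32(buf, 56, locaLen);
    put_u16(buf, HEAD + 50, locaFmt);               /* indexToLocFormat */
    put_u16(buf, MAXP + 4, nGlyphs);                /* numGlyphs */
    for (uint32_t j = 0; j < nEntries; ++j) {
        size_t p = LOCA + (size_t)j * (locaFmt ? 4 : 2);
        if (p + (locaFmt ? 4 : 2) > total) break;   /* do not write past loca's end */
        if (locaFmt) put_u32(buf, p, entries[j]); else put_u16(buf, p, entries[j]);
    }
    return total;
}

/* Build a 4-glyph-entry font and return loca_is_sane()'s verdict; `trim`
 * bytes are cut from the end to simulate a file shorter than its directory claims. */
int verdict(uint32_t locaFmt, const uint32_t *entries, uint32_t locaLen, size_t trim) {
    uint8_t buf[256];
    size_t n = build_font(buf, sizeof buf, 3, locaFmt, entries, 4, locaLen);
    return n > trim && loca_is_sane(buf, n - trim);
}

const uint32_t good[] = {0, 10, 20, 30}, bad[] = {0, 10, 20, 5000};

int main(void) {
    printf("sane short=%d sane long=%d truncated loca=%d entry past EOF=%d loca past EOF=%d\n",
           verdict(0, good, 8, 0), verdict(1, good, 16, 0), verdict(0, good, 4, 0),
           verdict(0, bad, 8, 0), verdict(0, good, 8, 4));
    return 0;
}
```

The "truncated loca" case is the one the hunk's length test catches (a 4-byte loca for a font that declares 3 glyphs and so needs 8); "entry past EOF" is the one its bounds loop catches; "loca past EOF" is only caught because this example also checks the directory entries against the file length, which the hunk leaves to earlier code in parse().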