Package: gpdf
Severity: grave
Tags: security sarge sid

This problem also affects gpdf:
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0064
Reference: IDEFENSE:20050118 Multiple Unix/Linux Vendor Xpdf makeFileKey2 Stack Overflow
Reference: URL:http://www.idefense.com/application/poi/display?id=186&type=vulnerabilities
Reference: CONFIRM:ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl3.patch

Buffer overflow in the Decrypt::makeFileKey2 function in Decrypt.cc for xpdf 3.00 and earlier allows remote attackers to execute arbitrary code via a PDF file with a large /Encrypt /Length keyLength value.

You'll find the patch in the source of xpdf 3.00-12, which I'm attaching.

Regards,

Joey

--
Ten years and still binary compatible. -- XFree86

Please always Cc to me when replying to me on the lists.
diff -u xpdf-3.00/debian/changelog xpdf-3.00/debian/changelog --- xpdf-3.00/debian/changelog +++ xpdf-3.00/debian/changelog @@ -1,3 +1,12 @@ +xpdf (3.00-12) unstable; urgency=high + + * SECURITY UPDATE: Fixed buffer overflow that could overwrite the stack + and hence cause the execution of arbitrary code as reported by + iDEFENSE (xpdf/Decrypt.cc) + * References: CAN-2005-0064 + + -- Hamish Moffatt <[EMAIL PROTECTED]> Wed, 19 Jan 2005 23:48:56 +1100 + xpdf (3.00-11) unstable; urgency=high * SECURITY UPDATE: fix potential buffer overflow only in patch2: --- xpdf-3.00.orig/xpdf/Decrypt.cc +++ xpdf-3.00/xpdf/Decrypt.cc @@ -73,6 +73,11 @@ Guchar fx, fy; int len, i, j; + // check whether we have non-zero keyLength + if ( !keyLength ) { + return gFalse; + } + // try using the supplied owner password to generate the user password *ownerPasswordOk = gFalse; if (ownerPassword) { @@ -98,7 +103,7 @@ } else { memcpy(test2, ownerKey->getCString(), 32); for (i = 19; i >= 0; --i) { - for (j = 0; j < keyLength; ++j) { + for (j = 0; j < keyLength && j < 16; ++j) { tmpKey[j] = test[j] ^ i; } rc4InitKey(tmpKey, keyLength, fState); @@ -135,6 +140,11 @@ int len, i, j; GBool ok; + // check whether we have non-zero keyLength + if ( !keyLength ) { + return gFalse; + } + // generate file key buf = (Guchar *)gmalloc(68 + fileID->getLength()); if (userPassword) { @@ -172,7 +182,7 @@ } else if (encRevision == 3) { memcpy(test, userKey->getCString(), 32); for (i = 19; i >= 0; --i) { - for (j = 0; j < keyLength; ++j) { + for (j = 0; j < keyLength && j < 16; ++j) { tmpKey[j] = fileKey[j] ^ i; } rc4InitKey(tmpKey, keyLength, fState);
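Review bot: the changelog entry names the file but not the cause; since the advisory is about an oversized /Encrypt /Length keyLength and the patch touches both key-derivation paths in Decrypt.cc, one line saying so (e.g. "reject zero keyLength and bound the key-whitening loops to the 16-byte key buffers") would let a reader judge the fix without reading the diff.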
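Review bot: in the first Decrypt.cc hunk (@@ -73,6 +73,11 @@), the new `if ( !keyLength ) { return gFalse; }` only rejects a zero key length, while the reported overflow comes from a keyLength larger than the 16-byte key buffers; an upper bound belongs in the same check, e.g. `if (keyLength < 1 || keyLength > 16) return gFalse;`, which would also make the later `j < 16` loop clamps unnecessary. Style: the surrounding code writes `if (ownerPassword) {` without inner spaces.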
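Review bot: in the hunk @@ -98,7 +103,7 @@, clamping the loop to `j < keyLength && j < 16` stops the write past tmpKey, but the `rc4InitKey(tmpKey, keyLength, fState);` two lines below still receives the unclamped keyLength, so for keyLength > 16 the RC4 key setup reads past the 16 bytes the loop filled. Clamp or reject keyLength itself before this point rather than only bounding the loop index, so the length passed to rc4InitKey matches the bytes actually written.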
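Review bot: the hunk @@ -135,6 +140,11 @@ repeats the zero-only check in the second function, so the same remark applies: an upper bound of 16 on keyLength here would cover the oversized-length case the advisory describes, and it avoids relying on each downstream loop to remember its own clamp. The two identical checks also suggest a single validation at the point where keyLength is computed from /Length would be cleaner than one per function.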
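Review bot: in the hunk @@ -172,7 +182,7 @@, as in the earlier loop, `for (j = 0; j < keyLength && j < 16; ++j)` bounds the writes to tmpKey but the following `rc4InitKey(tmpKey, keyLength, fState);` still uses the unclamped keyLength, so an over-read of tmpKey remains possible for keyLength > 16; the fix should bound keyLength itself (or reject it) before both the loop and the rc4InitKey call.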
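As an added example (not xpdf's code and not part of the patch), the validation a defender would want applied to the /Encrypt /Length value before it reaches the key-derivation loops, so that the bound is enforced once instead of inside each loop. The helper names and the 16-byte key buffer are assumptions; the revision rules follow the PDF standard security handler (40 bits for revision 2, 40 to 128 bits in multiples of 8 for revision 3).

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical helper, not xpdf code. /Length is given in bits: revision 2
 * keys are fixed at 40 bits, revision 3 allows 40..128 bits in multiples
 * of 8. Returns the key length in bytes, or -1 for any value that could
 * not be a legitimate key length (including the oversized /Length from
 * the advisory), so the 16-byte key buffers can never be overrun. */
#define MAX_KEY_BYTES 16

int validated_key_length(int encRevision, int lengthBits)
{
    if (encRevision == 2)
        return 5;                          /* 40 bits, /Length is not used */
    if (encRevision != 3)
        return -1;                         /* unsupported revision */
    if (lengthBits < 40 || lengthBits > 128 || (lengthBits % 8) != 0)
        return -1;                         /* out of range or not whole bytes */
    return lengthBits / 8;                 /* 5..16 bytes, always fits */
}

/* Hypothetical restatement of the revision-3 key-whitening step that the
 * patch clamps. The length is checked up front, so the loop uses keyLength
 * directly and an RC4 key setup called afterwards would receive a length
 * that matches the bytes actually written into tmpKey. */
bool derive_iteration_key(const uint8_t *fileKey, int keyLength, int i,
                          uint8_t tmpKey[MAX_KEY_BYTES])
{
    if (keyLength < 1 || keyLength > MAX_KEY_BYTES)
        return false;                      /* refuse before touching the buffer */
    for (int j = 0; j < keyLength; ++j)
        tmpKey[j] = fileKey[j] ^ (uint8_t)i;
    return true;
}

/* Constructed sample file key and scratch buffer for a self-check. */
static const uint8_t SAMPLE_FILE_KEY[MAX_KEY_BYTES] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10 };
static uint8_t scratch_key[MAX_KEY_BYTES];
```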