SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   Xpdf Vendors:   Glyph and Cog
Xpdf Bugs in streams and t1lib Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1018905
SecurityTracker URL:  http://securitytracker.com/id/1018905
CVE Reference:   CVE-2007-4033, CVE-2007-4352, CVE-2007-5392, CVE-2007-5393   (Links to External Site)
Date:  Nov 7 2007
Impact:   Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  
Version(s): 3.02
Description:   Several vulnerabilities were reported in Xpdf. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create a specially crafted PDF file that, when loaded by the target user, will execute arbitrary code on the target system. The code will run with the privileges of the target user.

A specially crafted Type 1 font filename can trigger a flaw in the t1lib library and cause code execution [CVE-2007-4033]

Specially crafted data can trigger a memory corruption error in the DCTStream::readProgressiveDataUnit() function in 'xpdf/Stream.cc' [CVE-2007-4352].

Specially crafted data can trigger an integer overflow in the DCTStream::reset() function in 'xpdf/Stream.cc' [CVE-2007-5392].

A specially crafted CCITTFaxDecode filter can trigger a heap overflow in the CCITTFaxStream::lookChar() function in 'xpdf/Stream.cc' [CVE-2007-5393].

The vendor was notified on October 17, 2007.

Alin Rad Pop of Secunia Research reported three of these vulnerabilities. r0ut3r discovered one of these vulnerabilities.

Impact:   A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.foolabs.com/xpdf/ (Links to External Site)
Cause:   Access control error, Boundary error
Underlying OS:   Linux (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 7 2007 (Red Hat Issues Fix) Xpdf Bugs in streams and t1lib Let Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 3.
Nov 7 2007 (Red Hat Issues Fix) Xpdf Bugs in streams and t1lib Let Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 4.
Nov 8 2007 (Red Hat Issues Fix for CUPS) Xpdf Bugs in streams and t1lib Let Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix for CUPS on Red Hat Enterprise Linux 5.
Nov 8 2007 (Red Hat Issues Fix) Xpdf Bugs in streams and t1lib Let Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 2.1.
Nov 8 2007 (KDE Issues Fix for kpdf) Xpdf Bugs in streams and t1lib Let Remote Users Execute Arbitrary Code
KDE has issued a fix for KDE and KOffice.
Nov 8 2007 (Red Hat Issues Fix for gpdf) Xpdf Bugs in streams and t1lib Let Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix for gpdf on Red Hat Enterprise Linux 4.
Nov 8 2007 (Red Hat Issues Fix for poppler) Xpdf Bugs in streams and t1lib Let Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix for poppler on Red Hat Enterprise Linux 5.
Nov 8 2007 (Red Hat Issues Fix for tetex) Xpdf Bugs in streams and t1lib Let Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix for tetex on Red Hat Enterprise Linux 4 and 5.
Nov 8 2007 (Red Hat Issues Fix for tetex) Xpdf Bugs in streams and t1lib Let Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix for tetex on Red Hat Enterprise Linux 2.1 and 3.
Nov 12 2007 (Red Hat Issues Fix for kdegraphics) Xpdf Bugs in streams and t1lib Let Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix for kdegraphics for Red Hat Enterprise Linux 4.
Nov 12 2007 (Red Hat Issues Fix for kdegraphics) Xpdf Bugs in streams and t1lib Let Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix for kdegraphics on Red Hat Enterprise Linux 5.



 Source Message Contents

Date:  Wed, 07 Nov 2007 16:42:22 +0100
Subject:  Secunia Research: Xpdf "Stream.cc" Multiple Vulnerabilities

====================================================================== 

                     Secunia Research 07/11/2007

             - Xpdf "Stream.cc" Multiple Vulnerabilities -

====================================================================== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

====================================================================== 
1) Affected Software 

* Xpdf 3.02 with xpdf-3.02pl1.patch.

NOTE: Other versions may also be affected.

====================================================================== 
2) Severity 

Rating: Highly critical
Impact: System access
Where:  Remote

====================================================================== 
3) Vendor's Description of Software 

"Xpdf is an open source viewer for Portable Document Format (PDF)
files. (These are also sometimes also called 'Acrobat' files, from the
name of Adobe's PDF software.) The Xpdf project also includes a PDF
text extractor, PDF-to-PostScript converter, and various other
utilities.".

Product Link:
http://www.foolabs.com/xpdf/

====================================================================== 
4) Description of Vulnerabilities

Secunia Research has discovered some vulnerabilities in Xpdf, which can
be exploited by malicious people to compromise a user's system.

1) An array indexing error within the
"DCTStream::readProgressiveDataUnit()" method in xpdf/Stream.cc can be
exploited to corrupt memory via a specially crafted PDF file.

2) An integer overflow error within the "DCTStream::reset()" method in
xpdf/Stream.cc can be exploited to cause a heap-based buffer overflow
via a specially crafted PDF file.

3) A boundary error within the "CCITTFaxStream::lookChar()" method in
xpdf/Stream.cc can be exploited to cause a heap-based buffer overflow
by tricking a user into opening a PDF file containing a specially
crafted "CCITTFaxDecode" filter.

Successful exploitation may allow execution of arbitrary code.

====================================================================== 
5) Solution 

Do not open untrusted PDF files.

The vendor is reportedly working on a patch.

====================================================================== 
6) Time Table 

17/10/2007 - Vendor notified.
22/10/2007 - vendor-sec notified.
19/10/2007 - Vendor response.
07/11/2007 - Public disclosure.

====================================================================== 
7) Credits 

Discovered by Alin Rad Pop, Secunia Research.

====================================================================== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following CVE identifiers:
* CVE-2007-4352 ("DCTStream::readProgressiveDataUnit()")
* CVE-2007-5392 ("DCTStream::reset()")
* CVE-2007-5393 ("CCITTFaxStream::lookChar()")

====================================================================== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/ 

====================================================================== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2007-88/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC