SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   teTeX Vendors:   Esser, Thomas
(Mandrake Issues Fix for tetex) Xpdf Integer Overflows in indexHigh and pageSize May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1012740
SecurityTracker URL:  http://securitytracker.com/id/1012740
CVE Reference:   CVE-2004-0888, CVE-2004-0889, CVE-2005-0206   (Links to External Site)
Date:  Dec 31 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Some integer overflows were reported in Xpdf. A remote user may be able to execute arbitrary code on a target user's system. Tetex is affected.

Several vendors reported that there are integer overflows in Xpdf. A remote user can create a specially crafted PDF file that, when viewed by the target user, may execute arbitrary code.

The flaws reside in 'pdftops/Catalog.cc' and 'pdftops/XRef.cc'. A specially crafted Index color size (indexHigh) or Page size can trigger the overflow.

Chris Evans is credited with discovering these flaws.

CUPS, the Common UNIX Printing System, is also affected because it includes Xpdf.

Impact:   A remote user may be able to execute arbitrary code on a target user's system when the target user loads a malformed PDF file.
Solution:   Mandrake has released a fix.

Mandrakelinux 10.0:
c75d7af8ac2efc11d6fdc0df6809304d 10.0/RPMS/jadetex-3.12-93.1.100mdk.i586.rpm
a38628da7c17a028cdec59064f842b9e 10.0/RPMS/tetex-2.0.2-14.1.100mdk.i586.rpm
39b6affec6f818446309590bfaff7002 10.0/RPMS/tetex-afm-2.0.2-14.1.100mdk.i586.rpm
eb1f62b9fb1306018f466537a52ebd08 10.0/RPMS/tetex-context-2.0.2-14.1.100mdk.i586.rpm
9fecc8b2559fbd0cacd8883471060ec7 10.0/RPMS/tetex-devel-2.0.2-14.1.100mdk.i586.rpm
3d9a926734a4c4693da46e94d96e367b 10.0/RPMS/tetex-doc-2.0.2-14.1.100mdk.i586.rpm
f9cb43a4c44048d8f52359da684bec30 10.0/RPMS/tetex-dvilj-2.0.2-14.1.100mdk.i586.rpm
be176389f8d2e1edbc935b3aaf489f50 10.0/RPMS/tetex-dvipdfm-2.0.2-14.1.100mdk.i586.rpm
fffe1cb5015310963d60d7881097bda9 10.0/RPMS/tetex-dvips-2.0.2-14.1.100mdk.i586.rpm
724424998639f66d0be41f27af7978e5 10.0/RPMS/tetex-latex-2.0.2-14.1.100mdk.i586.rpm
ebde42e85a62ab73f7fdf2af4e0e49ce 10.0/RPMS/tetex-mfwin-2.0.2-14.1.100mdk.i586.rpm
e2eca42c115c5540e26ca702b074bf70 10.0/RPMS/tetex-texi2html-2.0.2-14.1.100mdk.i586.rpm
19529166e556b87854401791f567f686 10.0/RPMS/tetex-xdvi-2.0.2-14.1.100mdk.i586.rpm
38ebef2194ed1c8950364bd1af24eb56 10.0/RPMS/xmltex-1.9-41.1.100mdk.i586.rpm
637514fe15251ebb39b6d5ec65514b83 10.0/SRPMS/tetex-2.0.2-14.1.100mdk.src.rpm

Mandrakelinux 10.0/AMD64:
a741143c6f70869701db3682f618e35b amd64/10.0/RPMS/jadetex-3.12-93.1.100mdk.amd64.rpm
6c2504e7a92f17b132bfe709ebf5a25d amd64/10.0/RPMS/tetex-2.0.2-14.1.100mdk.amd64.rpm
b24f02a98b1d3f04881f12d692323a95 amd64/10.0/RPMS/tetex-afm-2.0.2-14.1.100mdk.amd64.rpm
23031051edd62f7b59b33335d1c8846f amd64/10.0/RPMS/tetex-context-2.0.2-14.1.100mdk.amd64.rpm
a19d8eaf80260fdfb701634cdcf8bf34 amd64/10.0/RPMS/tetex-devel-2.0.2-14.1.100mdk.amd64.rpm
8eae31a5c2f2430fdf7a6f07318465aa amd64/10.0/RPMS/tetex-doc-2.0.2-14.1.100mdk.amd64.rpm
dc91e4c7222a2078c61850972020c19b amd64/10.0/RPMS/tetex-dvilj-2.0.2-14.1.100mdk.amd64.rpm
a7200a22447c42371c23ff5ee586df2c amd64/10.0/RPMS/tetex-dvipdfm-2.0.2-14.1.100mdk.amd64.rpm
245d5423d50adf60a9d05c3bc0868122 amd64/10.0/RPMS/tetex-dvips-2.0.2-14.1.100mdk.amd64.rpm
3a0369fc158cfe813e97feff9c64ddd0 amd64/10.0/RPMS/tetex-latex-2.0.2-14.1.100mdk.amd64.rpm
ada985d1330877120cff9f907d30c265 amd64/10.0/RPMS/tetex-mfwin-2.0.2-14.1.100mdk.amd64.rpm
d8604cec79664570994cbba838fbda87 amd64/10.0/RPMS/tetex-texi2html-2.0.2-14.1.100mdk.amd64.rpm
886d233a3b4ce5246f57843a7e13fd88 amd64/10.0/RPMS/tetex-xdvi-2.0.2-14.1.100mdk.amd64.rpm
fec3aaa15684f4cefb08c150b4dc3e40 amd64/10.0/RPMS/xmltex-1.9-41.1.100mdk.amd64.rpm
637514fe15251ebb39b6d5ec65514b83 amd64/10.0/SRPMS/tetex-2.0.2-14.1.100mdk.src.rpm

Mandrakelinux 10.1:
c018bb4c0dd71bc00e30d9bf8f9355ac 10.1/RPMS/jadetex-3.12-98.1.101mdk.i586.rpm
8766ee73c6f53ea2a7c73065d0737e6a 10.1/RPMS/tetex-2.0.2-19.1.101mdk.i586.rpm
0f8b27c62be9dffbd24aafefaa91ae14 10.1/RPMS/tetex-afm-2.0.2-19.1.101mdk.i586.rpm
fe4e007ba5d1a2ff5582b8f3ac37f107 10.1/RPMS/tetex-context-2.0.2-19.1.101mdk.i586.rpm
b51e30366aa2d0f6705cd9f47b4cc8eb 10.1/RPMS/tetex-devel-2.0.2-19.1.101mdk.i586.rpm
bfd9a1fae367b94f84bddc47a664f145 10.1/RPMS/tetex-doc-2.0.2-19.1.101mdk.i586.rpm
2006a5e5a0ab239aabc72ec1cc317ba8 10.1/RPMS/tetex-dvilj-2.0.2-19.1.101mdk.i586.rpm
13a8fbae47c079bf25ae14fc00a04eff 10.1/RPMS/tetex-dvipdfm-2.0.2-19.1.101mdk.i586.rpm
0b940e4b1a5dcb9a4319603ae7c2e60c 10.1/RPMS/tetex-dvips-2.0.2-19.1.101mdk.i586.rpm
93a9e10c4481d4849fbd34b5603e732a 10.1/RPMS/tetex-latex-2.0.2-19.1.101mdk.i586.rpm
64c8858d00ca93aa0bd56e46ff760705 10.1/RPMS/tetex-mfwin-2.0.2-19.1.101mdk.i586.rpm
0c6e7741dd217fe289f938ffde385b89 10.1/RPMS/tetex-texi2html-2.0.2-19.1.101mdk.i586.rpm
2d59aa6f98604f55336a62c22abbe3dc 10.1/RPMS/tetex-xdvi-2.0.2-19.1.101mdk.i586.rpm
b57e279bbb4ed20851c75ff00e8251ed 10.1/RPMS/xmltex-1.9-46.1.101mdk.i586.rpm
026aa0fa94c518da4f3659364bee2891 10.1/SRPMS/tetex-2.0.2-19.1.101mdk.src.rpm

Mandrakelinux 10.1/X86_64:
c570889cca89def0d7495fae7cbb4397 x86_64/10.1/RPMS/jadetex-3.12-98.1.101mdk.x86_64.rpm
79c2039c46a7a0b9e12e49d58446a050 x86_64/10.1/RPMS/tetex-2.0.2-19.1.101mdk.x86_64.rpm
c88b323db95603cf2df6e4f9bda9a502 x86_64/10.1/RPMS/tetex-afm-2.0.2-19.1.101mdk.x86_64.rpm
482670da1f161fd0eed8da70d1ae2dad x86_64/10.1/RPMS/tetex-context-2.0.2-19.1.101mdk.x86_64.rpm
64977b808c06865f42836c10a2383b41 x86_64/10.1/RPMS/tetex-devel-2.0.2-19.1.101mdk.x86_64.rpm
1f47fea865ec6e17ec67e110dee27942 x86_64/10.1/RPMS/tetex-doc-2.0.2-19.1.101mdk.x86_64.rpm
b65a9afac21bba71f0c92e45b2de86b7 x86_64/10.1/RPMS/tetex-dvilj-2.0.2-19.1.101mdk.x86_64.rpm
ac830cecbb2f9bb08a6f21bd63182cae x86_64/10.1/RPMS/tetex-dvipdfm-2.0.2-19.1.101mdk.x86_64.rpm
53896fe3fb471adb5d79b8fa1b5155ff x86_64/10.1/RPMS/tetex-dvips-2.0.2-19.1.101mdk.x86_64.rpm
c9074ea704ed1677cdbd496279ee14aa x86_64/10.1/RPMS/tetex-latex-2.0.2-19.1.101mdk.x86_64.rpm
bf5c86b54feb8d667150b926a60d2bbf x86_64/10.1/RPMS/tetex-mfwin-2.0.2-19.1.101mdk.x86_64.rpm
51598825f27f549b4e2d0d8b748532a5 x86_64/10.1/RPMS/tetex-texi2html-2.0.2-19.1.101mdk.x86_64.rpm
05e68143337cfdd882012b1950ae7c53 x86_64/10.1/RPMS/tetex-xdvi-2.0.2-19.1.101mdk.x86_64.rpm
d4a3f7a1a21c333b97cb117cf8f69194 x86_64/10.1/RPMS/xmltex-1.9-46.1.101mdk.x86_64.rpm
026aa0fa94c518da4f3659364bee2891 x86_64/10.1/SRPMS/tetex-2.0.2-19.1.101mdk.src.rpm

Vendor URL:  www.tug.org/teTeX/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Mandriva/Mandrake)
Underlying OS Comments:  10.0, 10.1

Message History:   This archive entry is a follow-up to the message listed below.
Oct 21 2004 Xpdf Integer Overflows in indexHigh and pageSize May Let Remote Users Execute Arbitrary Code



 Source Message Contents

Subject:  [Security Announce] MDKSA-2004:166 - Updated tetex packages fix


This is a multi-part message in MIME format...

------------=_1104384276-1122-7549

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           tetex
 Advisory ID:            MDKSA-2004:166
 Date:                   December 29th, 2004

 Affected versions:	 10.0, 10.1
 ______________________________________________________________________

 Problem Description:

 Chris Evans discovered numerous vulnerabilities in the xpdf package,
 which also effect software using embedded xpdf code, such as tetex
 (CAN-2004-0888).
 
 Multiple integer overflow issues affecting xpdf-2.0 and xpdf-3.0.
 Also programs like tetex which have embedded versions of xpdf.
 These can result in writing an arbitrary byte to an attacker controlled
 location which probably could lead to arbitrary code execution. 
 
 iDefense also reported a buffer overflow vulnerability, which affects 
 versions of xpdf <= xpdf-3.0 and several programs, like tetex, which use
 embedded xpdf code. An attacker could construct a malicious payload file
 which could enable arbitrary code execution on the target system
 (CAN-2004-1125).
 
 The updated packages are patched to protect against these
 vulnerabilities.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0888
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1125
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 c75d7af8ac2efc11d6fdc0df6809304d  10.0/RPMS/jadetex-3.12-93.1.100mdk.i586.rpm
 a38628da7c17a028cdec59064f842b9e  10.0/RPMS/tetex-2.0.2-14.1.100mdk.i586.rpm
 39b6affec6f818446309590bfaff7002  10.0/RPMS/tetex-afm-2.0.2-14.1.100mdk.i586.rpm
 eb1f62b9fb1306018f466537a52ebd08  10.0/RPMS/tetex-context-2.0.2-14.1.100mdk.i586.rpm
 9fecc8b2559fbd0cacd8883471060ec7  10.0/RPMS/tetex-devel-2.0.2-14.1.100mdk.i586.rpm
 3d9a926734a4c4693da46e94d96e367b  10.0/RPMS/tetex-doc-2.0.2-14.1.100mdk.i586.rpm
 f9cb43a4c44048d8f52359da684bec30  10.0/RPMS/tetex-dvilj-2.0.2-14.1.100mdk.i586.rpm
 be176389f8d2e1edbc935b3aaf489f50  10.0/RPMS/tetex-dvipdfm-2.0.2-14.1.100mdk.i586.rpm
 fffe1cb5015310963d60d7881097bda9  10.0/RPMS/tetex-dvips-2.0.2-14.1.100mdk.i586.rpm
 724424998639f66d0be41f27af7978e5  10.0/RPMS/tetex-latex-2.0.2-14.1.100mdk.i586.rpm
 ebde42e85a62ab73f7fdf2af4e0e49ce  10.0/RPMS/tetex-mfwin-2.0.2-14.1.100mdk.i586.rpm
 e2eca42c115c5540e26ca702b074bf70  10.0/RPMS/tetex-texi2html-2.0.2-14.1.100mdk.i586.rpm
 19529166e556b87854401791f567f686  10.0/RPMS/tetex-xdvi-2.0.2-14.1.100mdk.i586.rpm
 38ebef2194ed1c8950364bd1af24eb56  10.0/RPMS/xmltex-1.9-41.1.100mdk.i586.rpm
 637514fe15251ebb39b6d5ec65514b83  10.0/SRPMS/tetex-2.0.2-14.1.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 a741143c6f70869701db3682f618e35b  amd64/10.0/RPMS/jadetex-3.12-93.1.100mdk.amd64.rpm
 6c2504e7a92f17b132bfe709ebf5a25d  amd64/10.0/RPMS/tetex-2.0.2-14.1.100mdk.amd64.rpm
 b24f02a98b1d3f04881f12d692323a95  amd64/10.0/RPMS/tetex-afm-2.0.2-14.1.100mdk.amd64.rpm
 23031051edd62f7b59b33335d1c8846f  amd64/10.0/RPMS/tetex-context-2.0.2-14.1.100mdk.amd64.rpm
 a19d8eaf80260fdfb701634cdcf8bf34  amd64/10.0/RPMS/tetex-devel-2.0.2-14.1.100mdk.amd64.rpm
 8eae31a5c2f2430fdf7a6f07318465aa  amd64/10.0/RPMS/tetex-doc-2.0.2-14.1.100mdk.amd64.rpm
 dc91e4c7222a2078c61850972020c19b  amd64/10.0/RPMS/tetex-dvilj-2.0.2-14.1.100mdk.amd64.rpm
 a7200a22447c42371c23ff5ee586df2c  amd64/10.0/RPMS/tetex-dvipdfm-2.0.2-14.1.100mdk.amd64.rpm
 245d5423d50adf60a9d05c3bc0868122  amd64/10.0/RPMS/tetex-dvips-2.0.2-14.1.100mdk.amd64.rpm
 3a0369fc158cfe813e97feff9c64ddd0  amd64/10.0/RPMS/tetex-latex-2.0.2-14.1.100mdk.amd64.rpm
 ada985d1330877120cff9f907d30c265  amd64/10.0/RPMS/tetex-mfwin-2.0.2-14.1.100mdk.amd64.rpm
 d8604cec79664570994cbba838fbda87  amd64/10.0/RPMS/tetex-texi2html-2.0.2-14.1.100mdk.amd64.rpm
 886d233a3b4ce5246f57843a7e13fd88  amd64/10.0/RPMS/tetex-xdvi-2.0.2-14.1.100mdk.amd64.rpm
 fec3aaa15684f4cefb08c150b4dc3e40  amd64/10.0/RPMS/xmltex-1.9-41.1.100mdk.amd64.rpm
 637514fe15251ebb39b6d5ec65514b83  amd64/10.0/SRPMS/tetex-2.0.2-14.1.100mdk.src.rpm

 Mandrakelinux 10.1:
 c018bb4c0dd71bc00e30d9bf8f9355ac  10.1/RPMS/jadetex-3.12-98.1.101mdk.i586.rpm
 8766ee73c6f53ea2a7c73065d0737e6a  10.1/RPMS/tetex-2.0.2-19.1.101mdk.i586.rpm
 0f8b27c62be9dffbd24aafefaa91ae14  10.1/RPMS/tetex-afm-2.0.2-19.1.101mdk.i586.rpm
 fe4e007ba5d1a2ff5582b8f3ac37f107  10.1/RPMS/tetex-context-2.0.2-19.1.101mdk.i586.rpm
 b51e30366aa2d0f6705cd9f47b4cc8eb  10.1/RPMS/tetex-devel-2.0.2-19.1.101mdk.i586.rpm
 bfd9a1fae367b94f84bddc47a664f145  10.1/RPMS/tetex-doc-2.0.2-19.1.101mdk.i586.rpm
 2006a5e5a0ab239aabc72ec1cc317ba8  10.1/RPMS/tetex-dvilj-2.0.2-19.1.101mdk.i586.rpm
 13a8fbae47c079bf25ae14fc00a04eff  10.1/RPMS/tetex-dvipdfm-2.0.2-19.1.101mdk.i586.rpm
 0b940e4b1a5dcb9a4319603ae7c2e60c  10.1/RPMS/tetex-dvips-2.0.2-19.1.101mdk.i586.rpm
 93a9e10c4481d4849fbd34b5603e732a  10.1/RPMS/tetex-latex-2.0.2-19.1.101mdk.i586.rpm
 64c8858d00ca93aa0bd56e46ff760705  10.1/RPMS/tetex-mfwin-2.0.2-19.1.101mdk.i586.rpm
 0c6e7741dd217fe289f938ffde385b89  10.1/RPMS/tetex-texi2html-2.0.2-19.1.101mdk.i586.rpm
 2d59aa6f98604f55336a62c22abbe3dc  10.1/RPMS/tetex-xdvi-2.0.2-19.1.101mdk.i586.rpm
 b57e279bbb4ed20851c75ff00e8251ed  10.1/RPMS/xmltex-1.9-46.1.101mdk.i586.rpm
 026aa0fa94c518da4f3659364bee2891  10.1/SRPMS/tetex-2.0.2-19.1.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 c570889cca89def0d7495fae7cbb4397  x86_64/10.1/RPMS/jadetex-3.12-98.1.101mdk.x86_64.rpm
 79c2039c46a7a0b9e12e49d58446a050  x86_64/10.1/RPMS/tetex-2.0.2-19.1.101mdk.x86_64.rpm
 c88b323db95603cf2df6e4f9bda9a502  x86_64/10.1/RPMS/tetex-afm-2.0.2-19.1.101mdk.x86_64.rpm
 482670da1f161fd0eed8da70d1ae2dad  x86_64/10.1/RPMS/tetex-context-2.0.2-19.1.101mdk.x86_64.rpm
 64977b808c06865f42836c10a2383b41  x86_64/10.1/RPMS/tetex-devel-2.0.2-19.1.101mdk.x86_64.rpm
 1f47fea865ec6e17ec67e110dee27942  x86_64/10.1/RPMS/tetex-doc-2.0.2-19.1.101mdk.x86_64.rpm
 b65a9afac21bba71f0c92e45b2de86b7  x86_64/10.1/RPMS/tetex-dvilj-2.0.2-19.1.101mdk.x86_64.rpm
 ac830cecbb2f9bb08a6f21bd63182cae  x86_64/10.1/RPMS/tetex-dvipdfm-2.0.2-19.1.101mdk.x86_64.rpm
 53896fe3fb471adb5d79b8fa1b5155ff  x86_64/10.1/RPMS/tetex-dvips-2.0.2-19.1.101mdk.x86_64.rpm
 c9074ea704ed1677cdbd496279ee14aa  x86_64/10.1/RPMS/tetex-latex-2.0.2-19.1.101mdk.x86_64.rpm
 bf5c86b54feb8d667150b926a60d2bbf  x86_64/10.1/RPMS/tetex-mfwin-2.0.2-19.1.101mdk.x86_64.rpm
 51598825f27f549b4e2d0d8b748532a5  x86_64/10.1/RPMS/tetex-texi2html-2.0.2-19.1.101mdk.x86_64.rpm
 05e68143337cfdd882012b1950ae7c53  x86_64/10.1/RPMS/tetex-xdvi-2.0.2-19.1.101mdk.x86_64.rpm
 d4a3f7a1a21c333b97cb117cf8f69194  x86_64/10.1/RPMS/xmltex-1.9-46.1.101mdk.x86_64.rpm
 026aa0fa94c518da4f3659364bee2891  x86_64/10.1/SRPMS/tetex-2.0.2-19.1.101mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFB04IjmqjQ0CJFipgRAnLEAKC/lfie9g5e2HZGprNrOZ1pi0lJgwCePMX/
ZXvynzlNfLqzeWIL6cXFEPI=
=B+Xl
-----END PGP SIGNATURE-----


------------=_1104384276-1122-7549
Content-Type: text/plain; name="message.footer"
Content-Disposition: inline; filename="message.footer"
Content-Transfer-Encoding: 8bit

____________________________________________________
Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com
Join the Club : http://www.mandrakeclub.com
____________________________________________________

------------=_1104384276-1122-7549--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC