Hi, I intend to NMU this bug since xpdf is the last package which is vulnerable to this poppler bug. The attached patch fixes this issue.
It will be also archived on: http://people.debian.org/~nion/nmu-diff/xpdf-3.02-1.1_3.02-1.2.patch Kind regards Nico -- Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u xpdf-3.02/debian/patches/00list xpdf-3.02/debian/patches/00list
--- xpdf-3.02/debian/patches/00list
+++ xpdf-3.02/debian/patches/00list
@@ -20,2 +20,2 @@
-# Fix CVE-2007-3387
-post-3.5.7-kdegraphics-CVE-2007-3387.diff.dpatch
+# Fix CVE-2007-3387 and CVE-2007-5049
+fix-CVE-2007-3387_CVE-2007-5049.dpatch
reverted:
--- xpdf-3.02/debian/patches/post-3.5.7-kdegraphics-CVE-2007-3387.diff.dpatch
+++ xpdf-3.02.orig/debian/patches/post-3.5.7-kdegraphics-CVE-2007-3387.diff.dpatch
@@ -1,25 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## post-3.5.7-kdegraphics-CVE-2007-3387.diff.dpatch
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Fix integer overflow in the StreamPredictor::StreamPredictor
-## function
-
[EMAIL PROTECTED]@
-Index: kpdf/xpdf/xpdf/Stream.cc
-===================================================================
---- kpdf/xpdf/xpdf/Stream.cc (revision 689574)
-+++ xpdf-3.02/xpdf/Stream.cc (working copy)
-@@ -411,9 +411,9 @@ StreamPredictor::StreamPredictor(Stream
-
- nVals = width * nComps;
- if (width <= 0 || nComps <= 0 || nBits <= 0 ||
-- nComps >= INT_MAX / nBits ||
-- width >= INT_MAX / nComps / nBits ||
-- nVals * nBits + 7 < 0) {
-+ nComps > gfxColorMaxComps || nBits > 16 ||
-+ width >= INT_MAX / nComps ||
-+ nVals >= (INT_MAX - 7) / nBits) {
- return;
- }
- pixBytes = (nComps * nBits + 7) >> 3;
diff -u xpdf-3.02/debian/changelog xpdf-3.02/debian/changelog
--- xpdf-3.02/debian/changelog
+++ xpdf-3.02/debian/changelog
@@ -1,3 +1,13 @@
+xpdf (3.02-1.2) unstable; urgency=high
+
+ * Non-maintainer upload by testing security team.
+ * Removed post-3.5.7-kdegraphics-CVE-2007-3387.diff.dpatch and
+ created fix-CVE-2007-3387_CVE-2007-5049.dpatch to have a fix
+ for CVE-2007-3387 and a buffer overflow in GetNextLine()
+ (CVE-2007-5049) since they are related (Closes: #443906).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Thu, 27 Sep 2007 12:05:46 +0200
+
xpdf (3.02-1.1) unstable; urgency=high
* Non-maintainer upload with permission of the maintainer
only in patch2:
unchanged:
--- xpdf-3.02.orig/debian/patches/fix-CVE-2007-3387_CVE-2007-5049.dpatch
+++ xpdf-3.02/debian/patches/fix-CVE-2007-3387_CVE-2007-5049.dpatch
@@ -0,0 +1,31 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## fix-CVE-2007-3387_CVE-2007-5049.dpatch by Nico Golde <[EMAIL PROTECTED]>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
[EMAIL PROTECTED]@
+diff -urNad xpdf-3.02~/xpdf/Stream.cc xpdf-3.02/xpdf/Stream.cc
+--- xpdf-3.02~/xpdf/Stream.cc 2007-02-27 23:05:52.000000000 +0100
++++ xpdf-3.02/xpdf/Stream.cc 2007-09-27 12:04:52.000000000 +0200
+@@ -410,15 +410,13 @@
+ ok = gFalse;
+
+ nVals = width * nComps;
+- if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+- nComps >= INT_MAX / nBits ||
+- width >= INT_MAX / nComps / nBits ||
+- nVals * nBits + 7 < 0) {
+- return;
+- }
+ pixBytes = (nComps * nBits + 7) >> 3;
+ rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
+- if (rowBytes <= 0) {
++ if (width <= 0 || nComps <= 0 || nBits <= 0 ||
++ nComps > gfxColorMaxComps ||
++ nBits > 16 ||
++ width >= INT_MAX / nComps || // check for overflow in nVals
++ nVals >= (INT_MAX - 7) / nBits) { // check for overflow in rowBytes
+ return;
+ }
+ predLine = (Guchar *)gmalloc(rowBytes);
pgpxn8p61MRMI.pgp
Description: PGP signature
