Hi, I intend to NMU this bug since xpdf is the last package which is vulnerable to this poppler bug. The attached patch fixes this issue.
It will also be archived on:
http://people.debian.org/~nion/nmu-diff/xpdf-3.02-1.1_3.02-1.2.patch

Kind regards
Nico

--
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u xpdf-3.02/debian/patches/00list xpdf-3.02/debian/patches/00list --- xpdf-3.02/debian/patches/00list +++ xpdf-3.02/debian/patches/00list @@ -20,2 +20,2 @@ -# Fix CVE-2007-3387 -post-3.5.7-kdegraphics-CVE-2007-3387.diff.dpatch +# Fix CVE-2007-3387 and CVE-2007-5049 +fix-CVE-2007-3387_CVE-2007-5049.dpatch reverted: --- xpdf-3.02/debian/patches/post-3.5.7-kdegraphics-CVE-2007-3387.diff.dpatch +++ xpdf-3.02.orig/debian/patches/post-3.5.7-kdegraphics-CVE-2007-3387.diff.dpatch @@ -1,25 +0,0 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## post-3.5.7-kdegraphics-CVE-2007-3387.diff.dpatch -## -## All lines beginning with `## DP:' are a description of the patch. -## DP: Fix integer overflow in the StreamPredictor::StreamPredictor -## function - [EMAIL PROTECTED]@ -Index: kpdf/xpdf/xpdf/Stream.cc -=================================================================== ---- kpdf/xpdf/xpdf/Stream.cc (revision 689574) -+++ xpdf-3.02/xpdf/Stream.cc (working copy) -@@ -411,9 +411,9 @@ StreamPredictor::StreamPredictor(Stream - - nVals = width * nComps; - if (width <= 0 || nComps <= 0 || nBits <= 0 || -- nComps >= INT_MAX / nBits || -- width >= INT_MAX / nComps / nBits || -- nVals * nBits + 7 < 0) { -+ nComps > gfxColorMaxComps || nBits > 16 || -+ width >= INT_MAX / nComps || -+ nVals >= (INT_MAX - 7) / nBits) { - return; - } - pixBytes = (nComps * nBits + 7) >> 3; diff -u xpdf-3.02/debian/changelog xpdf-3.02/debian/changelog --- xpdf-3.02/debian/changelog +++ xpdf-3.02/debian/changelog 
@@ -1,3 +1,13 @@ +xpdf (3.02-1.2) unstable; urgency=high + + * Non-maintainer upload by testing security team. + * Removed post-3.5.7-kdegraphics-CVE-2007-3387.diff.dpatch and + created fix-CVE-2007-3387_CVE-2007-5049.dpatch to have a fix + for CVE-2007-3387 and a buffer overflow in GetNextLine() + (CVE-2007-5049) since they are related (Closes: #443906). + + -- Nico Golde <[EMAIL PROTECTED]> Thu, 27 Sep 2007 12:05:46 +0200 + xpdf (3.02-1.1) unstable; urgency=high * Non-maintainer upload with permission of the maintainer only in patch2: unchanged: --- xpdf-3.02.orig/debian/patches/fix-CVE-2007-3387_CVE-2007-5049.dpatch +++ xpdf-3.02/debian/patches/fix-CVE-2007-3387_CVE-2007-5049.dpatch @@ -0,0 +1,31 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## fix-CVE-2007-3387_CVE-2007-5049.dpatch by Nico Golde <[EMAIL PROTECTED]> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + [EMAIL PROTECTED]@ +diff -urNad xpdf-3.02~/xpdf/Stream.cc xpdf-3.02/xpdf/Stream.cc +--- xpdf-3.02~/xpdf/Stream.cc 2007-02-27 23:05:52.000000000 +0100 ++++ xpdf-3.02/xpdf/Stream.cc 2007-09-27 12:04:52.000000000 +0200 +@@ -410,15 +410,13 @@ + ok = gFalse; + + nVals = width * nComps; +- if (width <= 0 || nComps <= 0 || nBits <= 0 || +- nComps >= INT_MAX / nBits || +- width >= INT_MAX / nComps / nBits || +- nVals * nBits + 7 < 0) { +- return; +- } + pixBytes = (nComps * nBits + 7) >> 3; + rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; +- if (rowBytes <= 0) { ++ if (width <= 0 || nComps <= 0 || nBits <= 0 || ++ nComps > gfxColorMaxComps || ++ nBits > 16 || ++ width >= INT_MAX / nComps || // check for overflow in nVals ++ nVals >= (INT_MAX - 7) / nBits) { // check for overflow in rowBytes + return; + } + predLine = (Guchar *)gmalloc(rowBytes);
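Review bot: the debian/changelog entry describes CVE-2007-5049 as "a buffer overflow in GetNextLine()", but the only source change carried by fix-CVE-2007-3387_CVE-2007-5049.dpatch is the hunk at `@@ -410,15 +410,13 @@` in xpdf/Stream.cc, the same location the removed dpatch labelled `StreamPredictor::StreamPredictor`. No hunk in this diff touches a function called GetNextLine(). Either the changelog should name the function the patch actually changes, or the hunk for GetNextLine() is missing from the upload and should be added before this closes #443906.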
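Review bot: in the Stream.cc hunk of the new dpatch, the range check now runs after `nVals = width * nComps`, `pixBytes = (nComps * nBits + 7) >> 3` and `rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes` have already been evaluated, so the multiplications that `width >= INT_MAX / nComps` and `nVals >= (INT_MAX - 7) / nBits` are commented as guarding have already happened on unchecked `int` values when the test is reached. Signed overflow there is undefined behaviour, and the second test compares an `nVals` that may itself be the wrapped product. The early `return` keeps the bad `rowBytes` away from `gmalloc(rowBytes)`, but it would be cleaner to validate `width`, `nComps` and `nBits` first and compute `nVals`, `pixBytes` and `rowBytes` only after the check passes. The old `rowBytes <= 0` test is dropped without comment; if the new bounds are meant to make it unnecessary, a short comment saying so would help the next reader. Separately, the header still reads `## DP: No description.` while the dpatch it replaces had a description; please fill it in with the two CVE ids the file name refers to.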