diff -Nru xpdf-3.02/debian/changelog xpdf-3.02/debian/changelog --- xpdf-3.02/debian/changelog 2009-12-07 19:35:22.000000000 -0500 +++ xpdf-3.02/debian/changelog 2010-02-06 19:49:28.000000000 -0500 @@ -1,3 +1,50 @@ +xpdf (3.02-2+nmu1) unstable; urgency=high + + * Non-maintainer upload by the security team. + * Fixes multiple security issues (closes: #551287). + - CVE-2009-1188: + Integer overflow in the JBIG2 decoding feature in the + SplashBitmap::SplashBitmap function in SplashBitmap.cc in Xpdf 3.x + before 3.02pl4 and Poppler before 0.10.6, as used in GPdf and + kdegraphics KPDF, allows remote attackers to execute arbitrary code or + cause a denial of service (application crash) via a crafted PDF + document. + - CVE-2009-3603: + Integer overflow in the SplashBitmap::SplashBitmap function in Xpdf + 3.x before 3.02pl4 and Poppler before 0.12.1 might allow remote + attackers to execute arbitrary code via a crafted PDF document that + triggers a heap-based buffer overflow. NOTE: some of these details are + obtained from third party information. NOTE: this issue reportedly + exists because of an incomplete fix for CVE-2009-1188. + - CVE-2009-3604: + The Splash::drawImage function in Splash.cc in Xpdf 2.x and 3.x before + 3.02pl4, and Poppler 0.x, as used in GPdf and kdegraphics KPDF, does + not properly allocate memory, which allows remote attackers to cause a + denial of service (application crash) or possibly execute arbitrary + code via a crafted PDF document that triggers a NULL pointer + dereference or a heap-based buffer overflow. + - CVE-2009-3606: + Integer overflow in the PSOutputDev::doImageL1Sep function in Xpdf + before 3.02pl4, and Poppler 0.x, as used in kdegraphics KPDF, might + allow remote attackers to execute arbitrary code via a crafted PDF + document that triggers a heap-based buffer overflow. + - CVE-2009-3608: + Integer overflow in the ObjectStream::ObjectStream function in XRef.cc + in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, + kdegraphics KPDF, CUPS pdftops, and teTeX, might allow remote + attackers to execute arbitrary code via a crafted PDF document that + triggers a heap-based buffer overflow. + - CVE-2009-3609: + Integer overflow in the ImageStream::ImageStream function in Stream.cc + in Xpdf before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, + kdegraphics KPDF, and CUPS pdftops, allows remote attackers to cause a + denial of service (application crash) via a crafted PDF document that + triggers a NULL pointer dereference or buffer over-read. + * Make use of ${misc:Depends}. + * Bump standards to version 3.8.4 (no changes required). + + -- Michael Gilbert Sat, 06 Feb 2010 19:26:01 -0500 + xpdf (3.02-2) unstable; urgency=low * debian/copyright: diff -Nru xpdf-3.02/debian/control xpdf-3.02/debian/control --- xpdf-3.02/debian/control 2009-12-07 19:39:33.000000000 -0500 +++ xpdf-3.02/debian/control 2010-02-06 19:47:33.000000000 -0500 @@ -2,7 +2,7 @@ Section: text Priority: optional Maintainer: Hamish Moffatt -Standards-Version: 3.8.3 +Standards-Version: 3.8.4 Build-Depends: autoconf, automake, debhelper (>= 5), lesstif2-dev (>= 1:0.95.0) | libmotif-dev, libfreetype6-dev (>= 2.1.2), libpaper-dev | libpaperg-dev, libt1-dev (>= 5.0.2), libx11-dev, @@ -13,7 +13,7 @@ Package: xpdf Architecture: all -Depends: xpdf-reader, xpdf-utils, xpdf-common +Depends: xpdf-reader, xpdf-utils, xpdf-common, ${misc:Depends} Conflicts: xpdf-i (<= 0.90-8) Replaces: xpdf-i (<= 0.90-8) Description: Portable Document Format (PDF) suite @@ -29,6 +29,7 @@ Package: xpdf-common Architecture: all +Depends: ${misc:Depends} Conflicts: xpdf (<= 0.93-6), xpdf-cyrillic, xpdf-greek, xpdf-hebrew, xpdf-latin2, xpdf-thai, xpdf-turkish Replaces: xpdf-cyrillic, xpdf-greek, xpdf-hebrew, xpdf-latin2, @@ -43,7 +44,7 @@ Package: xpdf-reader Architecture: any -Depends: ${shlibs:Depends}, gsfonts (>= 6.0-1), +Depends: ${shlibs:Depends}, ${misc:Depends}, gsfonts (>= 6.0-1), xpdf-common (>= ${source:Version}), xpdf-common (<< ${source:Version}.1~), xpdf-utils | poppler-utils Provides: pdf-viewer, postscript-preview @@ -65,7 +66,7 @@ Package: xpdf-utils Architecture: any -Depends: ${shlibs:Depends}, gsfonts (>= 6.0-1), +Depends: ${shlibs:Depends}, ${misc:Depends}, gsfonts (>= 6.0-1), xpdf-common (>= ${source:Version}), xpdf-common (<< ${source:Version}.1~) Provides: pdf-viewer, postscript-preview, poppler-utils Conflicts: xpdf-i (<= 0.90-8), xpdf (<= 0.93-6), poppler-utils diff -Nru xpdf-3.02/debian/patches/series xpdf-3.02/debian/patches/series --- xpdf-3.02/debian/patches/series 2009-12-07 19:41:37.000000000 -0500 +++ xpdf-3.02/debian/patches/series 2010-02-06 19:45:59.000000000 -0500 @@ -46,3 +46,5 @@ bug_408502_message_5.mbox xpdf-zoom-height.patch #slideshow.patch.2 + +xpdf-3.02pl4.patch diff -Nru xpdf-3.02/debian/patches/xpdf-3.02pl4.patch xpdf-3.02/debian/patches/xpdf-3.02pl4.patch --- xpdf-3.02/debian/patches/xpdf-3.02pl4.patch 1969-12-31 19:00:00.000000000 -0500 +++ xpdf-3.02/debian/patches/xpdf-3.02pl4.patch 2010-02-06 20:07:29.000000000 -0500 @@ -0,0 +1,208 @@ +diff -urN xpdf-3.02-orig/splash/SplashBitmap.cc xpdf-3.02/splash/SplashBitmap.cc +--- xpdf-3.02-orig/splash/SplashBitmap.cc 2010-02-06 19:41:22.000000000 -0500 ++++ xpdf-3.02/splash/SplashBitmap.cc 2010-02-06 19:43:19.000000000 -0500 +@@ -11,6 +11,7 @@ + #endif + + #include ++#include + #include "gmem.h" + #include "SplashErrorCodes.h" + #include "SplashBitmap.h" +@@ -27,30 +28,48 @@ + mode = modeA; + switch (mode) { + case splashModeMono1: +- rowSize = (width + 7) >> 3; ++ if (width > 0) { ++ rowSize = (width + 7) >> 3; ++ } else { ++ rowSize = -1; ++ } + break; + case splashModeMono8: +- rowSize = width; ++ if (width > 0) { ++ rowSize = width; ++ } else { ++ rowSize = -1; ++ } + break; + case splashModeRGB8: + case splashModeBGR8: +- rowSize = width * 3; ++ if (width > 0 && width <= INT_MAX / 3) { ++ rowSize = width * 3; ++ } else { ++ rowSize = -1; ++ } + break; + #if SPLASH_CMYK + case splashModeCMYK8: +- rowSize = width * 4; ++ if (width > 0 && width <= INT_MAX / 4) { ++ rowSize = width * 4; ++ } else { ++ rowSize = -1; ++ } + break; + #endif + } +- rowSize += rowPad - 1; +- rowSize -= rowSize % rowPad; +- data = (SplashColorPtr)gmalloc(rowSize * height); ++ if (rowSize > 0) { ++ rowSize += rowPad - 1; ++ rowSize -= rowSize % rowPad; ++ } ++ data = (SplashColorPtr)gmallocn(height, rowSize); + if (!topDown) { + data += (height - 1) * rowSize; + rowSize = -rowSize; + } + if (alphaA) { +- alpha = (Guchar *)gmalloc(width * height); ++ alpha = (Guchar *)gmallocn(width, height); + } else { + alpha = NULL; + } +diff -urN xpdf-3.02-orig/splash/Splash.cc xpdf-3.02/splash/Splash.cc +--- xpdf-3.02-orig/splash/Splash.cc 2010-02-06 19:41:22.000000000 -0500 ++++ xpdf-3.02/splash/Splash.cc 2010-02-06 19:43:19.000000000 -0500 +@@ -12,6 +12,7 @@ + + #include + #include ++#include + #include "gmem.h" + #include "SplashErrorCodes.h" + #include "SplashMath.h" +@@ -1912,7 +1913,10 @@ + xq = w % scaledWidth; + + // allocate pixel buffer +- pixBuf = (SplashColorPtr)gmalloc((yp + 1) * w); ++ if (yp < 0 || yp > INT_MAX - 1) { ++ return splashErrBadArg; ++ } ++ pixBuf = (SplashColorPtr)gmallocn(yp + 1, w); + + // initialize the pixel pipe + pipeInit(&pipe, 0, 0, state->fillPattern, NULL, state->fillAlpha, +@@ -2208,9 +2212,12 @@ + xq = w % scaledWidth; + + // allocate pixel buffers +- colorBuf = (SplashColorPtr)gmalloc((yp + 1) * w * nComps); ++ if (yp < 0 || yp > INT_MAX - 1 || w > INT_MAX / nComps) { ++ return splashErrBadArg; ++ } ++ colorBuf = (SplashColorPtr)gmallocn(yp + 1, w * nComps); + if (srcAlpha) { +- alphaBuf = (Guchar *)gmalloc((yp + 1) * w); ++ alphaBuf = (Guchar *)gmallocn(yp + 1, w); + } else { + alphaBuf = NULL; + } +diff -urN xpdf-3.02-orig/splash/SplashErrorCodes.h xpdf-3.02/splash/SplashErrorCodes.h +--- xpdf-3.02-orig/splash/SplashErrorCodes.h 2010-02-06 19:41:22.000000000 -0500 ++++ xpdf-3.02/splash/SplashErrorCodes.h 2010-02-06 19:43:19.000000000 -0500 +@@ -29,4 +29,6 @@ + + #define splashErrSingularMatrix 8 // matrix is singular + ++#define splashErrBadArg 9 // bad argument ++ + #endif +diff -urN xpdf-3.02-orig/xpdf/PSOutputDev.cc xpdf-3.02/xpdf/PSOutputDev.cc +--- xpdf-3.02-orig/xpdf/PSOutputDev.cc 2010-02-06 19:41:22.000000000 -0500 ++++ xpdf-3.02/xpdf/PSOutputDev.cc 2010-02-06 19:42:38.000000000 -0500 +@@ -4301,7 +4301,7 @@ + width, -height, height); + + // allocate a line buffer +- lineBuf = (Guchar *)gmalloc(4 * width); ++ lineBuf = (Guchar *)gmallocn(width, 4); + + // set up to process the data stream + imgStr = new ImageStream(str, width, colorMap->getNumPixelComps(), +diff -urN xpdf-3.02-orig/xpdf/Stream.cc xpdf-3.02/xpdf/Stream.cc +--- xpdf-3.02-orig/xpdf/Stream.cc 2010-02-06 19:41:22.000000000 -0500 ++++ xpdf-3.02/xpdf/Stream.cc 2010-02-06 19:42:38.000000000 -0500 +@@ -323,6 +323,10 @@ + } else { + imgLineSize = nVals; + } ++ if (width > INT_MAX / nComps) { ++ // force a call to gmallocn(-1,...), which will throw an exception ++ imgLineSize = -1; ++ } + imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar)); + imgIdx = nVals; + } +diff -urN xpdf-3.02-orig/xpdf/XRef.cc xpdf-3.02/xpdf/XRef.cc +--- xpdf-3.02-orig/xpdf/XRef.cc 2010-02-06 19:41:22.000000000 -0500 ++++ xpdf-3.02/xpdf/XRef.cc 2010-02-06 19:42:38.000000000 -0500 +@@ -52,6 +52,8 @@ + // generation 0. + ObjectStream(XRef *xref, int objStrNumA); + ++ GBool isOk() { return ok; } ++ + ~ObjectStream(); + + // Return the object number of this object stream. +@@ -67,6 +69,7 @@ + int nObjects; // number of objects in the stream + Object *objs; // the objects (length = nObjects) + int *objNums; // the object numbers (length = nObjects) ++ GBool ok; + }; + + ObjectStream::ObjectStream(XRef *xref, int objStrNumA) { +@@ -80,6 +83,7 @@ + nObjects = 0; + objs = NULL; + objNums = NULL; ++ ok = gFalse; + + if (!xref->fetch(objStrNum, 0, &objStr)->isStream()) { + goto err1; +@@ -105,6 +109,13 @@ + goto err1; + } + ++ // this is an arbitrary limit to avoid integer overflow problems ++ // in the 'new Object[nObjects]' call (Acrobat apparently limits ++ // object streams to 100-200 objects) ++ if (nObjects > 1000000) { ++ error(-1, "Too many objects in an object stream"); ++ goto err1; ++ } + objs = new Object[nObjects]; + objNums = (int *)gmallocn(nObjects, sizeof(int)); + offsets = (int *)gmallocn(nObjects, sizeof(int)); +@@ -161,10 +172,10 @@ + } + + gfree(offsets); ++ ok = gTrue; + + err1: + objStr.free(); +- return; + } + + ObjectStream::~ObjectStream() { +@@ -837,6 +848,11 @@ + delete objStr; + } + objStr = new ObjectStream(this, e->offset); ++ if (!objStr->isOk()) { ++ delete objStr; ++ objStr = NULL; ++ goto err; ++ } + } + objStr->getObject(e->gen, num, obj); + break;