Bug#1011333: /usr/bin/pdftosrc: CVE-2021-27548 - null-pointer dereference in XFAScanner::scanNode used by pdftosrc
Hi Hilmar,

On Fri, May 20, 2022 at 03:57:46PM +0200, Hilmar Preuße wrote:
> On 20.05.2022 at 11:16, Neil Williams wrote:
>
> Hello Neil,
>
> > texlive-binaries in unstable, experimental and bookworm embeds
> > xpdfreader 4.03 and the code is exposed via the pdftosrc binary.
> >
> > The PoC file from the CVE triggers a segmentation fault in pdftosrc.
> > pdftosrc from bullseye (correctly) reports a broken PDF without
> > crashing as texlive-binaries in bullseye embeds xpdfreader 4.02.
> >
> I could simply copy the appropriate commit from upstream [1] and put it into
> our package. The package still builds and it seems to solve the issue (see
> below). I'd do another upload to experimental and upload TL 2022 (containing
> the fix) to unstable in about 2 weeks.
>
> Would the time frame be OK for you?

FWIW, this sounds reasonable and just defer the fix to be fixed with the
new upstream version when landing in unstable.

Regards,
Salvatore
Bug#1011333: /usr/bin/pdftosrc: CVE-2021-27548 - null-pointer dereference in XFAScanner::scanNode used by pdftosrc
On 20.05.2022 at 11:16, Neil Williams wrote:

Hello Neil,

> texlive-binaries in unstable, experimental and bookworm embeds
> xpdfreader 4.03 and the code is exposed via the pdftosrc binary.
>
> The PoC file from the CVE triggers a segmentation fault in pdftosrc.
> pdftosrc from bullseye (correctly) reports a broken PDF without
> crashing as texlive-binaries in bullseye embeds xpdfreader 4.02.

I could simply copy the appropriate commit from upstream [1] and put it into
our package. The package still builds and it seems to solve the issue (see
below). I'd do another upload to experimental and upload TL 2022 (containing
the fix) to unstable in about 2 weeks.

Would the time frame be OK for you?

Hilmar

hille@sid-amd64:~/devel/TeXLive$ ./pdftosrc file.pdf
pdftosrc version 4.04
libxpdf: Syntax Error (92917): Command token too long
libxpdf: Syntax Error (93045): Command token too long
libxpdf: Syntax Error (93173): Command token too long
libxpdf: Syntax Error: Couldn't read xref table
libxpdf: Syntax Warning: PDF file is damaged - attempting to reconstruct xref table...
No SourceObject found

[1] https://github.com/TeX-Live/texlive-source/commit/b20034c3cf23f813a70cb60de8e1761a443f5fbf.patch
--
sigfault
Bug#1011333: /usr/bin/pdftosrc: CVE-2021-27548 - null-pointer dereference in XFAScanner::scanNode used by pdftosrc
Package: texlive-binaries
Version: 2022.20220321.62855-1
Severity: important
File: /usr/bin/pdftosrc
Tags: security
X-Debbugs-Cc: codeh...@debian.org, Debian Security Team

texlive-binaries in unstable, experimental and bookworm embeds
xpdfreader 4.03 and the code is exposed via the pdftosrc binary.

The PoC file from the CVE triggers a segmentation fault in pdftosrc.
pdftosrc from bullseye (correctly) reports a broken PDF without
crashing as texlive-binaries in bullseye embeds xpdfreader 4.02.

https://sources.debian.org/src/texlive-bin/2021.20210626.59705-1/libs/xpdf/ChangeLog/
https://sources.debian.org/src/texlive-bin/2021.20210626.59705-1/libs/xpdf/xpdf-src/xpdf/XFAScanner.cc/?hl=243#L243

The following vulnerability was published for texlive-binaries.

CVE-2021-27548[0]:
| There is a Null Pointer Dereference vulnerability in the
| XFAScanner::scanNode() function in XFAScanner.cc in xpdf 4.03.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-27548
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27548

Please adjust the affected versions in the BTS as needed.
-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-2-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages texlive-binaries depends on:
ii  libc6           2.34-0experimental2
ii  libcairo2       1.16.0-5
ii  libfontconfig1  2.13.1-4.4
ii  libfreetype6    2.12.1+dfsg-1
ii  libgcc-s1       12.1.0-2
ii  libgraphite2-3  1.3.14-1
ii  libharfbuzz0b   2.7.4-1+b1
ii  libicu71        71.1-3
ii  libkpathsea6    2022.20220321.62855-1
ii  libmpfr6        4.1.0-3
ii  libpaper1       1.1.28+b1
ii  libpixman-1-0   0.40.0-1
ii  libpng16-16     1.6.37-5
ii  libptexenc1     2022.20220321.62855-1
ii  libstdc++6      12.1.0-2
ii  libsynctex2     2022.20220321.62855-1
ii  libteckit0      2.5.11+ds1-1
ii  libtexlua53     2022.20220321.62855-1
ii  libtexluajit2   2022.20220321.62855-1
ii  libx11-6        2:1.7.5-1
ii  libxaw7         2:1.0.14-1
ii  libxi6          2:1.8-1
ii  libxmu6         2:1.1.3-3
ii  libxpm4         1:3.5.12-1
ii  libxt6          1:1.2.1-1
ii  libzzip-0-13    0.13.72+dfsg.1-1.1
ii  perl            5.34.0-4
ii  t1utils         1.41-4
ii  tex-common      6.17
ii  zlib1g          1:1.2.11.dfsg-4

Versions of packages texlive-binaries recommends:
ii  dvisvgm       2.13.4-1
ii  texlive-base  2021.20220204-1

texlive-binaries suggests no packages.

-- no debconf information