Xpdf Bugs in streams and t1lib Let Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1018905 |
|
SecurityTracker URL: http://securitytracker.com/id/1018905
|
|
CVE Reference:
CVE-2007-4033, CVE-2007-4352, CVE-2007-5392, CVE-2007-5393
(Links to External Site)
|
Date: Nov 7 2007
|
Impact:
Execution of arbitrary code via network, User access via network
|
Vendor Confirmed: Yes
|
Version(s): 3.02
|
Description:
Several vulnerabilities were reported in Xpdf. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create a specially crafted PDF file that, when loaded by the target user, will execute arbitrary code on the target system. The code will run with the privileges of the target user.
A specially crafted Type 1 font filename can trigger a flaw in the t1lib library and cause code execution [CVE-2007-4033]
Specially crafted data can trigger a memory corruption error in the DCTStream::readProgressiveDataUnit() function in 'xpdf/Stream.cc' [CVE-2007-4352].
Specially crafted data can trigger an integer overflow in the DCTStream::reset() function in 'xpdf/Stream.cc' [CVE-2007-5392].
A specially crafted CCITTFaxDecode filter can trigger a heap overflow in the CCITTFaxStream::lookChar() function in 'xpdf/Stream.cc' [CVE-2007-5393].
The vendor was notified on October 17, 2007.
Alin Rad Pop of Secunia Research reported three of these vulnerabilities. r0ut3r discovered one of these vulnerabilities.
|
Impact:
A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.foolabs.com/xpdf/ (Links to External Site)
|
Cause:
Access control error, Boundary error
|
Underlying OS:
Linux (Any), Windows (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Wed, 07 Nov 2007 16:42:22 +0100
Subject: Secunia Research: Xpdf "Stream.cc" Multiple Vulnerabilities
|
======================================================================
Secunia Research 07/11/2007
- Xpdf "Stream.cc" Multiple Vulnerabilities -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10
======================================================================
1) Affected Software
* Xpdf 3.02 with xpdf-3.02pl1.patch.
NOTE: Other versions may also be affected.
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: Remote
======================================================================
3) Vendor's Description of Software
"Xpdf is an open source viewer for Portable Document Format (PDF)
files. (These are also sometimes also called 'Acrobat' files, from the
name of Adobe's PDF software.) The Xpdf project also includes a PDF
text extractor, PDF-to-PostScript converter, and various other
utilities.".
Product Link:
http://www.foolabs.com/xpdf/
======================================================================
4) Description of Vulnerabilities
Secunia Research has discovered some vulnerabilities in Xpdf, which can
be exploited by malicious people to compromise a user's system.
1) An array indexing error within the
"DCTStream::readProgressiveDataUnit()" method in xpdf/Stream.cc can be
exploited to corrupt memory via a specially crafted PDF file.
2) An integer overflow error within the "DCTStream::reset()" method in
xpdf/Stream.cc can be exploited to cause a heap-based buffer overflow
via a specially crafted PDF file.
3) A boundary error within the "CCITTFaxStream::lookChar()" method in
xpdf/Stream.cc can be exploited to cause a heap-based buffer overflow
by tricking a user into opening a PDF file containing a specially
crafted "CCITTFaxDecode" filter.
Successful exploitation may allow execution of arbitrary code.
======================================================================
5) Solution
Do not open untrusted PDF files.
The vendor is reportedly working on a patch.
======================================================================
6) Time Table
17/10/2007 - Vendor notified.
22/10/2007 - vendor-sec notified.
19/10/2007 - Vendor response.
07/11/2007 - Public disclosure.
======================================================================
7) Credits
Discovered by Alin Rad Pop, Secunia Research.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned the
following CVE identifiers:
* CVE-2007-4352 ("DCTStream::readProgressiveDataUnit()")
* CVE-2007-5392 ("DCTStream::reset()")
* CVE-2007-5393 ("CCITTFaxStream::lookChar()")
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://corporate.secunia.com/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://corporate.secunia.com/secunia_research/33/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/secunia_vacancies/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/secunia_security_advisories/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2007-88/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
|
|
