GLSA-202405-18 : Xpdf: Multiple Vulnerabilities

high Nessus Plugin ID 195087

Description

The remote host is affected by the vulnerability described in GLSA-202405-18 (Xpdf: Multiple Vulnerabilities)

- In Xpdf 4.02, SplashOutputDev::endType3Char(GfxState *state) SplashOutputDev.cc:3079 is trying to use the freed `t3GlyphStack->cache`, which causes an `heap-use-after-free` problem. The codes of a previous fix for nested Type 3 characters wasn't correctly handling the case where a Type 3 char referred to another char in the same Type 3 font. (CVE-2020-25725)

- Xpdf 4.02 allows stack consumption because of an incorrect subroutine reference in a Type 1C font charstring, related to the FoFiType1C::getOp() function. (CVE-2020-35376)

- There is a Null Pointer Dereference vulnerability in the XFAScanner::scanNode() function in XFAScanner.cc in xpdf 4.03. (CVE-2021-27548)

- In Xpdf prior to 4.04, the DCT (JPEG) decoder was incorrectly allowing the 'interleaved' flag to be changed after the first scan of the image, leading to an unknown integer-related vulnerability in Stream.cc. (CVE-2022-24106)

- Xpdf prior to 4.04 lacked an integer overflow check in JPXStream.cc. (CVE-2022-24107)

- xpdf 4.03 has heap buffer overflow in the function readXRefTable located in XRef.cc. An attacker can exploit this bug to cause a Denial of Service (Segmentation fault) or other unspecified effects by sending a crafted PDF file to the pdftoppm binary. (CVE-2022-27135)

- Xpdf prior to version 4.04 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIG2Stream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2021-30860 (Apple CoreGraphics). (CVE-2022-38171)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

All Xpdf users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose >=app-text/xpdf-4.04

See Also

https://security.gentoo.org/glsa/202405-18

https://bugs.gentoo.org/show_bug.cgi?id=755938

https://bugs.gentoo.org/show_bug.cgi?id=840873

Plugin Details

Severity: High

ID: 195087

File Name: gentoo_GLSA-202405-18.nasl

Version: 1.0

Type: local

Published: 5/7/2024

Updated: 5/7/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2020-35376

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2022-38171

Vulnerability Information

CPE: cpe:/o:gentoo:linux, p-cpe:/a:gentoo:linux:xpdf

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/7/2024

Vulnerability Publication Date: 11/21/2020

Reference Information

CVE: CVE-2020-25725, CVE-2020-35376, CVE-2021-27548, CVE-2022-24106, CVE-2022-24107, CVE-2022-27135, CVE-2022-38171