GLSA Advocate
Posted: Sun Feb 12, 2006 7:26 pm
Post subject: [ GLSA 200602-04 ] Xpdf, Poppler: Heap overflow
Gentoo Linux Security Advisory
Title: Xpdf, Poppler: Heap overflow (GLSA 200602-04)
Severity: normal
Exploitable: remote
Date: February 12, 2006
Bug(s): #120985
ID: 200602-04
Synopsis
Xpdf and Poppler are vulnerable to a heap overflow that may be exploited to execute arbitrary code.
Background
Xpdf is a PDF file viewer that runs under the X Window System. Poppler is a PDF rendering library based on the Xpdf 3.0 code base.
Affected Packages
Package: app-text/xpdf
Vulnerable: < 3.01-r7
Unaffected: >= 3.01-r7
Architectures: All supported architectures
Package: app-text/poppler
Vulnerable: < 0.5.0-r4
Unaffected: >= 0.5.0-r4
Architectures: All supported architectures
Description
Dirk Mueller has reported a vulnerability in Xpdf. It is caused by a missing boundary check in the splash rasterizer engine when handling PDF splash images with overly large dimensions.
Impact
By sending a specially crafted PDF file to a victim, an attacker could cause an overflow, potentially resulting in the execution of arbitrary code with the privileges of the user running the application.
Workaround
There is no known workaround at this time.
Resolution
All Xpdf users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/xpdf-3.01-r7"
All Poppler users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/poppler-0.5.0-r4"
References
CVE-2006-0301
Last edited by GLSA on Sun May 07, 2006 5:00 pm; edited 1 time in total
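To check an inventory of installed versions against the "Affected Packages" thresholds above, the following sketch classifies each entry. It is an added example, not part of the advisory or of Gentoo's tooling. The function names `ver_lt` and `glsa_status` are hypothetical, the version comparison is simplified to dotted numbers plus an optional `-rN` revision, and the sample inventory is constructed.

```shell
#!/bin/sh
# Added example: classify package versions against GLSA 200602-04.
# Assumption: versions are dotted numbers with an optional Gentoo "-rN"
# revision (e.g. 3.01-r7). Suffixes such as _p1 or _rc2 are not handled,
# and components are compared as plain integers.

# ver_lt A B: exit 0 when version A is strictly older than version B.
ver_lt() {
    a=${1%-r*}; b=${2%-r*}; ar=0; br=0
    case $1 in *-r*) ar=${1##*-r} ;; esac
    case $2 in *-r*) br=${2##*-r} ;; esac
    # Walk the dotted components left to right; a missing one counts as 0.
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap=${a%%.*}; bp=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${ap:-0}" -lt "${bp:-0}" ] && return 0
        [ "${ap:-0}" -gt "${bp:-0}" ] && return 1
    done
    # Upstream versions are equal: the ebuild revision decides.
    [ "$ar" -lt "$br" ]
}

# glsa_status PKG VERSION: print vulnerable, unaffected or not-listed,
# using the first unaffected versions stated in the advisory.
glsa_status() {
    case $1 in
        app-text/xpdf)    fixed=3.01-r7 ;;
        app-text/poppler) fixed=0.5.0-r4 ;;
        *) echo not-listed; return 0 ;;
    esac
    if ver_lt "$2" "$fixed"; then echo vulnerable; else echo unaffected; fi
}

# Constructed sample inventory (package, installed version), not host data.
while read -r pkg ver; do
    printf '%s-%s: %s\n' "$pkg" "$ver" "$(glsa_status "$pkg" "$ver")"
done <<'EOF'
app-text/xpdf 3.01-r6
app-text/xpdf 3.01-r7
app-text/poppler 0.4.5
app-text/poppler 0.5.0-r10
EOF
```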