[Secure-testing-team] Bug#527449: swftools: multiple vulnerabilities in embedded copy of xpdf
Raphael Geissert
atomo64 at gmail.com
Thu May 7 15:37:46 UTC 2009
Package: swftools
Version: 0.8.1-1
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for swftools.
CVE-2007-3387[0]:
| Integer overflow in the StreamPredictor::StreamPredictor function in
| xpdf 3.02, as used in (1) poppler before 0.5.91, (2) gpdf before
| 2.8.2, (3) kpdf, (4) kdegraphics, (5) CUPS, (6) PDFedit, and other
| products, might allow remote attackers to execute arbitrary code via a
| crafted PDF file that triggers a stack-based buffer overflow in the
| StreamPredictor::getNextLine function.
CVE-2007-4352[1]:
| Array index error in the DCTStream::readProgressiveDataUnit method in
| xpdf/Stream.cc in Xpdf 3.02pl1, as used in poppler, teTeX, KDE,
| KOffice, CUPS, and other products, allows remote attackers to trigger
| memory corruption and execute arbitrary code via a crafted PDF file.
CVE-2007-5392[2]:
| Integer overflow in the DCTStream::reset method in xpdf/Stream.cc in
| Xpdf 3.02p11 allows remote attackers to execute arbitrary code via a
| crafted PDF file, resulting in a heap-based buffer overflow.
CVE-2007-5393[3]:
| Heap-based buffer overflow in the CCITTFaxStream::lookChar method in
| xpdf/Stream.cc in Xpdf 3.02p11 allows remote attackers to execute
| arbitrary code via a PDF file that contains a crafted CCITTFaxDecode
| filter.
CVE-2009-0146[4]:
| Multiple buffer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and
| earlier, CUPS 1.3.9 and earlier, and other products allow remote
| attackers to cause a denial of service (crash) via a crafted PDF file,
| related to (1) JBIG2SymbolDict::setBitmap and (2)
| JBIG2Stream::readSymbolDictSeg.
CVE-2009-0147[5]:
| Multiple integer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and
| earlier, CUPS 1.3.9 and earlier, and other products allow remote
| attackers to cause a denial of service (crash) via a crafted PDF file,
| related to (1) JBIG2Stream::readSymbolDictSeg, (2)
| JBIG2Stream::readSymbolDictSeg, and (3)
| JBIG2Stream::readGenericBitmap.
CVE-2009-0166[6]:
| The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier,
| and other products allows remote attackers to cause a denial of
| service (crash) via a crafted PDF file that triggers a free of
| uninitialized memory.
CVE-2009-0799[7]:
| The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier,
| Poppler before 0.10.6, and other products allows remote attackers to
| cause a denial of service (crash) via a crafted PDF file that triggers
| an out-of-bounds read.
CVE-2009-0800[8]:
| Multiple "input validation flaws" in the JBIG2 decoder in Xpdf 3.02pl2
| and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other
| products allow remote attackers to execute arbitrary code via a
| crafted PDF file.
CVE-2009-1179[9]:
| Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier,
| CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products
| allows remote attackers to execute arbitrary code via a crafted PDF
| file.
CVE-2009-1180[10]:
| The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier,
| Poppler before 0.10.6, and other products allows remote attackers to
| execute arbitrary code via a crafted PDF file that triggers a free of
| invalid data.
CVE-2009-1181[11]:
| The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier,
| Poppler before 0.10.6, and other products allows remote attackers to
| cause a denial of service (crash) via a crafted PDF file that triggers
| a NULL pointer dereference.
CVE-2009-1182[12]:
| Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf 3.02pl2 and
| earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other
| products allow remote attackers to execute arbitrary code via a
| crafted PDF file.
CVE-2009-1183[13]:
| The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and
| earlier, Poppler before 0.10.6, and other products allows remote
| attackers to cause a denial of service (infinite loop and hang) via a
| crafted PDF file.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
The patches for those vulnerabilities can be found in the following reports:
http://bugs.debian.org/524809
http://bugs.debian.org/450629
http://bugs.debian.org/435462
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387
http://security-tracker.debian.net/tracker/CVE-2007-3387
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4352
http://security-tracker.debian.net/tracker/CVE-2007-4352
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5392
http://security-tracker.debian.net/tracker/CVE-2007-5392
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5393
http://security-tracker.debian.net/tracker/CVE-2007-5393
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0146
http://security-tracker.debian.net/tracker/CVE-2009-0146
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0147
http://security-tracker.debian.net/tracker/CVE-2009-0147
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0166
http://security-tracker.debian.net/tracker/CVE-2009-0166
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0799
http://security-tracker.debian.net/tracker/CVE-2009-0799
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0800
http://security-tracker.debian.net/tracker/CVE-2009-0800
[9] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1179
http://security-tracker.debian.net/tracker/CVE-2009-1179
[10] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1180
http://security-tracker.debian.net/tracker/CVE-2009-1180
[11] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1181
http://security-tracker.debian.net/tracker/CVE-2009-1181
[12] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1182
http://security-tracker.debian.net/tracker/CVE-2009-1182
[13] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1183
http://security-tracker.debian.net/tracker/CVE-2009-1183
Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
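
The changelog request in the message above, as an added example that is not part of the original message: a shell check that the topmost `debian/changelog` entry names every CVE id listed in the report. The function names, the sample changelog, and its version strings, maintainer and dates are constructed for illustration.

```shell
# CVE ids taken from the report above.
CVE_IDS="CVE-2007-3387 CVE-2007-4352 CVE-2007-5392 CVE-2007-5393
CVE-2009-0146 CVE-2009-0147 CVE-2009-0166 CVE-2009-0799 CVE-2009-0800
CVE-2009-1179 CVE-2009-1180 CVE-2009-1181 CVE-2009-1182 CVE-2009-1183"

# Topmost changelog entry: everything up to and including the first
# " -- Maintainer <mail>  date" trailer line.
top_entry() { awk '{ print } /^ -- / { exit }' "$1"; }

# Print each listed CVE id the topmost entry does not mention.
# Returns 0 when none are missing, 1 otherwise.
missing_cves() {
    entry=$(top_entry "$1")
    missing=""
    for id in $CVE_IDS; do
        # -w: whole-word match, so a longer number does not satisfy a shorter id
        printf '%s\n' "$entry" | grep -qwF -- "$id" || missing="$missing $id"
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' $missing
    return 1
}

# Constructed sample: package name from the report; versions, maintainer
# and dates made up. Only the top entry may satisfy the check.
sample_changelog() { cat <<'EOF'
swftools (0.8.1-1+example1) unstable; urgency=high

  * Fix embedded xpdf: CVE-2007-3387 CVE-2007-5392 CVE-2007-5393
    CVE-2009-0146 CVE-2009-0147 CVE-2009-0166 CVE-2009-0799 CVE-2009-0800
    CVE-2009-1179 CVE-2009-1180 CVE-2009-1181 CVE-2009-1182

 -- Example Maintainer <maintainer@example.org>  Thu, 07 May 2009 00:00:00 +0000

swftools (0.8.1-1) unstable; urgency=low

  * Older entry: CVE-2007-4352 and CVE-2009-1183 here must not count.

 -- Example Maintainer <maintainer@example.org>  Wed, 06 May 2009 00:00:00 +0000
EOF
}

tmp=$(mktemp) && sample_changelog > "$tmp"
missing_cves "$tmp" || echo "top changelog entry is missing the ids above"
rm -f "$tmp"
```

Run against a real package by passing `debian/changelog` to `missing_cves`; a non-zero exit status makes it usable as a pre-upload gate.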