[SECURITY] [DSA 1347-1] New xpdf packages fix arbitrary code execution

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [SECURITY] [DSA 1347-1] New xpdf packages fix arbitrary code execution
From: Moritz Muehlenhoff <jmm@xxxxxxxxxx>
Date: Sat, 4 Aug 2007 14:55:49 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mail-followup-to: bugtraq@xxxxxxxxxxxxxxxxx
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Old-return-path: <jmm@xxxxxxxxxx>
Priority: urgent
Reply-to: listadmin@xxxxxxxxxxxxxxxxx
Resent-cc: recipient list not shown: ;
Resent-date: Sat, 4 Aug 2007 12:59:23 +0000 (UTC)
Resent-from: list@xxxxxxxxxxxxxxxxx (Mailing List Manager)
Resent-message-id: <6fNgfD.A.k2.rgHtGB@murphy>
User-agent: Mutt/1.5.16 (2007-06-11)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1347-1                    security@xxxxxxxxxx
http://www.debian.org/security/                         Moritz Muehlenhoff
August 4th, 2007                        http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : xpdf
Vulnerability  : integer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2007-3387

It was discovered that an integer overflow in the xpdf PDF viewer may lead
to the execution of arbitrary code if a malformed PDF file is opened.

For the oldstable distribution (sarge) this problem has been fixed in
version 3.00-13.7.

For the stable distribution (etch) this problem has been fixed in
version 3.01-9etch1.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your xpdf packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.00-13.7.dsc
      Size/MD5 checksum:      781 0e263d3ecbd956af7d756e6b10b450b9
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.00-13.7.diff.gz
      Size/MD5 checksum:    51994 73102654c2dc695ba52153332cf6355e
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.00.orig.tar.gz
      Size/MD5 checksum:   534697 95294cef3031dd68e65f331e8750b2c2

  Architecture independent components:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-common_3.00-13.7_all.deb
      Size/MD5 checksum:    56612 3844dc954e1b076cedb1df334f1d9fee
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.00-13.7_all.deb
      Size/MD5 checksum:     1276 894fe92a845e0e211e0217c590bd59b8

  Alpha architecture:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.7_alpha.deb
      Size/MD5 checksum:   803682 da21c5c482000a03a782310682a17c61
    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.7_alpha.deb
      Size/MD5 checksum:  1528526 634bc43be530058b8df65cb8477add20

  AMD64 architecture:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.7_amd64.deb
      Size/MD5 checksum:   668656 7c5d4d69e1415bedc58ee5fea3c0ba4e
    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.7_amd64.deb
      Size/MD5 checksum:  1275056 5b449abdea091655726bf3263d06c24b

  ARM architecture:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.7_arm.deb
      Size/MD5 checksum:   675168 4c806b183382516f9b228fcb534a5fc2
    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.7_arm.deb
      Size/MD5 checksum:  1280198 eccbbcb5fb6688685e6274d393d06c58

  HP Precision architecture:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.6_hppa.deb
      Size/MD5 checksum:   833234 53a85c49c0d0ed760da1ac5bd256cc1c
    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.6_hppa.deb
      Size/MD5 checksum:  1581132 b830198ef741369f777e4a231c2b2352

  Intel IA-32 architecture:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.7_i386.deb
      Size/MD5 checksum:   657156 69e930d035bf8e338da085162061f8f2
    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.7_i386.deb
      Size/MD5 checksum:  1242988 208188fd587d1bf6d76ce0b83b2d14d1

  Intel IA-64 architecture:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.7_ia64.deb
      Size/MD5 checksum:   951362 8a68c556f5cb892f22305d8be9906d63
    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.7_ia64.deb
      Size/MD5 checksum:  1803002 4f339242fb23f7d564f6909db48d3b6e

  Motorola 680x0 architecture:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.7_m68k.deb
      Size/MD5 checksum:   586488 de9ba73580d4c5ae1d9587dee185c5f2
    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.7_m68k.deb
      Size/MD5 checksum:  1117854 4c573f4e9433eeb2b07659c78dd34e8e

  Big endian MIPS architecture:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.7_mips.deb
      Size/MD5 checksum:   808354 53efd66f685a4dbfc81548373c4c7b14
    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.7_mips.deb
      Size/MD5 checksum:  1525936 f102ccb14e87431e7920f0856b46f896

  Little endian MIPS architecture:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.7_mipsel.deb
      Size/MD5 checksum:   798650 d5f16d74b898d95480b3a7411328340f
    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.7_mipsel.deb
      Size/MD5 checksum:  1504484 63e65bbdd21f3290f5ff7fe8f2605489

  PowerPC architecture:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.7_powerpc.deb
      Size/MD5 checksum:   694722 08e6ef661dd969b992ed8e524860c6d0
    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.7_powerpc.deb
      Size/MD5 checksum:  1313852 cc4faa2d9a6f34e0f2617150d0ed4983

  IBM S/390 architecture:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.7_s390.deb
      Size/MD5 checksum:   631070 af2bcecc6f6020ba4716446dc72b627b
    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.7_s390.deb
      Size/MD5 checksum:  1199558 ce19e172165131f98d8b436849ba1c08

  Sun Sparc architecture:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.00-13.7_sparc.deb
      Size/MD5 checksum:   626964 eda25a6a10d0e69f51d686ea23a99480
    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.00-13.7_sparc.deb
      Size/MD5 checksum:  1182548 6560c5dd893ce3fca7f0c86b022a818e


Debian GNU/Linux 4.0 alias etch
- -------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01-9etch1.dsc
      Size/MD5 checksum:      968 d8dc0eef65699dd4ba038a096d2a81e4
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01-9etch1.diff.gz
      Size/MD5 checksum:    34901 b432feb9ba16a593df406baba307df1b
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01.orig.tar.gz
      Size/MD5 checksum:   599778 e004c69c7dddef165d768b1362b44268

  Architecture independent components:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-common_3.01-9etch1_all.deb
      Size/MD5 checksum:    61024 7c0fd8bfc7fc90bc5c17464700edb42f
    http://security.debian.org/pool/updates/main/x/xpdf/xpdf_3.01-9etch1_all.deb
      Size/MD5 checksum:     1278 7e5c71c975f30e46a6cb50d3bbff5adc

  Alpha architecture:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9etch1_alpha.deb
      Size/MD5 checksum:   905816 03bf81436242b6a3b9aaf3f0b2bb3164
    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9etch1_alpha.deb
      Size/MD5 checksum:  1651508 3432db911ace408ae0f7dad55eac0f2b

  AMD64 architecture:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9etch1_amd64.deb
      Size/MD5 checksum:   794428 e24ed84c50324d45177ae0235db5a313
    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9etch1_amd64.deb
      Size/MD5 checksum:  1455166 590fc7c28c6c70cacc043fd64473c4ef

  ARM architecture:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9etch1_arm.deb
      Size/MD5 checksum:   787430 7eb238efc796199d130b295c62092cd0
    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9etch1_arm.deb
      Size/MD5 checksum:  1429968 e238b03168bfede6bf830a304ff50620

  Intel IA-32 architecture:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9etch1_i386.deb
      Size/MD5 checksum:   781640 c9d20758cf278db78638def045a863c5
    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9etch1_i386.deb
      Size/MD5 checksum:  1423878 68bd5716e0f169d5086b2fd00e7d8f4a

  Intel IA-64 architecture:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9etch1_ia64.deb
      Size/MD5 checksum:  1195858 cbbdd5d6d0414169145dbdf3fea12707
    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9etch1_ia64.deb
      Size/MD5 checksum:  2165458 21e2ed7de71da57d66751757ef53342d

  Big endian MIPS architecture:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9etch1_mips.deb
      Size/MD5 checksum:   944050 8c6990ce24678d320e2e867f4878a730
    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9etch1_mips.deb
      Size/MD5 checksum:  1707498 be641af6c68aa385ac279915239749fc

  Little endian MIPS architecture:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9etch1_mipsel.deb
      Size/MD5 checksum:   931700 41a0d5de1726aab65964ed65de106fa8
    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9etch1_mipsel.deb
      Size/MD5 checksum:  1686070 9ed4f7c4d3f0a1a0a2606a76022c9bea

  PowerPC architecture:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9etch1_powerpc.deb
      Size/MD5 checksum:   833600 8f1e3926bb539d37386a9e614c5a8dda
    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9etch1_powerpc.deb
      Size/MD5 checksum:  1520882 6000cb9a1adadcd8b150bb642fe1040f

  IBM S/390 architecture:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9etch1_s390.deb
      Size/MD5 checksum:   752384 9e58b3a148b490a0869a1b2ea6450157
    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9etch1_s390.deb
      Size/MD5 checksum:  1363574 315e1ce79f6f2b8a7765cc453925bfc0

  Sun Sparc architecture:

    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-reader_3.01-9etch1_sparc.deb
      Size/MD5 checksum:   750250 e6d86666b4b9b2050ed1a144411f613f
    
http://security.debian.org/pool/updates/main/x/xpdf/xpdf-utils_3.01-9etch1_sparc.deb
      Size/MD5 checksum:  1363236 a7ccb1bdcb2880c6e72387250e0f4c59


  These files will probably be moved into the stable distribution on
  its next update.

- 
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGtHcIXm3vHE4uyloRAv3iAKCkzmPesmHDYuafUZUYbC3LbImLrQCeP9z5
NV/iPAHAmQE7vlyD6mvn/Qg=
=QwZF
-----END PGP SIGNATURE-----
Prev by Date: Re: [ELEYTT] 3SIERPIEN2007
Next by Date: Immunity Debugger is now released
Previous by thread: Re: [ELEYTT] 4SIERPIEN2007
Next by thread: Immunity Debugger is now released
Index(es):
- Date
- Thread