Secunia Research: Xpdf "Stream.cc" Multiple Vulnerabilities
======================================================================
Secunia Research 07/11/2007
- Xpdf "Stream.cc" Multiple Vulnerabilities -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10
======================================================================
1) Affected Software
* Xpdf 3.02 with xpdf-3.02pl1.patch.
NOTE: Other versions may also be affected.
======================================================================
2) Severity
Rating: Highly critical
Impact: System access
Where: Remote
======================================================================
3) Vendor's Description of Software
"Xpdf is an open source viewer for Portable Document Format (PDF)
files. (These are also sometimes also called 'Acrobat' files, from the
name of Adobe's PDF software.) The Xpdf project also includes a PDF
text extractor, PDF-to-PostScript converter, and various other
utilities.".
Product Link:
http://www.foolabs.com/xpdf/
======================================================================
4) Description of Vulnerabilities
Secunia Research has discovered some vulnerabilities in Xpdf, which can
be exploited by malicious people to compromise a user's system.
1) An array indexing error within the
"DCTStream::readProgressiveDataUnit()" method in xpdf/Stream.cc can be
exploited to corrupt memory via a specially crafted PDF file.
2) An integer overflow error within the "DCTStream::reset()" method in
xpdf/Stream.cc can be exploited to cause a heap-based buffer overflow
via a specially crafted PDF file.
3) A boundary error within the "CCITTFaxStream::lookChar()" method in
xpdf/Stream.cc can be exploited to cause a heap-based buffer overflow
by tricking a user into opening a PDF file containing a specially
crafted "CCITTFaxDecode" filter.
Successful exploitation may allow execution of arbitrary code.
======================================================================
5) Solution
Do not open untrusted PDF files.
The vendor is reportedly working on a patch.
======================================================================
6) Time Table
17/10/2007 - Vendor notified.
22/10/2007 - vendor-sec notified.
19/10/2007 - Vendor response.
07/11/2007 - Public disclosure.
======================================================================
7) Credits
Discovered by Alin Rad Pop, Secunia Research.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned the
following CVE identifiers:
* CVE-2007-4352 ("DCTStream::readProgressiveDataUnit()")
* CVE-2007-5392 ("DCTStream::reset()")
* CVE-2007-5393 ("CCITTFaxStream::lookChar()")
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://corporate.secunia.com/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://corporate.secunia.com/secunia_research/33/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/secunia_vacancies/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/secunia_security_advisories/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2007-88/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================