tags 334454 + patch pending confirmed upstream stop BTW, this is Debian bug #334454. Forwarding my earlier mail to the bug. Please keep it in copy.
-- Loïc Minier <[EMAIL PROTECTED]>
--- Begin Message ---Hi, DSA 982-1 was announced without any CVE id. I went through the 2005 and 2006 CVEs for gpdf and found this: unstable stable CAN-2005-2097 VULNERABLE VULNERABLE CVE-2005-3191 2.10.0-2 2.8.2-1.2sarge2 CVE-2005-3192 2.10.0-2 2.8.2-1.2sarge2 CVE-2005-3624 2.10.0-2 2.8.2-1.2sarge2 CVE-2005-3625 2.10.0-2 2.8.2-1.2sarge2 CVE-2005-3626 2.10.0-2 2.8.2-1.2sarge2 CVE-2005-3627 2.10.0-2 2.8.2-1.2sarge2 CVE-2005-3628 2.10.0-2 2.8.2-1.2sarge2 CVE-2006-0301 2.10.0-3 2.8.2-1.2sarge3 ??? ??? 2.8.2-1.2sarge4 But I have no guarantee that I do not miss any additional vulns that were not attached to a CVE id in previous DSAs. I need your help to: 1) find out the CVEs of 2.8.2-1.2sarge4 (please allocate CVE ids or tell me which CVE ids are concerned by the fix in case I need to fix the unstable package again); it seems this might have been fixed in unstable with 2.10.0-3, but I can't tell for sure (perhaps you can?) 2) check the attached fix CAN-2005-2097 in stable; you seem to have fixed this for: kdegraphics 3.3.2-2sarge1 DSA-780-1 libextractor 0.4.2-2sarge2 DSA-936 xpdf and tetex-bin were not affected in stable I've found only the second of the two hunks of the attached "post-3.4.1-kdegraphics-4.diff" in gpdf 2.8.2-1.2sarge4, and it was vulnerable. I attach the proposed fix for stable, addressing CAN-2005-2097 in gpdf 2.8.2-1.2sarge4 (and making it gpdf 2.8.2-1.2sarge5), as gpdf_2.8.2-1.2sarge5.diff. If you agree with the fix, I'll apply the same fix to gpdf 2.10.0-3. (post-3.4.1-kdegraphics-4.diff is the only patch I've found for CAN-2005-2097, it might be incomplete, please let me know if you know of something better.) Bye, -- Loïc Minier <[EMAIL PROTECTED]>diff -u gpdf-2.8.2/debian/changelog gpdf-2.8.2/debian/changelog --- gpdf-2.8.2/debian/changelog +++ gpdf-2.8.2/debian/changelog @@ -1,3 +1,9 @@ +gpdf (2.8.2-1.2sarge5) stable-security; urgency=low + + * Backported fix for CAN-2005-2097. + + -- Loic Minier <[EMAIL PROTECTED]> Sat, 29 Jul 2006 16:54:48 +0200 + gpdf (2.8.2-1.2sarge4) stable-security; urgency=high * Non-maintainer upload by the Security Team only in patch2: unchanged: --- gpdf-2.8.2.orig/fofi/FoFiTrueType.cc +++ gpdf-2.8.2/fofi/FoFiTrueType.cc @@ -1343,6 +1343,26 @@ return; } + // make sure the loca table is sane (correct length and entries are + // in bounds) + i = seekTable("loca"); + if (tables[i].len < (nGlyphs + 1) * (locaFmt ? 4 : 2)) { + parsedOk = gFalse; + return; + } + for (j = 0; j <= nGlyphs; ++j) { + if (locaFmt) { + pos = (int)getU32BE(tables[i].offset + j*4, &parsedOk); + } else { + pos = getU16BE(tables[i].offset + j*2, &parsedOk); + } + if (pos < 0 || pos > len) { + parsedOk = gFalse; + } + } + if (!parsedOk) { + return; + // read the post table readPostTable(); if (!parsedOk) {Index: kpdf/xpdf/xpdf/SplashOutputDev.cc =================================================================== --- kpdf/xpdf/xpdf/SplashOutputDev.cc (revision 439200) +++ kpdf/xpdf/xpdf/SplashOutputDev.cc (working copy) @@ -621,16 +621,19 @@ } break; case fontTrueType: - if (!(ff = FoFiTrueType::load(fileName->getCString()))) { - goto err2; + if ((ff = FoFiTrueType::load(fileName->getCString()))) { + codeToGID = ((Gfx8BitFont *)gfxFont)->getCodeToGIDMap(ff); + n = 256; + delete ff; + } else { + codeToGID = NULL; + n = 0; } - codeToGID = ((Gfx8BitFont *)gfxFont)->getCodeToGIDMap(ff); - delete ff; if (!(fontFile = fontEngine->loadTrueTypeFont( id, fileName->getCString(), fileName == tmpFileName, - codeToGID, 256))) { + codeToGID, n))) { error(-1, "Couldn't create a font for '%s'", gfxFont->getName() ? gfxFont->getName()->getCString() : "(unnamed)"); Index: kpdf/xpdf/fofi/FoFiTrueType.cc =================================================================== --- kpdf/xpdf/fofi/FoFiTrueType.cc (revision 439200) +++ kpdf/xpdf/fofi/FoFiTrueType.cc (working copy) @@ -1343,6 +1343,27 @@ return; } + // make sure the loca table is sane (correct length and entries are + // in bounds) + i = seekTable("loca"); + if (tables[i].len < (nGlyphs + 1) * (locaFmt ? 4 : 2)) { + parsedOk = gFalse; + return; + } + for (j = 0; j <= nGlyphs; ++j) { + if (locaFmt) { + pos = (int)getU32BE(tables[i].offset + j*4, &parsedOk); + } else { + pos = getU16BE(tables[i].offset + j*2, &parsedOk); + } + if (pos < 0 || pos > len) { + parsedOk = gFalse; + } + } + if (!parsedOk) { + return; + } + // read the post table readPostTable(); if (!parsedOk) {
--- End Message ---

