Bug 30804

Summary: xpdf new security issues CVE-2022-2410[67] and CVE-2022-38171
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, fri, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: xpdf-4.03-1.mga8.src.rpm CVE: CVE-2022-24106, CVE-2022-24107, CVE-2022-38171
Status comment:
Bug Depends on:    
Bug Blocks: 30812, 32824    

Description David Walser 2022-09-02 18:24:07 CEST 
Xpdf 4.04, released on April 18, fixes three security issues:
http://www.xpdfreader.com/security-fixes.html

It also lists two "will be fixed" issues that may not have fixes available yet, so we'll need to file another bug for those:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30524
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33108
Comment 1 Nicolas Salguero 2022-09-04 21:45:59 CEST 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

In Xpdf prior to 4.04, the DCT (JPEG) decoder was incorrectly allowing the 'interleaved' flag to be changed after the first scan of the image, leading to an unknown integer-related vulnerability in Stream.cc. (CVE-2022-24106)

Xpdf prior to 4.04 lacked an integer overflow check in JPXStream.cc. (CVE-2022-24107)

Xpdf prior to version 4.04 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIG2Stream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. (CVE-2022-38171)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24106
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24107
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38171
http://www.xpdfreader.com/security-fixes.html
========================

Updated packages in core/updates_testing:
========================
xpdf-4.04-1.mga8
xpdf-common-4.04-1.mga8

from SRPM:
xpdf-4.04-1.mga8.src.rpm

CVE: (none) => CVE-2022-24106, CVE-2022-24107, CVE-2022-38171
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
CC: (none) => nicolas.salguero

David Walser 2022-09-05 00:03:44 CEST

Blocks: (none) => 30812

Comment 2 Morgan Leijström 2022-09-05 00:55:09 CEST 
Installed cleanly.
Opened a couple pdf files.
Used different view modes.
Saved a page as jpeg.
Printed a document to Boomaga.
Tried internet link, browser opens

No localisation (not Swedish anyway)

Not optimally adapted to Plasma which I use:
§ Clicking internet link in pdf, chromium opens (running Plasma, my default browser is Firefox, but maybe some other DE i installed have chromium as preference)
§ After having saved, I need to tell Dolphin to update to see the file.

But this is OK, I think.

Nothing to worry about in output in terminal from where i started it.

Plasma, 4K screen, nvidia-current and kernel from backport.

CC: (none) => fri
Whiteboard: (none) => MGA8-64-OK

Comment 3 Thomas Andrews 2022-09-05 02:35:02 CEST 
Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 4 David Walser 2022-09-06 14:30:14 CEST 
Some more background on this, including PoC information for CVE-2022-38171:
https://www.openwall.com/lists/oss-security/2022/09/02/11
Dave Hodgins 2022-09-07 05:19:16 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2022-09-07 07:29:11 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0320.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Nicolas Salguero 2024-02-09 10:23:00 CET

Blocks: (none) => 32824