| Summary: | xpdf CVE-2022-30524, CVE-2022-30775, CVE-2022-33108, CVE-2022-36561, CVE-2022-38222, CVE-2022-38334, CVE-2022-38928, CVE-2022-4184[2-4], CVE-2022-43071, CVE-2022-43295, CVE-2022-4558[67], CVE-2023-266[2-4], CVE-2023-3044, CVE-2023-3436 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, fri, marja11, nicolas.salguero, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.xpdfreader.com/security-fixes.html | ||
| Whiteboard: | MGA9-64-OK MGA9-32-OK | ||
| Source RPM: | xpdf-4.04-1.mga9.src.rpm | CVE: | CVE-2022-36561,CVE-2022-30524,CVE-2022-30775,CVE-2022-33108,CVE-2022-36561,CVE-2022-38222,CVE-2022-38334,CVE-2022-38928,CVE-2022-41842,CVE-2022-41843,CVE-2022-41844,CVE-2022-43071,CVE-2023-2662,CVE-2023-2663,CVE-2023-2664,CVE-2023-3044,CVE-2023-3436 |
| Status comment: | |||
| Bug Depends on: | 30804 | ||
| Bug Blocks: | 32824 | ||
Description
David Walser
2022-09-05 00:03:44 CEST

David Walser
2022-09-05 00:03:56 CEST
Whiteboard: (none) => MGA8TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs

Author is active and responding to new reports, saying some fixes are implemented in the next version. Several threads in forum.
https://forum.xpdfreader.com/viewforum.php?f=3
CC: (none) => fri

Some more CVEs not listed on the upstream page in Comment 0:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38222
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41842
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41844
Summary: xpdf new security issues CVE-2022-30524 and CVE-2022-33108 => xpdf new security issues CVE-2022-30524, CVE-2022-33108, CVE-2022-38222, CVE-2022-4184[2-4]

Nicolas Salguero
2024-02-09 10:23:00 CET
Blocks: (none) => 32824

Nicolas Salguero
2024-02-09 10:25:30 CET
Summary: xpdf new security issues CVE-2022-30524, CVE-2022-33108, CVE-2022-38222, CVE-2022-4184[2-4] => xpdf new security issues CVE-2018-7453, CVE-2018-16369, CVE-2022-36561, CVE-2022-38222, CVE-2022-4184[34], CVE-2023-266[2-4], CVE-2023-3044, CVE-2023-3436

Nicolas Salguero
2024-02-09 10:29:14 CET
CVE: (none) => CVE-2018-7453, CVE-2018-16369, CVE-2022-36561, CVE-2022-38222, CVE-2022-41843, CVE-2022-41844, CVE-2023-2662, CVE-2023-2663, CVE-2023-2664, CVE-2023-3044, CVE-2023-3436

*** Bug 32824 has been marked as a duplicate of this bug. ***

Sadly, there are so many CVEs fixed that the list does not fit into the CVE field of that bug.
Summary: xpdf new security issues CVE-2018-7453, CVE-2018-16369, CVE-2022-36561, CVE-2022-38222, CVE-2022-4184[34], CVE-2023-266[2-4], CVE-2023-3044, CVE-2023-3436 => xpdf CVE-2022-30524, CVE-2022-30775, CVE-2022-33108, CVE-2022-36561, CVE-2022-38171, CVE-2022-38222, CVE-2022-38334, CVE-2022-38928, CVE-2022-4184[2-4], CVE-2022-43071, CVE-2022-43295, CVE-2022-4558[67], CVE-2023-266[2-4], CVE-2023-3044, CVE-2023-3436

Xpdf 4.05, released on February 8, fixes 19 security issues:
http://www.xpdfreader.com/security-fixes.html
CVE: CVE-2022-36561,CVE-2022-30524,CVE-2022-30775,CVE-2022-33108,CVE-2022-36561,CVE-2022-38171,CVE-2022-38222,CVE-2022-38334,CVE-2022-38928,CVE-2022-41842,CVE-2022-41843,CVE-2022-41844,CVE-2023-2662,CVE-2023-2663,CVE-2023-2664,CVE-2023-3044,CVE-2023-3436 => CVE-2022-36561,CVE-2022-30524,CVE-2022-30775,CVE-2022-33108,CVE-2022-36561,CVE-2022-38222,CVE-2022-38334,CVE-2022-38928,CVE-2022-41842,CVE-2022-41843,CVE-2022-41844,CVE-2022-43071,CVE-2023-2662,CVE-2023-2663,CVE-2023-2664,CVE-2023-3044,CVE-2023-3436

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Logic bug in text extractor led to invalid memory access. (CVE-2022-30524)

Integer overflow in rasterizer. (CVE-2022-30775)

PDF object loop in Catalog::countPageTree. (CVE-2022-33108)

PDF object loop in AcroForm::scanField. (CVE-2022-36561)

Logic bug in JBIG2 decoder. (CVE-2022-38222)

PDF object loop in Catalog::countPageTree. (CVE-2022-38334)

Missing bounds check in CFF font converter caused null pointer dereference. (CVE-2022-38928)

PDF object loop in Catalog::countPageTree. (CVE-2022-41842)

Missing bounds check in CFF font parser caused invalid memory access. (CVE-2022-41843)

PDF object loop in AcroForm::scanField. (CVE-2022-41844)

PDF object loop in Catalog::readPageLabelTree2. (CVE-2022-43071)

PDF object loop in Catalog::countPageTree. (CVE-2022-43295)

PDF object loop in Catalog::countPageTree. (CVE-2022-45586)

PDF object loop in Catalog::countPageTree. (CVE-2022-45587)

Divide-by-zero in Xpdf 4.04 due to bad color space object. (CVE-2023-2662)

PDF object loop in Catalog::readPageLabelTree2. (CVE-2023-2663)

PDF object loop in Catalog::readEmbeddedFileTree. (CVE-2023-2664)

Divide-by-zero in Xpdf 4.04 due to very large page size. (CVE-2023-3044)

Deadlock in Xpdf 4.04 due to PDF object stream references. (CVE-2023-3436)

References:
http://www.xpdfreader.com/security-fixes.html
========================

Updated packages in core/updates_testing:
========================
xpdf-4.05-1.mga9
xpdf-common-4.05-1.mga9

from SRPM:
xpdf-4.05-1.mga9.src.rpm
Version: Cauldron => 9

mga9-64 OK here, Plasma, nvidia545.

Have not used this program for long, and never in this system.

Installed by drakrpm:
- x11-font-adobe-100dpi-1.0.3-10.mga9.noarch <--- dependency
- xpdf-4.04-2.mga9.x86_64
- xpdf-common-4.04-2.mga9.x86_64

Opened a pdf I recently generated by our LibreOffice, and also a manual I had fetched made by Acrobat Distiller 7. View OK, Print OK, search OK, etc...
Whiteboard: (none) => MGA9-64-OK

MGA9-32 Plasma on 64-bit hardware, using the server kernel.

Installed the current version, then updated. No installation issues.

Loaded a pdf created years ago with OpenOffice, no issues. Loaded an old blank IRS tax form, filled in a few of the data spots, again no issues.

Looks good for 32-bits. Validating, because with all these CVEs it needs to go out ASAP.
Whiteboard: MGA9-64-OK => MGA9-64-OK MGA9-32-OK

Marja Van Waes
2024-02-10 19:28:45 CET
URL: (none) => http://www.xpdfreader.com/security-fixes.html

Marja Van Waes
2024-02-10 19:38:04 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0035.html
Resolution: (none) => FIXED