Bug 11061 - xpdf new security issue CVE-2012-2142
Summary: xpdf new security issue CVE-2012-2142
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/564412/
Whiteboard: MGA2TOO MGA3-32-OK MGA3-64-OK mga2-64...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-08-22 19:43 CEST by David Walser
Modified: 2013-08-26 21:56 CEST
Source RPM: xpdf-3.03-2.mga2.src.rpm
Description David Walser 2013-08-22 19:43:29 CEST
Slackware has issued an advisory on August 21:
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.496284

Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.

This issue also affects poppler, but it was already fixed upstream in the versions we have in Mageia 3 and Cauldron.  The issue does not affect the version of poppler that we have in Mageia 2.

Advisory:
========================

Updated xpdf packages fix security vulnerability:

PDF files could be used to inject shell code when xpdf was run from some
terminal emulators, due to the use of escape sequences in error messages
(CVE-2012-2142).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2142
https://bugzilla.redhat.com/show_bug.cgi?id=789936
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.496284
========================

Updated packages in core/updates_testing:
========================
xpdf-3.03-2.1.mga2
libxpdf0-3.03-2.1.mga2
libxpdf-devel-3.03-2.1.mga2
xpdf-common-3.03-2.1.mga2
xpdf-3.03-4.1.mga3
libxpdf0-3.03-4.1.mga3
libxpdf-devel-3.03-4.1.mga3
xpdf-common-3.03-4.1.mga3

from SRPMS:
xpdf-3.03-2.1.mga2.src.rpm
xpdf-3.03-4.1.mga3.src.rpm

David Walser 2013-08-22 19:43:38 CEST

Whiteboard: (none) => MGA2TOO
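
Added example, not part of the original bug report and not the xpdf or poppler patch: one way an error-reporting path can neutralise the escape sequences the advisory describes, by rewriting every non-printable byte of a file-derived message as a visible <xx> token before it reaches the terminal. The function names, buffer size and sample message are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Copy len bytes of msg into out, keeping printable ASCII (0x20..0x7e)
 * and rewriting every other byte, ESC (0x1b) included, as a visible
 * "<xx>" hex token. Output is always NUL-terminated and is truncated on
 * a token boundary when out is too small. Returns bytes written. */
size_t sanitize_for_terminal(const char *msg, size_t len,
                             char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)msg[i];
        if (c >= 0x20 && c <= 0x7e) {
            if (o + 1 >= outsz)          /* need room for char + NUL */
                break;
            out[o++] = (char)c;
        } else {
            if (o + 4 >= outsz)          /* need room for "<xx>" + NUL */
                break;
            o += (size_t)snprintf(out + o, outsz - o, "<%02x>", c);
        }
    }
    out[o] = '\0';
    return o;
}

/* Hypothetical error reporter: the message text comes from the file
 * being parsed, so it is sanitized before being written to stderr. */
void report_error(const char *untrusted, size_t len)
{
    char safe[512];
    sanitize_for_terminal(untrusted, len, safe, sizeof safe);
    fprintf(stderr, "Error: %s\n", safe);
}

int main(void)
{
    /* Constructed sample: an operator name carrying a colour-change
     * escape sequence and a BEL byte. */
    static const char sample[] = "Unknown operator '\x1b[31mX\x07'";
    report_error(sample, sizeof sample - 1);
    return 0;
}
```
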

Comment 1 Dave Hodgins 2013-08-22 21:23:19 CEST
Advisory 11061.adv uploaded to svn.

CC: (none) => davidwhodgins

Comment 2 William Kenney 2013-08-23 01:49:18 CEST
MGA3-32-OK test ok

in VirtualBox

default install xpdf-3.03-4.mga3.i586 from core release
[root@localhost wilcal]# urpmi xpdf
Package xpdf-3.03-4.mga3.i586 is already installed

Launch xpdf from a terminal and display a test.pdf, all seems fine.

install xpdf-3.03-4.1.mga3.i586 from core updates_testing
[root@localhost Downloads]# urpmi xpdf
Package xpdf-3.03-4.1.mga3.i586 is already installed

Launch xpdf from a terminal and display a test.pdf, all seems fine.
Launch xpdf from the Menu launcher and display a test.pdf file, all seems fine.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm

CC: (none) => wilcal.int
Whiteboard: MGA2TOO => MGA2TOO MGA3-32-OK

Comment 3 William Kenney 2013-08-23 01:49:59 CEST
MGA3-64-OK test ok

in VirtualBox

default install xpdf-3.03-4.mga3.x86_64 from core release
[root@localhost wilcal]# urpmi xpdf
Package xpdf-3.03-4.mga3.x86_64 is already installed

Launch xpdf from a terminal and display a test.pdf, all seems fine.

install xpdf-3.03-4.1.mga3.x86_64 from core updates_testing
[root@localhost Documents]# urpmi xpdf
Package xpdf-3.03-4.1.mga3.x86_64 is already installed

Launch xpdf from a terminal and display a test.pdf, all seems fine.
Launch xpdf from the Menu launcher and display a test.pdf file, all seems fine.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
William Kenney 2013-08-23 01:50:17 CEST

Whiteboard: MGA2TOO MGA3-32-OK => MGA2TOO MGA3-32-OK MGA3-64-OK

Comment 4 claire robinson 2013-08-23 14:15:25 CEST
Testing complete mga2 32 & 64

Validating.

Could sysadmin please push from 2 & 3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA2TOO MGA3-32-OK MGA3-64-OK => MGA2TOO MGA3-32-OK MGA3-64-OK mga2-64-ok mga2-32-ok
CC: (none) => sysadmin-bugs

Comment 5 Thomas Backlund 2013-08-26 21:56:23 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0261.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

