Xpdf 4.04, released on April 18, fixes three security issues:
http://www.xpdfreader.com/security-fixes.html
It also lists two "will be fixed" issues that may not have fixes available yet, so we'll need to file another bug for those:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30524
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33108
Suggested advisory:
========================
The updated packages fix security vulnerabilities:

In Xpdf prior to 4.04, the DCT (JPEG) decoder was incorrectly allowing the 'interleaved' flag to be changed after the first scan of the image, leading to an unknown integer-related vulnerability in Stream.cc. (CVE-2022-24106)

Xpdf prior to 4.04 lacked an integer overflow check in JPXStream.cc. (CVE-2022-24107)

Xpdf prior to version 4.04 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIG2Stream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. (CVE-2022-38171)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24106
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24107
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38171
http://www.xpdfreader.com/security-fixes.html
========================
Updated packages in core/updates_testing:
========================
xpdf-4.04-1.mga8
xpdf-common-4.04-1.mga8

from SRPM:
xpdf-4.04-1.mga8.src.rpm
CVE: (none) => CVE-2022-24106, CVE-2022-24107, CVE-2022-38171
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
CC: (none) => nicolas.salguero
Blocks: (none) => 30812
Installed cleanly.
Opened a couple pdf files. Used different view modes. Saved a page as jpeg. Printed a document to Boomaga. Tried internet link, browser opens.
No localisation (not Swedish anyway).
Not optimally adapted to Plasma, which I use:
§ Clicking internet link in pdf, chromium opens (running Plasma, my default browser is Firefox, but maybe some other DE I installed has chromium as preference)
§ After having saved, I need to tell Dolphin to update to see the file. But this is OK, I think.
Nothing to worry about in output in terminal from where I started it.
Plasma, 4K screen, nvidia-current and kernel from backport.
CC: (none) => fri
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 1.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Some more background on this, including PoC information for CVE-2022-38171: https://www.openwall.com/lists/oss-security/2022/09/02/11
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0320.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Blocks: (none) => 32824