CVSS2: AV:N/AC:M/Au:N/C:P/I:P/A:P (Attack Vector: Network; Attack Complexity: Medium; Authentication: None; Confidentiality, Integrity and Availability Impact: Partial)
EPSS percentile: 96.8%
Foolabs Xpdf contains a denial of service vulnerability caused by the t1lib library incorrectly parsing Type 1 fonts.
According to Foolabs: "Xpdf is an open source viewer for Portable Document Format (PDF) files. (These are sometimes also called 'Acrobat' files, from the name of Adobe's PDF software.) The Xpdf project also includes a PDF text extractor, PDF-to-PostScript converter, and various other utilities."
Foolabs Xpdf contains a denial of service vulnerability caused by the t1lib library incorrectly parsing Type 1 fonts. This vulnerability may allow an attacker to execute arbitrary code.
A remote attacker can cause the application to crash and may be able to execute arbitrary code.
The vendor has stated they will stop using t1lib in their product and users should build Xpdf without t1lib.
To build Xpdf without t1lib, add the "--with-t1-library=no" flag to the configure command:
./configure --with-t1-library=no …
To double-check, run "xpdf --help". The "-freetype" option should be listed, and the "-t1lib" option should NOT be listed. That indicates that Xpdf was built with FreeType and without t1lib.
With this setting, Xpdf will use FreeType instead of t1lib to rasterize Type 1 fonts. With recent versions of FreeType, the Type 1 quality is as good or better than t1lib, so this should not present any problems.
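An added example, not code from the CERT note or from the Xpdf project, that applies the "xpdf --help" check above to a help listing read on standard input, so the build can be verified on each host or from a saved log. The two listings are constructed samples in the style of xpdf's usage text, not output captured from a real build.

```shell
# xpdf_font_backend: read an "xpdf --help" listing on stdin and report which
# Type 1 rasterizer the binary was built with. Prints "freetype" and returns 0
# when -freetype is listed and -t1lib is not; "t1lib" and returns 1 when the
# -t1lib option is still present; "unknown" and returns 2 when neither appears.
xpdf_font_backend() {
    has_t1lib=no
    has_freetype=no
    while IFS= read -r line || [ -n "$line" ]; do
        # one option per line: the first word is the option name, and
        # matching the whole word avoids false hits from descriptive text
        set -f               # no globbing while splitting into words
        set -- $line
        set +f
        case "${1-}" in
            -t1lib)    has_t1lib=yes ;;
            -freetype) has_freetype=yes ;;
        esac
    done
    [ "$has_t1lib" = yes ]    && { echo t1lib;    return 1; }
    [ "$has_freetype" = yes ] && { echo freetype; return 0; }
    echo unknown
    return 2
}

# Constructed sample listings in the style of xpdf usage text (assumed
# format; not captured from a real build).
HELP_FREETYPE_ONLY='Usage: xpdf [options] [<PDF-file> [<page> | +<dest>]]
  -g  <string>       : initial window geometry (-geometry is equivalent)
  -freetype <string> : enable FreeType font rasterizer: yes, no'

HELP_WITH_T1LIB='Usage: xpdf [options] [<PDF-file> [<page> | +<dest>]]
  -g  <string>       : initial window geometry (-geometry is equivalent)
  -t1lib <string>    : enable t1lib font rasterizer: yes, no
  -freetype <string> : enable FreeType font rasterizer: yes, no'

# Stand-alone run; on a real host feed "xpdf --help 2>&1" into the function.
for listing in "$HELP_FREETYPE_ONLY" "$HELP_WITH_T1LIB"; do
    if printf '%s\n' "$listing" | xpdf_font_backend >/dev/null; then
        echo "OK: built with FreeType, -t1lib not listed"
    else
        echo "ACTION: rebuild with ./configure --with-t1-library=no"
    fi
done
```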
376500
Notified: February 23, 2011 Updated: February 25, 2011
Affected
We are not aware of further vendor information regarding this vulnerability.
Updated: March 21, 2011
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
<http://www.toucan-system.eu/advisories/tssa-2011-01.txt>
Thanks to Jonathan Brossard for reporting this vulnerability.
This document was written by Michael Orlando.
CVE IDs: CVE-2011-0764
Severity Metric: 0.06
Date Public: