Lucene search

Gentoo FoundationMGASA-2024-0035

HistoryFeb 10, 2024 - 10:02 p.m.

Updated xpdf packages fix security vulnerabilities

2024-02-1022:02:27

Gentoo Foundation

advisories.mageia.org

xpdf

security vulnerabilities

text extractor

rasterizer

jbig2 decoder

pdf object loops

memory access

integer overflow

bounds check

deadlock

cve-2022

cve-2023

unix

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

Low

EPSS

0.001

Percentile

51.2%

JSON

The updated packages fix security vulnerabilities: Logic bug in text extractor led to invalid memory access. (CVE-2022-30524) Integer overflow in rasterizer. (CVE-2022-30775) PDF object loop in Catalog::countPageTree. (CVE-2022-33108) PDF object loop in AcroForm::scanField. (CVE-2022-36561) Logic bug in JBIG2 decoder. (CVE-2022-38222) PDF object loop in Catalog::countPageTree. (CVE-2022-38334) Missing bounds check in CFF font converter caused null pointer dereference. (CVE-2022-38928) PDF object loop in Catalog::countPageTree. (CVE-2022-41842) Missing bounds check in CFF font parser caused invalid memory access. (CVE-2022-41843) PDF object loop in AcroForm::scanField. (CVE-2022-41844) PDF object loop in Catalog::readPageLabelTree2. (CVE-2022-43071) PDF object loop in Catalog::countPageTree. (CVE-2022-43295) PDF object loop in Catalog::countPageTree. (CVE-2022-45586) PDF object loop in Catalog::countPageTree. (CVE-2022-45587) Divide-by-zero in Xpdf 4.04 due to bad color space object. (CVE-2023-2662) PDF object loop in Catalog::readPageLabelTree2. (CVE-2023-2663) PDF object loop in Catalog::readEmbeddedFileTree. (CVE-2023-2664) Divide-by-zero in Xpdf 4.04 due to very large page size. (CVE-2023-3044) Deadlock in Xpdf 4.04 due to PDF object stream references. (CVE-203-3436)

OSVersionArchitecturePackageVersionFilename
Mageia9noarchxpdf< 4.05-1xpdf-4.05-1.mga9

OS	Version	Architecture	Package	Version	Filename
Mageia	9	noarch	xpdf	< 4.05-1	xpdf-4.05-1.mga9

References

www.xpdfreader.com/security-fixes.html

bugs.mageia.org/show_bug.cgi?id=30812

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

Low

EPSS

0.001

Percentile

51.2%

JSON

Related for MGASA-2024-0035