Bug#291251: CAN-2005-0064: Arbitrary code execution in kpdf
Package: kpdf
Severity: grave
Tags: security sarge sid
This problem also affects kpdf:
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0064
Reference: IDEFENSE:20050118 Multiple Unix/Linux Vendor Xpdf makeFileKey2 Stack Overflow
Reference: URL:http://www.idefense.com/application/poi/display?id=186&type=vulnerabilities
Reference: CONFIRM:ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl3.patch
Buffer overflow in the Decrypt::makeFileKey2 function in Decrypt.cc
for xpdf 3.00 and earlier allows remote attackers to execute arbitrary
code via a PDF file with a large /Encrypt /Length keyLength value.
You'll find the patch in the source of xpdf 3.00-12, which I'm attaching below (the Decrypt.cc hunks are the relevant part; the changelog hunk is just the record).
Regards,
Joey
--
Ten years and still binary compatible. -- XFree86
Please always Cc to me when replying to me on the lists.
diff -u xpdf-3.00/debian/changelog xpdf-3.00/debian/changelog
--- xpdf-3.00/debian/changelog
+++ xpdf-3.00/debian/changelog
@@ -1,3 +1,12 @@
+xpdf (3.00-12) unstable; urgency=high
+
+ * SECURITY UPDATE: Fixed buffer overflow that could overwrite the stack
+ and hence cause the execution of arbitrary code as reported by
+ iDEFENSE (xpdf/Decrypt.cc)
+ * References: CAN-2005-0064
+
+ -- Hamish Moffatt <hamish@debian.org> Wed, 19 Jan 2005 23:48:56 +1100
+
xpdf (3.00-11) unstable; urgency=high
* SECURITY UPDATE: fix potential buffer overflow
only in patch2:
--- xpdf-3.00.orig/xpdf/Decrypt.cc
+++ xpdf-3.00/xpdf/Decrypt.cc
@@ -73,6 +73,11 @@
Guchar fx, fy;
int len, i, j;
+ // check whether we have non-zero keyLength
+ if ( !keyLength ) {
+ return gFalse;
+ }
+
// try using the supplied owner password to generate the user password
*ownerPasswordOk = gFalse;
if (ownerPassword) {
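Review bot: The new guard `if ( !keyLength )` rejects only zero, but the value that triggered this bug is an over-sized keyLength derived from the PDF's /Encrypt /Length, and that still passes through here into the key buffers below; a negative value would too, if keyLength is a signed int like the other locals in this hunk. The `j < 16` clamp added in a later hunk suggests the key arrays are 16 bytes, so the entry check should bound both ends: `if (keyLength < 1 || keyLength > 16) { return gFalse; }`. Rejecting the file once at entry is safer than clamping each loop separately, because every later use of keyLength then sees a value that fits the buffers. The enclosing function's signature and the declaration of keyLength are outside this hunk, so confirm its type and the array sizes there.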
@@ -98,7 +103,7 @@
} else {
memcpy(test2, ownerKey->getCString(), 32);
for (i = 19; i >= 0; --i) {
- for (j = 0; j < keyLength; ++j) {
+ for (j = 0; j < keyLength && j < 16; ++j) {
tmpKey[j] = test[j] ^ i;
}
rc4InitKey(tmpKey, keyLength, fState);
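Review bot: The clamp on the loop bound stops the write past tmpKey, but the unchanged `rc4InitKey(tmpKey, keyLength, fState);` on the last line of the hunk still receives the unclamped keyLength, so for keyLength > 16 the key schedule would read past the 16-byte buffer (assuming rc4InitKey walks keyLength bytes; its body is not visible here), and the bytes beyond tmpKey[15] are whatever happens to be on the stack. That turns a stack write into a stack over-read and makes the derived key depend on uninitialized memory instead of failing cleanly. Either reject keyLength > 16 at function entry or apply the same bound here: `rc4InitKey(tmpKey, keyLength < 16 ? keyLength : 16, fState);`. The `} else {` at the top of the hunk closes a conditional that begins outside it.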
@@ -135,6 +140,11 @@
int len, i, j;
GBool ok;
+ // check whether we have non-zero keyLength
+ if ( !keyLength ) {
+ return gFalse;
+ }
+
// generate file key
buf = (Guchar *)gmalloc(68 + fileID->getLength());
if (userPassword) {
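Review bot: Same gap as in the owner-password path: `if ( !keyLength )` catches only zero, while the over-length value named in CAN-2005-0064 is the one that overflows the key buffers, and a negative keyLength (if it is a signed int) is not rejected either. Bound it at both ends, `if (keyLength < 1 || keyLength > 16) { return gFalse; }`, and say why in the comment, e.g. `// keyLength comes from the untrusted /Encrypt /Length; key buffers are presumably 16 bytes -- confirm against their declarations`. With that in place the gmalloc at the end of the hunk runs only for inputs the rest of the function can handle. The enclosing function begins before this hunk, so its parameter list is not visible.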
@@ -172,7 +182,7 @@
} else if (encRevision == 3) {
memcpy(test, userKey->getCString(), 32);
for (i = 19; i >= 0; --i) {
- for (j = 0; j < keyLength; ++j) {
+ for (j = 0; j < keyLength && j < 16; ++j) {
tmpKey[j] = fileKey[j] ^ i;
}
rc4InitKey(tmpKey, keyLength, fState);
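Review bot: With keyLength > 16 the new loop bound fills only tmpKey[0..15], yet `rc4InitKey(tmpKey, keyLength, fState);` on the last line is still told the full keyLength, so the key schedule would consume 16 real bytes plus whatever follows tmpKey on the stack (assuming rc4InitKey reads keyLength bytes; it is defined elsewhere). A malformed file should fail to decrypt deterministically rather than derive a key from stack contents, which also leaks nothing useful and may differ between runs. Pair the loop clamp with a rejection of out-of-range keyLength at function entry, or at minimum pass `keyLength < 16 ? keyLength : 16` here as well. The `encRevision == 3` branch and its enclosing function continue outside the hunk.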