
Bug#291251: CAN-2005-0064: Arbitrary code execution in kpdf

Package: kpdf
Severity: grave
Tags: security sarge sid

This problem also affects kpdf:

URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0064

Reference: IDEFENSE:20050118 Multiple Unix/Linux Vendor Xpdf makeFileKey2 Stack Overflow
Reference: URL:http://www.idefense.com/application/poi/display?id=186&type=vulnerabilities
Reference: CONFIRM:ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl3.patch

Buffer overflow in the Decrypt::makeFileKey2 function in Decrypt.cc
for xpdf 3.00 and earlier allows remote attackers to execute arbitrary
code via a PDF file with a large /Encrypt /Length keyLength value.

You'll find the patch in the source of xpdf 3.00-12, which I'm attaching.

Regards,

	Joey

-- 
Ten years and still binary compatible.  -- XFree86

Please always Cc to me when replying to me on the lists.
diff -u xpdf-3.00/debian/changelog xpdf-3.00/debian/changelog
--- xpdf-3.00/debian/changelog
+++ xpdf-3.00/debian/changelog
@@ -1,3 +1,12 @@
+xpdf (3.00-12) unstable; urgency=high
+
+  * SECURITY UPDATE: Fixed buffer overflow that could overwrite the stack 
+    and hence cause the execution of arbitrary code as reported by 
+    iDEFENSE (xpdf/Decrypt.cc)
+  * References: CAN-2005-0064
+
+ -- Hamish Moffatt <hamish@debian.org>  Wed, 19 Jan 2005 23:48:56 +1100
+
 xpdf (3.00-11) unstable; urgency=high
 
   * SECURITY UPDATE: fix potential buffer overflow
only in patch2:
--- xpdf-3.00.orig/xpdf/Decrypt.cc
+++ xpdf-3.00/xpdf/Decrypt.cc
@@ -73,6 +73,11 @@
   Guchar fx, fy;
   int len, i, j;
 
+  // check whether we have non-zero keyLength
+  if ( !keyLength ) {
+    return gFalse;
+  }
+
   // try using the supplied owner password to generate the user password
   *ownerPasswordOk = gFalse;
   if (ownerPassword) {
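Review bot: the guard added at the top of this function rejects only keyLength == 0, yet the report quoted in this mail names a large /Encrypt /Length keyLength as the trigger, and a negative keyLength also passes `!keyLength`. Bound the value instead of testing it for zero, e.g. `if (keyLength < 1 || keyLength > 16) { return gFalse; }`; that refuses a malformed key length outright rather than silently truncating it in the loops below, and makes the per-loop `j < 16` clamps unnecessary. Minor: `if ( !keyLength )` uses spacing that differs from the surrounding `if (ownerPassword)` style.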
@@ -98,7 +103,7 @@
     } else {
       memcpy(test2, ownerKey->getCString(), 32);
       for (i = 19; i >= 0; --i) {
-	for (j = 0; j < keyLength; ++j) {
+	for (j = 0; j < keyLength && j < 16; ++j) {
 	  tmpKey[j] = test[j] ^ i;
 	}
 	rc4InitKey(tmpKey, keyLength, fState);
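Review bot: the XOR loop is now capped at 16 bytes, but the very next line, `rc4InitKey(tmpKey, keyLength, fState);`, still receives the uncapped keyLength. If rc4InitKey indexes its key argument up to keyLength bytes, as an RC4 key schedule does, then for keyLength > 16 it is told the key is longer than tmpKey and reads past the buffer the clamp was meant to protect. Either pass the clamped count here, or better, reject keyLength > 16 at function entry so this call is never reached with an oversized value.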
@@ -135,6 +140,11 @@
   int len, i, j;
   GBool ok;
 
+  // check whether we have non-zero keyLength
+  if ( !keyLength ) {
+    return gFalse;
+  }
+
   // generate file key
   buf = (Guchar *)gmalloc(68 + fileID->getLength());
   if (userPassword) {
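Review bot: this is the same zero-only test as in the first Decrypt.cc hunk, with the same gap: negative and oversized keyLength values pass `!keyLength`, and nothing between this check and the loop further down limits them. Use the bounded form `if (keyLength < 1 || keyLength > 16)` here as well, and consider performing the check once where keyLength is derived from /Encrypt /Length instead of repeating an unbounded one in two functions.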
@@ -172,7 +182,7 @@
   } else if (encRevision == 3) {
     memcpy(test, userKey->getCString(), 32);
     for (i = 19; i >= 0; --i) {
-      for (j = 0; j < keyLength; ++j) {
+      for (j = 0; j < keyLength && j < 16; ++j) {
 	tmpKey[j] = fileKey[j] ^ i;
       }
       rc4InitKey(tmpKey, keyLength, fState);
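Review bot: as in the earlier loop, the `&& j < 16` clamp protects only the XOR into tmpKey; `rc4InitKey(tmpKey, keyLength, fState);` on the following line is still given the full keyLength, so the mismatch between bytes written and length claimed remains. Clamping in two loops while leaving the consumer unbounded is fragile: validate keyLength against the 16-byte limit once, at the point it is derived, and these two loop changes can be dropped again. The changelog entry should also say that the check is a bound on keyLength, not just a non-zero test, so the next maintainer knows what the fix guarantees.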

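The failure mode the CVE text in this report describes, as an added worked example in C that is not xpdf's, kpdf's or the patch author's code: keyLength is derived from the /Encrypt /Length entry of the PDF (a bit count chosen by whoever wrote the file) and then used as the number of bytes mixed into a fixed 16-byte stack buffer. The example shows the unchecked derivation beside a bounded one that rejects anything outside the 40..128-bit range the standard security handler defines, and simulates the overflow inside a 64-byte model frame with a canary after tmpKey so that the demo itself never writes out of bounds. All names (encrypt_length_bits, raw_key_len, checked_key_len, mix_key_unchecked, mix_key_checked, struct frame) and both sample dictionaries are this example's own constructions, and the 16-byte buffer size is assumed from the `j < 16` clamp in the patch.

```c
/* Added example for CAN-2005-0064; not xpdf's or kpdf's code.  Models where
 * keyLength comes from and why trusting it is fatal when the key is mixed
 * into a 16-byte stack buffer.  The overflow is simulated inside a 64-byte
 * "frame" with a canary after tmpKey, so the demo stays in bounds.
 * Names and sample dictionaries below are constructed for this example. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TMPKEY_LEN 16   /* assumed size of the fixed RC4 key buffer */
#define FRAME_LEN  64   /* simulated stack frame: tmpKey + what follows it */

/* Constructed /Encrypt dictionaries (not taken from any real PDF). */
static const char BENIGN_DICT[]  = "<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 >>";
static const char HOSTILE_DICT[] = "<< /Filter /Standard /V 2 /R 3 /Length 256 /P -3904 >>";

/* Pull the integer after /Length out of a dictionary string.  Deliberately
 * minimal tokenising; returns -1 when the key is absent or not an integer. */
int encrypt_length_bits(const char *dict) {
    const char *p = strstr(dict, "/Length");
    if (!p) return -1;
    p += strlen("/Length");
    char *end;
    long v = strtol(p, &end, 10);
    if (end == p || v < INT_MIN || v > INT_MAX) return -1;
    return (int)v;
}

/* What the vulnerable code effectively did: bits / 8 with no range check,
 * so the file's author picks the byte count that drives the tmpKey loops. */
int raw_key_len(int length_bits) { return length_bits / 8; }

/* Hardened form: the standard security handler defines /Length only as a
 * multiple of 8 between 40 and 128 bits (5..16 bytes).  Reject everything
 * else before any buffer is sized or filled, rather than silently clamping. */
int checked_key_len(int length_bits) {
    if (length_bits < 40 || length_bits > 128 || length_bits % 8 != 0)
        return -1;
    return length_bits / 8;
}

struct frame { unsigned char bytes[FRAME_LEN]; };

/* tmpKey zeroed; everything after it filled with a canary pattern standing
 * in for whatever the compiler placed there (saved registers, return address). */
static void frame_init(struct frame *f) {
    memset(f->bytes, 0x00, TMPKEY_LEN);
    memset(f->bytes + TMPKEY_LEN, 0xAA, FRAME_LEN - TMPKEY_LEN);
}

static bool frame_intact(const struct frame *f) {
    for (int i = TMPKEY_LEN; i < FRAME_LEN; i++)
        if (f->bytes[i] != 0xAA) return false;
    return true;
}

/* Shape of the pre-patch loop: keyLength bytes XORed into tmpKey.  The only
 * guard is the demo's own, keeping the write inside the model frame; the
 * real code had none.  Returns whether the bytes beyond tmpKey survived. */
bool mix_key_unchecked(struct frame *f, int keyLength, int iter) {
    if (keyLength < 0 || keyLength > FRAME_LEN) return false;   /* demo guard */
    for (int j = 0; j < keyLength; ++j)
        f->bytes[j] = (unsigned char)(j ^ iter);
    return frame_intact(f);
}

/* Same loop behind a proper bound on keyLength: out-of-range values are
 * refused and nothing is written. */
bool mix_key_checked(struct frame *f, int keyLength, int iter) {
    if (keyLength < 1 || keyLength > TMPKEY_LEN) return false;
    for (int j = 0; j < keyLength; ++j)
        f->bytes[j] = (unsigned char)(j ^ iter);
    return frame_intact(f);
}

int main(void) {
    const char *dicts[] = { BENIGN_DICT, HOSTILE_DICT };
    for (int d = 0; d < 2; d++) {
        int bits = encrypt_length_bits(dicts[d]);
        struct frame f;
        frame_init(&f);
        bool ok = mix_key_unchecked(&f, raw_key_len(bits), 19);
        printf("/Length %d: raw keyLength %d -> frame %s; checked keyLength %d\n",
               bits, raw_key_len(bits), ok ? "intact" : "CLOBBERED",
               checked_key_len(bits));
    }
    return 0;
}
```

Run as is, the benign dictionary yields keyLength 16 and an intact frame, while /Length 256 yields keyLength 32 and clobbers the canary; checked_key_len returns -1 for 256 (and for 0, 44 or 4096), so the hardened path never reaches the loop with an oversized value.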