Bug#1011333: /usr/bin/pdftosrc: CVE-2021-27548 - null-pointer deference in XFAScanner::scanNode used by pdftosrc
Package: texlive-binaries
Version: 2022.20220321.62855-1
Severity: important
File: /usr/bin/pdftosrc
Tags: security
X-Debbugs-Cc: codehelp@debian.org, Debian Security Team <team@security.debian.org>
texlive-binaries in unstable, experimental and bookworm embeds
xpdfreader 4.03 and the code is exposed via the pdftosrc binary.
The PoC file from the CVE triggers a segmentation fault in pdftosrc.
pdftosrc from bullseye (correctly) reports a broken PDF without
crashing as texlive-binaries in bullseye embeds xpdfreader 4.02.
https://sources.debian.org/src/texlive-bin/2021.20210626.59705-1/libs/xpdf/ChangeLog/
https://sources.debian.org/src/texlive-bin/2021.20210626.59705-1/libs/xpdf/xpdf-src/xpdf/XFAScanner.cc/?hl=243#L243
The following vulnerability was published for texlive-binaries.
CVE-2021-27548[0]:
| There is a Null Pointer Dereference vulnerability in the
| XFAScanner::scanNode() function in XFAScanner.cc in xpdf 4.03.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-27548
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27548
Please adjust the affected versions in the BTS as needed.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.17.0-2-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages texlive-binaries depends on:
ii libc6 2.34-0experimental2
ii libcairo2 1.16.0-5
ii libfontconfig1 2.13.1-4.4
ii libfreetype6 2.12.1+dfsg-1
ii libgcc-s1 12.1.0-2
ii libgraphite2-3 1.3.14-1
ii libharfbuzz0b 2.7.4-1+b1
ii libicu71 71.1-3
ii libkpathsea6 2022.20220321.62855-1
ii libmpfr6 4.1.0-3
ii libpaper1 1.1.28+b1
ii libpixman-1-0 0.40.0-1
ii libpng16-16 1.6.37-5
ii libptexenc1 2022.20220321.62855-1
ii libstdc++6 12.1.0-2
ii libsynctex2 2022.20220321.62855-1
ii libteckit0 2.5.11+ds1-1
ii libtexlua53 2022.20220321.62855-1
ii libtexluajit2 2022.20220321.62855-1
ii libx11-6 2:1.7.5-1
ii libxaw7 2:1.0.14-1
ii libxi6 2:1.8-1
ii libxmu6 2:1.1.3-3
ii libxpm4 1:3.5.12-1
ii libxt6 1:1.2.1-1
ii libzzip-0-13 0.13.72+dfsg.1-1.1
ii perl 5.34.0-4
ii t1utils 1.41-4
ii tex-common 6.17
ii zlib1g 1:1.2.11.dfsg-4
Versions of packages texlive-binaries recommends:
ii dvisvgm 2.13.4-1
ii texlive-base 2021.20220204-1
texlive-binaries suggests no packages.
-- no debconf information
Reply to: