SB2019032516 - Multiple vulnerabilities in Xpdf




Published: March 25, 2019 Updated: July 29, 2019

Security Bulletin ID: SB2019032516
Severity: High
Patch available: No
Number of vulnerabilities: 21
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 19%, Low: 81%

Description

This security bulletin contains information about 21 security vulnerabilities.


1) Resource management error (CVE-ID: CVE-2019-10018)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a floating point exception within the PostScriptFunction::exec() function in Function.cc for the psOpIdiv case. A remote attacker can create a specially crafted PDF file, pass it to the application and perform a denial of service attack.
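
An added example, not Xpdf's code: a minimal stack evaluator showing the operand check an integer-divide opcode such as psOpIdiv needs before it divides. It assumes the exception comes from the divide's trapping operands (a zero divisor, or INT_MIN / -1); the opcode names, `checked_idiv` and `run_calc` are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical opcode set for this sketch; not Xpdf's own enum. */
typedef enum { OP_PUSH, OP_IDIV } Op;
typedef struct { Op op; int arg; } Instr;

#define STACK_MAX 16

/* Integer division that rejects the two operand pairs that trap (SIGFPE on
 * x86): a zero divisor, and INT_MIN / -1, whose quotient does not fit in int. */
static bool checked_idiv(int a, int b, int *out) {
    if (b == 0 || (a == INT_MIN && b == -1))
        return false;
    *out = a / b;
    return true;
}

/* Runs a program over an int stack. Returns true and stores the top of the
 * stack in *result on success; returns false on stack misuse or a rejected
 * idiv, so a malformed function fails cleanly instead of killing the process. */
bool run_calc(const Instr *prog, size_t n, int *result) {
    int stack[STACK_MAX];
    size_t sp = 0;
    for (size_t i = 0; i < n; i++) {
        switch (prog[i].op) {
        case OP_PUSH:
            if (sp == STACK_MAX) return false;   /* stack overflow */
            stack[sp++] = prog[i].arg;
            break;
        case OP_IDIV: {
            if (sp < 2) return false;            /* stack underflow */
            int b = stack[--sp], a = stack[--sp], r;
            if (!checked_idiv(a, b, &r)) return false;
            stack[sp++] = r;
            break;
        }
        default:
            return false;                        /* unknown opcode */
        }
    }
    if (sp == 0) return false;
    *result = stack[sp - 1];
    return true;
}
```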


2) Out-of-bounds read (CVE-ID: CVE-2019-12360)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary condition within the FoFiTrueType::dumpString() function in fofi/FoFiTrueType.cc. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger a stack-based out-of-bounds read error and crash the application.


3) Out-of-bounds read (CVE-ID: CVE-2019-12493)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the PostScriptFunction::transform() function in Function.cc. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger a stack-based out-of-bounds read error and crash the application.


4) Out-of-bounds read (CVE-ID: CVE-2019-14293)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary condition within the GfxPatchMeshShading::parse() function in GfxState.cc for typeA!=6 case 2. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger an out-of-bounds read error and crash the application.


5) Out-of-bounds read (CVE-ID: CVE-2019-12515)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the FlateStream::getChar() function in Stream.cc. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read the contents of memory on the system.


6) Out-of-bounds read (CVE-ID: CVE-2019-12958)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the FoFiType1C::convertToType0() function in fofi/FoFiType1C.cc. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger an out-of-bounds read error and crash the application.


7) Out-of-bounds read (CVE-ID: CVE-2019-12957)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the FoFiType1C::convertToType1() function in fofi/FoFiType1C.cc. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger an out-of-bounds read error and crash the application.


8) Out-of-bounds read (CVE-ID: CVE-2019-13283)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error within the FoFiType1::parse() function in fofi/FoFiType1.cc, when processing PDF files. A remote attacker can perform a denial of service attack.


9) Out-of-bounds read (CVE-ID: CVE-2019-13282)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition within the SampledFunction::transform() function in Function.cc. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger an out-of-bounds read error and crash the application.


10) Heap-based buffer overflow (CVE-ID: CVE-2019-13281)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the DCTStream::decodeImage() function in Stream.cc. A remote attacker can create a specially crafted PDF file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


11) Out-of-bounds read (CVE-ID: CVE-2019-13291)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a heap-based buffer over-read in the DCTStream::readScan() function in Stream.cc. A remote attacker can perform a denial of service attack.


12) Use-after-free (CVE-ID: CVE-2019-13289)

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within the JBIG2Stream::close() function in JBIG2Stream.cc. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.


13) Infinite loop (CVE-ID: CVE-2019-13288)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an infinite loop within the Parser::getObj() function in Parser.cc when processing PDF files. A remote attacker can consume all available system resources and cause denial of service conditions.


14) Out-of-bounds read (CVE-ID: CVE-2019-13287)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the SplashXPath::strokeAdjust() function in splash/SplashXPath.cc. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read the contents of memory on the system or crash the application.


15) Out-of-bounds read (CVE-ID: CVE-2019-13286)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a heap-based buffer over-read in the JBIG2Stream::readTextRegionSeg() function in JBIG2Stream.cc. A remote attacker can perform a denial of service attack.


16) Out-of-bounds read (CVE-ID: CVE-2019-14292)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary condition within the GfxPatchMeshShading::parse() function in GfxState.cc for typeA!=6 case 1. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger an out-of-bounds read error and crash the application.


17) Out-of-bounds read (CVE-ID: CVE-2019-14291)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary condition within the GfxPatchMeshShading::parse() function in GfxState.cc for typeA==6 case 3. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger an out-of-bounds read error and crash the application.


18) Out-of-bounds read (CVE-ID: CVE-2019-14290)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a boundary condition within the GfxPatchMeshShading::parse() function in GfxState.cc for typeA==6 case 2. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger an out-of-bounds read error and crash the application.


19) Integer overflow (CVE-ID: CVE-2019-14289)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an integer overflow within the JBIG2Bitmap::combine() function in JBIG2Stream.cc for the "multiple bytes per line" case. A remote attacker can create a specially crafted PDF file, pass it to the affected application, trigger an integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


20) Integer overflow (CVE-ID: CVE-2019-14288)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an integer overflow within the JBIG2Bitmap::combine() function in JBIG2Stream.cc for the "one byte per line" case. A remote attacker can create a specially crafted PDF file, pass it to the affected application, trigger an integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


21) Out-of-bounds read (CVE-ID: CVE-2019-14294)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when processing PDF files within the JPXStream::fillReadBuf() function in JPXStream.cc. A remote attacker can create a specially crafted PDF file, pass it to the affected application, trigger an out-of-bounds read error and perform a denial of service attack.


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.