CVE-2010-3704

Description

The FoFiType1::parse function in fofi/FoFiType1.cc in the PDF parser in xpdf before 3.02pl5, poppler 0.8.7 and possibly other versions up to 0.15.1, kdegraphics, and possibly other products allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PDF file with a crafted PostScript Type1 font that contains a negative array index, which bypasses input validation and triggers memory corruption.

Affected products

• foolabs / xpdf0.5a – 0.5a
• foolabs / xpdf3.02pl3 – 3.02pl3
• foolabs / xpdf3.02pl2 – 3.02pl2
• foolabs / xpdf3.02pl1 – 3.02pl1
• foolabs / xpdf3.0.1 – 3.0.1
• foolabs / xpdf1.00a – 1.00a
• foolabs / xpdf0.93c – 0.93c
• foolabs / xpdf0.93b – 0.93b
• foolabs / xpdf0.93a – 0.93a
• foolabs / xpdf0.92e – 0.92e
• foolabs / xpdf0.92d – 0.92d
• foolabs / xpdf0.92c – 0.92c
• foolabs / xpdf0.92b – 0.92b
• foolabs / xpdf0.92a – 0.92a
• foolabs / xpdf0.91c – 0.91c
• foolabs / xpdf0.91b – 0.91b
• foolabs / xpdf0.91a – 0.91a
• foolabs / xpdf0.7a – 0.7a
• glyphandcog / xpdfreader0.4 – 0.4
• glyphandcog / xpdfreader3.02
• glyphandcog / xpdfreader0.2 – 0.2
• glyphandcog / xpdfreader0.3 – 0.3
• glyphandcog / xpdfreader0.5 – 0.5
• glyphandcog / xpdfreader0.6 – 0.6
• glyphandcog / xpdfreader0.7 – 0.7
• glyphandcog / xpdfreader0.80 – 0.80
• glyphandcog / xpdfreader0.90 – 0.90
• glyphandcog / xpdfreader0.91 – 0.91
• glyphandcog / xpdfreader0.92 – 0.92
• glyphandcog / xpdfreader0.93 – 0.93
• glyphandcog / xpdfreader1.00 – 1.00
• glyphandcog / xpdfreader1.01 – 1.01
• glyphandcog / xpdfreader2.00 – 2.00
• glyphandcog / xpdfreader2.01 – 2.01
• glyphandcog / xpdfreader2.02 – 2.02
• glyphandcog / xpdfreader2.03 – 2.03
• glyphandcog / xpdfreader3.00 – 3.00
• glyphandcog / xpdfreader3.01 – 3.01
• glyphandcog / xpdfreader3.02 – 3.02
• KDE / kdegraphics
• poppler / poppler0.11.0 – 0.11.0
• poppler / poppler0.10.7 – 0.10.7
• poppler / poppler0.10.6 – 0.10.6
• poppler / poppler0.10.5 – 0.10.5
• poppler / poppler0.10.4 – 0.10.4
• poppler / poppler0.10.3 – 0.10.3
• poppler / poppler0.10.2 – 0.10.2
• poppler / poppler0.10.1 – 0.10.1
• poppler / poppler0.10.0 – 0.10.0
• poppler / poppler0.9.3 – 0.9.3
• poppler / poppler0.9.2 – 0.9.2
• poppler / poppler0.9.1 – 0.9.1
• poppler / poppler0.9.0 – 0.9.0
• poppler / poppler0.8.7 – 0.8.7
• poppler / poppler0.12.2 – 0.12.2
• poppler / poppler0.12.3 – 0.12.3
• poppler / poppler0.12.4 – 0.12.4
• poppler / poppler0.13.0 – 0.13.0
• poppler / poppler0.13.1 – 0.13.1
• poppler / poppler0.13.2 – 0.13.2
• poppler / poppler0.13.3 – 0.13.3
• poppler / poppler0.13.4 – 0.13.4
• poppler / poppler0.14.0 – 0.14.0
• poppler / poppler0.14.1 – 0.14.1
• poppler / poppler0.14.2 – 0.14.2
• poppler / poppler0.14.3 – 0.14.3
• poppler / poppler0.14.4 – 0.14.4
• poppler / poppler0.14.5 – 0.14.5
• poppler / poppler0.15.0 – 0.15.0
• poppler / poppler0.15.1 – 0.15.1
• poppler / poppler0.12.1 – 0.12.1
• poppler / poppler0.12.0 – 0.12.0
• poppler / poppler0.11.3 – 0.11.3
• poppler / poppler0.11.1 – 0.11.1
• poppler / poppler0.11.2 – 0.11.2

References

• MAILING_LISThttp://lists.fedoraproject.org/pipermail/package-announce/2010-November/050285.html
• MAILING_LISThttp://www.openwall.com/lists/oss-security/2010/10/04/6
• MAILING_LISThttp://lists.fedoraproject.org/pipermail/package-announce/2010-October/049392.html
• MISChttp://www.redhat.com/support/errata/RHSA-2010-0859.html
• VENDOR_ADVISORYhttp://secunia.com/advisories/42357
• VENDOR_ADVISORYhttp://www.mandriva.com/security/advisories?name=MDVSA-2010:228
• VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2011/0230
• MISChttp://www.redhat.com/support/errata/RHSA-2010-0752.html
• MISChttp://www.openoffice.org/security/cves/CVE-2010-3702_CVE-2010-3704.html
• MISChttps://bugzilla.redhat.com/show_bug.cgi?id=638960
• VENDOR_ADVISORYhttp://www.mandriva.com/security/advisories?name=MDVSA-2010:230
• MAILING_LISThttp://lists.opensuse.org/opensuse-security-announce/2010-11/msg00006.html
• MISChttp://cgit.freedesktop.org/poppler/poppler/commit/?id=39d140bfc0b8239bdd96d6a55842034ae5c05473
• MISCftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl5.patch
• MISChttp://rhn.redhat.com/errata/RHSA-2012-1201.html
• VENDOR_ADVISORYhttp://www.mandriva.com/security/advisories?name=MDVSA-2010:231
• MAILING_LISThttp://lists.fedoraproject.org/pipermail/package-announce/2010-November/050390.html
• MISChttp://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.571720
• MISChttp://www.redhat.com/support/errata/RHSA-2010-0751.html
• VENDOR_ADVISORYhttp://secunia.com/advisories/42397
• VENDOR_ADVISORYhttp://secunia.com/advisories/42141
• MAILING_LISThttp://lists.fedoraproject.org/pipermail/package-announce/2010-October/049523.html
• VENDOR_ADVISORYhttp://www.mandriva.com/security/advisories?name=MDVSA-2012:144
• VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2010/3097
• VENDOR_ADVISORYhttp://www.ubuntu.com/usn/USN-1005-1
• MISChttp://www.redhat.com/support/errata/RHSA-2010-0749.html
• MAILING_LISThttp://lists.fedoraproject.org/pipermail/package-announce/2010-October/049545.html
• MAILING_LISThttp://lists.fedoraproject.org/pipermail/package-announce/2010-November/050268.html
• VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2010/2897
• VENDOR_ADVISORYhttp://secunia.com/advisories/42691
• VENDOR_ADVISORYhttp://www.debian.org/security/2010/dsa-2119
• MAILING_LISThttp://lists.opensuse.org/opensuse-security-announce/2010-12/msg00006.html
• VENDOR_ADVISORYhttp://www.mandriva.com/security/advisories?name=MDVSA-2010:229
• MISChttp://www.securityfocus.com/bid/43841
• VENDOR_ADVISORYhttp://www.debian.org/security/2010/dsa-2135
• MISChttp://www.redhat.com/support/errata/RHSA-2010-0753.html
• VENDOR_ADVISORYhttp://secunia.com/advisories/43079