xpdf, cups, poppler etc. CVE-2010-3702 CVE-2010-3704

damNageHack
Posts: 663
Joined: 24. Sep 2009, 17:07

xpdf, cups, poppler etc. CVE-2010-3702 CVE-2010-3704

Post by damNageHack »

For your interest. Although this does not [yet] concern a Salix package directly but mostly a Slackware one, please be warned.
Hopefully there will soon be an official fixed package available :)

https://rhn.redhat.com/errata/RHSA-2010-0751.html
An updated xpdf package that fixes two security issues is now available for
Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Xpdf is an X Window System based viewer for Portable Document Format (PDF)
files.

An uninitialized pointer use flaw was discovered in Xpdf. An attacker could
create a malicious PDF file that, when opened, would cause Xpdf to crash
or, potentially, execute arbitrary code. (CVE-2010-3702)

An array index error was found in the way Xpdf parsed PostScript Type 1
fonts embedded in PDF documents. An attacker could create a malicious PDF
file that, when opened, would cause Xpdf to crash or, potentially, execute
arbitrary code. (CVE-2010-3704)

Users are advised to upgrade to this updated package, which contains
backported patches to correct these issues.
EDIT
poppler, CUPS, gpdf and KPDF are also affected :!: :roll:

EDIT2
libpoppler seems to be the bad guy so far
caitlyn
Posts: 209
Joined: 5. Dec 2009, 20:42
Location: Hunstville, Texas, USA

Re: xpdf, cups, poppler etc. CVE-2010-3702 CVE-2010-3704

Post by caitlyn »

I'm actually surprised there is no updated Slackware package yet. Slackware is usually very prompt about getting security updates out.
damNageHack
Posts: 663
Joined: 24. Sep 2009, 17:07

Re: xpdf, cups, poppler etc. CVE-2010-3702 CVE-2010-3704

Post by damNageHack »

More curious than Slackware having no update yet is this:
<Offtopic>There is no update for Fedora 13 either, but one for both Fedora 14 and 15.</Offtopic>

Slackware also seems to stick with the buggy version 0.12 of poppler. Version 0.14 seems to have the fix in it.

Two files are concerned:
http://cgit.freedesktop.org/poppler/pop ... 0e2b257773
http://cgit.freedesktop.org/poppler/pop ... 522531b25c
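To turn the remark above into something an admin can run, here is an added example (my own code, not from the original post, from Slackware, Salix or poppler) that parses Slackware package names in the name-version-arch-build form and flags installed poppler packages older than a minimum version. The 0.14 threshold is taken from the post above and is only an assumption; the package list is constructed for the example, and on a real system the names would come from `ls /var/log/packages`.

```shell
#!/bin/sh
# Added example: audit installed Slackware packages against a minimum version.
# Package file names follow name-version-arch-build, e.g. poppler-0.12.4-i486-1.
# The name may itself contain hyphens, so the fields are split from the right.

# Print the package name (everything before the last three hyphen fields).
pkg_name() {
    printf '%s\n' "$1" | sed -E 's/-[^-]+-[^-]+-[^-]+$//'
}

# Print the version field (third from the right).
pkg_version() {
    printf '%s\n' "$1" | sed -E 's/^.*-([^-]+)-[^-]+-[^-]+$/\1/'
}

# Return 0 (true) if dotted version $1 is strictly lower than $2,
# comparing component by component and treating missing components as 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1;
    }'
}

# Constructed package list standing in for `ls /var/log/packages`.
SAMPLE_PACKAGES='poppler-0.12.4-i486-1
poppler-data-0.4.3-noarch-1
xpdf-3.02-i486-5
cups-1.4.4-i486-1'

# audit_package NAME MIN_VERSION PACKAGE_LIST
# Prints one line per installed package whose name matches NAME exactly
# (so poppler-data is not mistaken for poppler), marking it VULNERABLE
# when its version is below MIN_VERSION.
audit_package() {
    name=$1 fixed=$2 pkglist=$3
    printf '%s\n' "$pkglist" | while IFS= read -r pkg; do
        [ "$(pkg_name "$pkg")" = "$name" ] || continue
        ver=$(pkg_version "$pkg")
        if version_lt "$ver" "$fixed"; then
            printf '%s %s VULNERABLE (needs >= %s)\n' "$name" "$ver" "$fixed"
        else
            printf '%s %s ok\n' "$name" "$ver"
        fi
    done
}

# Minimum version is an assumption taken from the post above ("0.14 seems
# to have the fix"); adjust it to whatever the advisory for your release says.
audit_package poppler 0.14 "$SAMPLE_PACKAGES"
```

One caveat for real use: Slackware usually ships security fixes as backported patches with the same upstream version and a bumped build number, so a version-only comparison will still report such a patched package as vulnerable. Once an SSA advisory is out, match the full package name (including build) against the names it lists rather than relying on the version threshold alone.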
thenktor
Salix Wizard
Posts: 2426
Joined: 6. Jun 2009, 14:47
Location: Franconia
Contact:

Re: xpdf, cups, poppler etc. CVE-2010-3702 CVE-2010-3704

Post by thenktor »

damNageHack wrote:More curious than Slackware having no update yet is this:
<Offtopic>There is no update for Fedora 13 either, but one for both Fedora 14 and 15.</Offtopic>
What is Fedora? :mrgreen:
burnCDDA (burns audio CDs)
geBIERt (German beer blog)
damNageHack
Posts: 663
Joined: 24. Sep 2009, 17:07

Re: xpdf, cups, poppler etc. CVE-2010-3702 CVE-2010-3704

Post by damNageHack »

thenktor wrote:What is Fedora? :mrgreen:
Sorry, but your question cannot be honest. :lol:
http://www.fedoradallas.com/about.html wrote:Fedora Restaurant & Lounge brings mouth-watering, bona fide Italian flavors to the sexy, 1940s feel of the Arts Districts' most authentic and delectable piece of Northern Italy.
(...)
Let Chef Jordan personalize the experience, changing the dishes to your tastes and treating you to a delectable dining experience based on years of classical training and a talent for fine cuisine. Buon Appetito!
caitlyn
Posts: 209
Joined: 5. Dec 2009, 20:42
Location: Hunstville, Texas, USA

Re: xpdf, cups, poppler etc. CVE-2010-3702 CVE-2010-3704

Post by caitlyn »

thenktor wrote:What is Fedora? :mrgreen:
A distro that is so cutting edge it almost always has breakage :D It's the development environment and test bed for a very nice, very stable distro called Red Hat Enterprise Linux. Fedora is not something I'd want to run on a regular basis, but that's just me.
zAchAry
Posts: 804
Joined: 11. May 2010, 09:02
Location: Israel

Re: xpdf, cups, poppler etc. CVE-2010-3702 CVE-2010-3704

Post by zAchAry »

Mazal Tov! :)

[A-1432] SSA:2010-324-01 & SSA:2010-324-02 (via: Space_J (spacej)'s status on Sunday, 21-Nov-10 06:44:09 UTC - Identi.ca)


[slackware-security] xpdf (SSA:2010-324-01)
New xpdf packages are available for Slackware 9.1, 10.0, 10.1, 10.2, 11.0, 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix security issues.

http://www.slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.571720
[slackware-security] poppler (SSA:2010-324-02)
New poppler packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix security issues.

http://www.slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.475147
Edit:
thenktor wrote:What is Fedora? :mrgreen:
It iz aon Linux-based Opareting Sistam from some Mafia and haz teh wery cewl featcha that can has made yo screen into a tutch screen thingy, cee zat.
Help to make Slackware easier Donate to Salix