Technical Description

Multiple vulnerabilities have been identified in Xpdf, which could be exploited by attackers to cause a denial of service or compromise a vulnerable system. These issues are caused by buffer and integer overflows, and memory corruption errors in the "xpdf/JBIG2Stream.cc" file when processing specially crafted data, which could be exploited by attackers to crash an affected application or execute arbitrary code by tricking a user into opening a malicious PDF file.

Affected Products

Xpdf versions prior to 3.02pl3

Solution

Apply patch 3.02pl3 :
ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl3.patch

References

http://www.vupen.com/english/advisories/2009/1065
https://rhn.redhat.com/errata/RHSA-2009-0430.html

Credits

Vulnerabilities reported by Braden Thomas, Drew Yao (Apple Product Security team), and Will Dormann (CERT/CC).

ChangeLog

2009-04-17 : Initial release
2009-05-15 : Updated References

Vulnerability Management

Subscribe to VUPEN VNS and receive real-time alerts with CVE, CWE, and CVSS when new advisories or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.