USN-163-1: xpdf vulnerability

10 August 2005

xpdf vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 5.04
  • Ubuntu 4.10

Software Description

Details

xpdf and kpdf did not sufficiently verify the validity of the “loca” table in PDF files, a table that contains glyph description information for embedded TrueType fonts. After detecting the broken table, xpdf attempted to reconstruct the information in it, which caused the generation of a huge temporary file that quickly filled up available disk space and rendered the application unresponsive.

The CUPS printing system in Ubuntu 5.04 uses the xpdf-utils package to convert PDF files to PostScript. By attempting to print such a crafted PDF file, a remote attacker could cause a Denial of Service in a print server. The CUPS system in Ubuntu 4.10 is not vulnerable against this attack.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 5.04
kpdf
xpdf-reader
xpdf-utils
Ubuntu 4.10
kpdf
xpdf-reader
xpdf-utils

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

References