Red Hat 9062 Published by

Fedora Legacy Update Advisory

Synopsis: Updated xpdf package fixes security issues
Advisory ID: FLSA:175404
Issue date: 2006-03-16
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-2097 CVE-2005-3191 CVE-2005-3192
CVE-2005-3193 CVE-2005-3624 CVE-2005-3625
CVE-2005-3626 CVE-2005-3627 CVE-2005-3628
CVE-2006-0301
---------------------------------------------------------------------



---------------------------------------------------------------------
1. Topic:

An updated xpdf package that fixes several security issues is now
available.

The xpdf package is an X Window System-based viewer for Portable
Document Format (PDF) files.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

A flaw was discovered in Xpdf in that an attacker could construct a
carefully crafted PDF file that would cause Xpdf to consume all
available disk space in /tmp when opened. The Common Vulnerabilities
and Exposures project assigned the name CVE-2005-2097 to this issue.

Several flaws were discovered in Xpdf. An attacker could construct a
carefully crafted PDF file that could cause Xpdf to crash or possibly
execute arbitrary code when opened. The Common Vulnerabilities and
Exposures project assigned the names CVE-2005-3191, CVE-2005-3192,
CVE-2005-3193, CVE-2005-3624, CVE-2005-3625, CVE-2005-3626,
CVE-2005-3627 and CVE-2005-3628 to these issues.

A heap based buffer overflow bug was discovered in Xpdf. An attacker
could construct a carefully crafted PDF file that could cause Xpdf to
crash or possibly execute arbitrary code when opened. The Common
Vulnerabilities and Exposures project assigned the name CVE-2006-0301
to this issue.

Users of Xpdf should upgrade to this updated package, which contains
backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175404

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/xpdf-1.00-7.6.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/xpdf-1.00-7.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/xpdf-chinese-simplified-1.00-7.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/xpdf-chinese-traditional-1.00-7.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/xpdf-japanese-1.00-7.6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/xpdf-korean-1.00-7.6.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/xpdf-2.01-11.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/xpdf-2.01-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/xpdf-chinese-simplified-2.01-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/xpdf-chinese-traditional-2.01-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/xpdf-japanese-2.01-11.4.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/xpdf-korean-2.01-11.4.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/xpdf-2.03-1.4.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/xpdf-2.03-1.4.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/xpdf-3.00-3.8.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/xpdf-3.00-3.8.1.legacy.i386.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/xpdf-3.01-0.FC3.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/xpdf-3.01-0.FC3.5.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/xpdf-3.01-0.FC3.5.legacy.x86_64.rpm


7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------

6096aa2b487e635ae3003cf246ec66d53dc81d41
redhat/7.3/updates/i386/xpdf-1.00-7.6.legacy.i386.rpm
e670899dd04a31d466d0ba2cc213763157a3b101
redhat/7.3/updates/i386/xpdf-chinese-simplified-1.00-7.6.legacy.i386.rpm
c636a2b79eb22afe35993466675e9fdd086a84f2
redhat/7.3/updates/i386/xpdf-chinese-traditional-1.00-7.6.legacy.i386.rpm
9a2bfe9e373cd20422a862f48d3d6ad787b7f0f1
redhat/7.3/updates/i386/xpdf-japanese-1.00-7.6.legacy.i386.rpm
bc47f11dea342606e74aff1a55cf74bd52783b60
redhat/7.3/updates/i386/xpdf-korean-1.00-7.6.legacy.i386.rpm
ace7a51b625269d9f5bd3355b07a842f0e1426f4
redhat/7.3/updates/SRPMS/xpdf-1.00-7.6.legacy.src.rpm

4fe0714cdf2194cf0426e15210cbe509d77b2788
redhat/9/updates/i386/xpdf-2.01-11.4.legacy.i386.rpm
c54fad904f475d693c781632dbadfae9434e4c87
redhat/9/updates/i386/xpdf-chinese-simplified-2.01-11.4.legacy.i386.rpm
1b6f0cf3f309515fd60b88576a1168f9d9bc7fe0
redhat/9/updates/i386/xpdf-chinese-traditional-2.01-11.4.legacy.i386.rpm
accef6df9ed9b1cee0e05fffa7e7dde085ae3f35
redhat/9/updates/i386/xpdf-japanese-2.01-11.4.legacy.i386.rpm
69a7ae59cb1ddb5b422eccdec53711f459939c3f
redhat/9/updates/i386/xpdf-korean-2.01-11.4.legacy.i386.rpm
090ddacf36dc0180c16cef8526aedc9bb9c5225c
redhat/9/updates/SRPMS/xpdf-2.01-11.4.legacy.src.rpm

0349626a79f659adc0590938b99a6097f6898f10
fedora/1/updates/i386/xpdf-2.03-1.4.legacy.i386.rpm
8612ba60a89cfb0ef195450d1c927487b868deec
fedora/1/updates/SRPMS/xpdf-2.03-1.4.legacy.src.rpm

f60fc20854386ef91f6769aabd29f3a77e29084d
fedora/2/updates/i386/xpdf-3.00-3.8.1.legacy.i386.rpm
64139c039afc0af67eadcc8c87e03aed6c6254d0
fedora/2/updates/SRPMS/xpdf-3.00-3.8.1.legacy.src.rpm

268cba4fb5fd62699595cdeed78375f324c874f6
fedora/3/updates/i386/xpdf-3.01-0.FC3.5.legacy.i386.rpm
021ec4bb4d86192a519261b3073a3d348e4fa14a
fedora/3/updates/x86_64/xpdf-3.01-0.FC3.5.legacy.x86_64.rpm
3e139055107af9057062154add60191331765e43
fedora/3/updates/SRPMS/xpdf-3.01-0.FC3.5.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3624
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3626
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3627
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3628
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0301

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
project details at http://www.fedoralegacy.org