Mandrake Linux Security Advisory : tetex (MDKSA-2006:011)

This script is Copyright (C) 2006-2013 Tenable Network Security, Inc.


Synopsis :

The remote Mandrake Linux host is missing one or more security
updates.

Description :

Multiple heap-based buffer overflows in the
DCTStream::readProgressiveSOF and DCTStream::readBaselineSOF functions
in the DCT stream parsing code (Stream.cc) in xpdf 3.01 and earlier
allow user-complicit attackers to cause a denial of service (heap
corruption) and possibly execute arbitrary code via a crafted PDF file
with an out-of-range number of components (numComps), which is used as
an array index. (CVE-2005-3191)

Heap-based buffer overflow in the StreamPredictor function in Xpdf
3.01 allows remote attackers to execute arbitrary code via a PDF file
with an out-of-range numComps (number of components) field.
(CVE-2005-3192)

Heap-based buffer overflow in the JPXStream::readCodestream function
in the JPX stream parsing code (JPXStream.c) for xpdf 3.01 and earlier
allows user-complicit attackers to cause a denial of service (heap
corruption) and possibly execute arbitrary code via a crafted PDF file
with large size values that cause insufficient memory to be allocated.
(CVE-2005-3193)

An additional patch re-addresses memory allocation routines in
goo/gmem.c (Martin Pitt/Canonical, Dirk Mueller/KDE).

In addition, Chris Evans discovered several other vulnerabilities in
the xpdf code base :

Out-of-bounds heap accesses with large or negative parameters to
'FlateDecode' stream. (CVE-2005-3192)

Out-of-bounds heap accesses with large or negative parameters to
'CCITTFaxDecode' stream. (CVE-2005-3624)

Infinite CPU spins in various places when stream ends unexpectedly.
(CVE-2005-3625)

NULL pointer crash in the 'FlateDecode' stream. (CVE-2005-3626)

Overflows of compInfo array in 'DCTDecode' stream. (CVE-2005-3627)

Possible to use index past end of array in 'DCTDecode' stream.
(CVE-2005-3627)

Possible out-of-bounds indexing trouble in 'DCTDecode' stream.
(CVE-2005-3627)

Tetex uses an embedded copy of the xpdf code, with the same
vulnerabilities.

The updated packages have been patched to correct these problems.
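
The two bug classes described above (a file-supplied component count used as an array index, and size values from the file driving an allocation) come down to two checks. The sketch below is an added example, not code from xpdf, teTeX or the Mandriva patch; the header layout, MAX_COMPS, checked_alloc_n and read_frame_header are hypothetical names chosen for illustration, and the inputs in main are constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_COMPS 4  /* assumed capacity of the fixed component table */
struct comp_info { int id, h_sample, v_sample, quant_table; };
struct frame { int num_comps; struct comp_info comp[MAX_COMPS]; };

/* Overflow-checked array allocation: NULL instead of an undersized buffer
 * when a count or size is non-positive or n_objs * obj_size would wrap. */
void *checked_alloc_n(long n_objs, long obj_size)
{
    if (n_objs <= 0 || obj_size <= 0 ||
        (uintmax_t)n_objs > SIZE_MAX / (uintmax_t)obj_size)
        return NULL;
    return malloc((size_t)n_objs * (size_t)obj_size);
}

/* Simplified frame header: data[0] is the file-supplied component count,
 * followed by 3 bytes per component. Returns 0 if accepted, -1 if rejected. */
int read_frame_header(const unsigned char *data, size_t len, struct frame *f)
{
    if (len < 1 || data[0] < 1 || data[0] > MAX_COMPS) /* count must fit table */
        return -1;
    int n = data[0];
    if (len - 1 < (size_t)n * 3)       /* all declared entries must be present */
        return -1;
    f->num_comps = n;
    for (int i = 0; i < n; i++) {      /* i is now provably < MAX_COMPS */
        const unsigned char *p = data + 1 + 3 * i;
        f->comp[i].id = p[0];
        f->comp[i].h_sample = p[1] >> 4;
        f->comp[i].v_sample = p[1] & 0x0f;
        f->comp[i].quant_table = p[2];
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: a valid 3-component header and one claiming 200. */
    const unsigned char good[] = {3, 1, 0x22, 0, 2, 0x11, 1, 3, 0x11, 1};
    const unsigned char bad[]  = {200, 1, 0x22, 0};
    struct frame f;
    printf("good: %d, bad: %d\n", read_frame_header(good, sizeof good, &f),
           read_frame_header(bad, sizeof bad, &f));
    printf("huge alloc rejected: %d\n", checked_alloc_n(LONG_MAX, 16) == NULL);
    return 0;
}
```
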

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Family: Mandriva Local Security Checks

Nessus Plugin ID: 20477 (mandrake_MDKSA-2006-011.nasl)

Bugtraq ID:

CVE ID: CVE-2005-3191
CVE-2005-3192
CVE-2005-3193
CVE-2005-3624
CVE-2005-3625
CVE-2005-3626
CVE-2005-3627
CVE-2005-3628
