FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

xpdf -- makeFileKey2() buffer overflow vulnerability

Affected packages
xpdf < 3.00_6
kdegraphics < 3.3.2_2
gpdf < 2.8.3
teTeX-base < 2.0.2_9
cups-base <
koffice < 1.3.5_2,1
pdftohtml < 0.36_2


VuXML ID f755545e-6fcd-11d9-abec-00061bd2d56f
Discovery 2005-01-06
Entry 2005-01-26
Modified 2005-02-03

An iDEFENSE Security Advisory reports:

Remote exploitation of a buffer overflow vulnerability in the xpdf PDF viewer included in multiple Unix and Linux distributions could allow for arbitrary code execution as the user viewing a PDF file.

The vulnerability specifically exists due to insufficient bounds checking while processing a PDF file that provides malicious values in the /Encrypt /Length tag. The offending code can be found in the Decrypt::makeFileKey2 function in the source file xpdf/


CVE Name CVE-2005-0064