USN-163-1: xpdf vulnerability
10 August 2005
xpdf vulnerability
Releases
Details
xpdf and kpdf did not sufficiently verify the validity of the "loca"
table in PDF files, a table that contains glyph description
information for embedded TrueType fonts. After detecting the broken
table, xpdf attempted to reconstruct the information in it, which
caused the generation of a huge temporary file that quickly filled up
available disk space and rendered the application unresponsive.
The CUPS printing system in Ubuntu 5.04 uses the xpdf-utils package to
convert PDF files to PostScript. By attempting to print such a crafted
PDF file, a remote attacker could cause a Denial of Service in a print
server. The CUPS system in Ubuntu 4.10 is not vulnerable against this
attack.
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 5.04
-
xpdf-utils
-
-
xpdf-reader
-
-
kpdf
-
Ubuntu 4.10
-
xpdf-utils
-
-
xpdf-reader
-
-
kpdf
-
In general, a standard system update will make all the necessary changes.