
Arch Linux alert ASA-201910-10 (xpdf)

From:  Morten Linderud <foxboron@archlinux.org>
To:  arch-security@archlinux.org
Subject:  [ASA-201910-10] xpdf: arbitrary code execution
Date:  Wed, 23 Oct 2019 16:19:47 +0200
Message-ID:  <20191023141947.3tmq6exlng3vdefq@anathema>

Arch Linux Security Advisory ASA-201910-10
==========================================

Severity: Medium
Date    : 2019-10-16
CVE-ID  : CVE-2019-16927
Package : xpdf
Type    : arbitrary code execution
Remote  : No
Link    : https://security.archlinux.org/AVG-1048

Summary
=======

The package xpdf before version 4.02-1 is vulnerable to arbitrary code
execution.

Resolution
==========

Upgrade to 4.02-1.

# pacman -Syu "xpdf>=4.02-1"

The problem has been fixed upstream in version 4.02.

Workaround
==========

None.

Description
===========

Xpdf 4.01.01 has an out-of-bounds write in the vertProfile part of the
TextPage::findGaps function in TextOutputDev.cc, a different
vulnerability than CVE-2019-9877.

Impact
======

A local attacker is able to execute arbitrary code via a specially
crafted PDF document.

References
==========

https://bugs.archlinux.org/task/63980
https://forum.xpdfreader.com/viewtopic.php?f=3&t=41885
https://security.archlinux.org/CVE-2019-16927

