News

=========================================================== Ubuntu Security Notice USN-163-1 August 09, 2005 xpdf vulnerability CAN-2005-2097 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) The following packages are affected: xpdf-reader xpdf-utils kpdf The problem can be corrected by upgrading the affected package to version 3.00-8ubuntu1.5 (for Ubuntu 4.10), or 3.00-11ubuntu3.1 (xpdf-reader and xpdf-utils for Ubuntu 5.04) and 4:3.4.0-0ubuntu3.1 (kpdf for Ubuntu 5.04). In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: xpdf and kpdf did not sufficiently verify the validity of the "loca" table in PDF files, a table that contains glyph description information for embedded TrueType fonts. After detecting the broken table, xpdf attempted to reconstruct the information in it, which caused the generation of a huge temporary file that quickly filled up available disk space and rendered the application unresponsive. The CUPS printing system in Ubuntu 5.04 uses the xpdf-utils package to convert PDF files to PostScript. By attempting to print such a crafted PDF file, a remote attacker could cause a Denial of Service in a print server. The CUPS system in Ubuntu 4.10 is not vulnerable against this attack.