Security holes in many PDF components

Aug 02, 2007

Nils Magnus

A bug in the Xpdf 3.02 source code can cause the PDF viewer to crash. Programs that use Xpdf code are affected.

The bug, which has the CVE ID CVE-2007-3387 and is caused by incorrect memory allocation checking in the "StreamPredictor" class constructor. The security hole, which was discovered by Xpdf developer Derek Noonburg himself, would theoretically give an attacker the ability to run code with the privileges of the user running the program. However, a PDF document capable of executing malicious code is unknown at the present

The developers advise users to update PDF Viewer and any programs containing Xpdf code. Candidates include various KDE components such as Kpdf and Koffice. The Gnome desktop environment with its Poppler PDF library is also affected. The KDE project has published source code patches, and several Linux distributions have already built updated packages.

Related content

Security Issues in Xpdf Make Waves

In the past, security bugs in the Xpdf PDF viewer have endangered Linux systems time and again, and projects that use Xpdf code are also affected.

more »
Webconverger 4.7 with Firewall and Adobe Reader

Webconverger, a Linux distro to drive web kiosk systems, is now available in version 4.7. Some updates improve its security.

more »
Fix for Security Hole in Android G1

In one fell swoop and with an automatically distributed patch, Google and T-Mobile fixed a problem with the G1 mobile phone whereby users could access root privileges and possibly raise all kinds of havoc.

more »
Relaxed Flash: Blitzableiter Checks for Malicious Flash Files

On stimulus from the German Federal Agency for Information Security (BSI), Felix "FX" Lindner of the Phenoelit hacker group investigated the security of Flash object code. The result is a free protection program with the name Blitzableiter ("lightning rod").

more »
Poppler PDF library learns Javascript

Poppler, a library for rendering PDF data, was released in its developer version as 0.9.0. For the first time it enables interactive documents using Javascript.

more »

comments powered by Disqus

Issue 231/2020

Buy this issue as a PDF

Digital Issue: Price $12.99

(incl. VAT)

GPU Computing

News and views on the GPU revolution in HPC and Big Data:

News

Thanks to Linux, Google and Valve are Bringing Steam to Chromebooks

Games , Linux

In yet another win for desktop Linux, Google and Steam are about to up the Chromebook gaming field.
Kubuntu Focus Laptop Now Ready for Preorder

Kubuntu , laptop

If you’ve ever wanted a KDE-specific, Linux-powered laptop, now’s your chance.
Dell Adds a Much-Requested Feature to the New XPS Developer Edition Laptop

laptop , Linux

Linux users are in for a treat when Dell releases the next iteration of the Ubuntu-powered XPS Developer Edition laptop.
Bonsai Promises to Make Syncing Gnome Devices Easier

Gnome , Red Hat , Red Hat Linux

Red Hat developer, Christian Hergert has been working on a GNOME desktop syncing project with lots of promise.
Elementary OS 5.1 Has Arrived

Community

One of the most highly regarded Linux desktop distributions has released its next iteration.
Linux Mint 19.3 Will be Released by Christmas

The developers behind Linux Mint have announced 19.3 will be released by Christmas 2019.
Linux Kernel 5.4 Released

A number of new changes and improvements have reached the Linux kernel.
System76 To Design And Build Laptops In-House

In-house designed and built laptops coming from System76.
News and views on the GPU revolution in HPC and Big Data:
The PinePhone Pre-Order has Arrived

Anyone looking to finally get their hands on an early release of the PinePhone can do so as of November 15.