The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

computer vulnerability alert for xpdf: memory corruption via Gfx - CVE-2010-4654

Synthesis of the vulnerability

An attacker can invite the victim to display a malicious PDF document with xpdf, in order to execute code on his computer.
Severity of this weakness: 2/4.
Creation date: 21/01/2011.
Références of this bulletin: BID-45948, CVE-2010-4654, VIGILANCE-VUL-10290.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The xpdf program displays PDF or PostScript documents, which can contain TrueType character fonts.

A TrueType font is composed of shapes (lines and Bezier curves) and of a "program" which adapts these outlines on the display grid.

The Gfx() function of the poppler/Gfx.cc file displays characters. However, if the "program" uses too many instructions unstacking the stack, the memory is corrupted.

An attacker can therefore invite the victim to display a malicious PDF document with xpdf, in order to execute code on his computer.
Full Vigil@nce bulletin... (Free trial)

This computer threat alert impacts software or systems such as Unix (platform) ~ not comprehensive.

Our Vigil@nce team determined that the severity of this weakness announce is medium.

The trust level is of type confirmed by the editor, with an origin of document.

An attacker with a expert ability can exploit this computer weakness bulletin.

Solutions for this threat

xpdf: patch for Gfx.
A patch is available in information sources.
Full Vigil@nce bulletin... (Free trial)

Computer vulnerabilities tracking service

Vigil@nce provides a system vulnerability alert. The technology watch team tracks security threats targeting the computer system.