CVE-2022-38171

CVEnew

CVE-2022-38171 Xpdf prior to version 4.04 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readSymbolDictSeg() in https://t.co/nnbv5xcBV7). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the ex... https://t.co/DOio1RGovy

wdormann

Remember that FORCEDENTRY iOS exploit chain that started with the Xpdf integer overflow, assigned CVE-2021-30860 by Apple, fixed only in Apple's code last year? SURELY Xpdf itself, Poppler, and friends got fixes then too, right? Right??? CVE-2022-38171 https://t.co/5ep5xW2BCa

vulnonym

I declare CVE-2022-38171 to be named Naive Finfish https://t.co/z8cCgbsNxQ

jasper@ changed textproc/xpdf: Security fix for CVE-2022-38171. See:

OpenBSD_ports

kili@ changed print/poppler: Fix for CVE-2022-38171 (similar to the one jasper@ added to xpdf). (No update to a newer poppler, because it requires C++-17, which grows tentacles and breaks ports depending on poppler and exiv2 because the latter still uses auto_ptr)

oss_security

JBIG2 integer overflow fixed in Xpdf 4.04, Poppler 22.09.0: Posted by Art Manion on Sep 02Xpdf 4.04 (released 2022-04-18, CVE-2022-38171): Poppler 22.09.0 (released 2022-09-01, CVE-2022-38784): https://t.co/yh1FE3vbRn