CVE-2005-2097

NameCVE-2005-2097
Descriptionxpdf and kpdf do not properly validate the "loca" table in PDF files, which allows local users to cause a denial of service (disk consumption and hang) via a PDF file with a "broken" loca table, which causes a large temporary file to be created when xpdf attempts to reconstruct the information.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-1136-1, DSA-780-1, DSA-936-1, DSA-982-1, DSA-984-1, DTSA-28-1
NVD severitylow (attack range: local)
Debian Bugs322458, 322462, 324464, 334454

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cups (PTS)wheezy, wheezy (security)1.5.3-5+deb7u6fixed
jessie (security), jessie1.7.5-11+deb8u1fixed
stretch2.2.1-8fixed
buster2.2.4-7fixed
sid2.2.5-2fixed
libextractor (PTS)wheezy1:0.6.3-5fixed
jessie1:1.3-2fixed
stretch1:1.3-4fixed
buster, sid1:1.4-1fixed
poppler (PTS)wheezy0.18.4-6fixed
wheezy (security)0.18.4-6+deb7u3fixed
jessie (security), jessie0.26.5-2+deb8u1fixed
stretch0.48.0-2fixed
buster, sid0.57.0-2fixed
xpdf (PTS)wheezy3.03-10fixed
jessie3.03-17fixed
buster, sid, stretch3.04-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cupssource(unstable)1.1.22-7low324464
cupsyssource(unstable)1.1.22-7low324464
cupsyssourcewoody(not affected)
gpdfsource(unstable)2.10.0-4low334454
gpdfsourceetch2.10.0-1+etch1lowDTSA-28-1
gpdfsourcesarge2.8.2-1.2sarge5lowDSA-1136-1
kdegraphicssource(unstable)4:3.4.2-1low322458
kdegraphicssourcesarge4:3.3.2-2sarge1lowDSA-780-1322458
kdegraphicssourcewoody(not affected)DSA-780-1
libextractorsource(unstable)0.5.8-1medium
libextractorsourcesarge0.4.2-2sarge2lowDSA-936-1
popplersource(unstable)0.4.0-1low
tetex-binsource(unstable)3.0-12low
tetex-binsourcesarge(not affected)
tetex-binsourcewoody(not affected)
xpdfsource(unstable)3.00-15low322462
xpdfsourcesarge3.00-13.6lowDSA-984-1

Notes

[woody] - tetex-bin <not-affected> (pdftex doesn't include or use the vulnerable code)
tetex links to poppler since 3.0-12
[sarge] - tetex-bin <not-affected> (tetex2 uses an older version, which is not affected)
Cups switched to xpdf-utils
[woody] - cupsys <not-affected> (Vulnerable code not present)

Search for package or bug name: Reporting problems