CVE-2006-1244

NameCVE-2006-1244
DescriptionUnspecified vulnerability in certain versions of xpdf after 3.00, as used in various products including (a) pdfkit.framework, (b) gpdf, (c) pdftohtml, and (d) libextractor, has unknown impact and user-assisted attack vectors, possibly involving errors in (1) gmem.c, (2) SplashXPathScanner.cc, (3) JBIG2Stream.cc, (4) JPXStream.cc, and/or (5) Stream.cc. NOTE: this description is based on Debian advisory DSA 979, which is based on changes that were made after other vulnerabilities such as CVE-2006-0301 and CVE-2005-3624 through CVE-2005-3628 were fixed. Some of these newer fixes appear to be security-relevant, although it is not clear if they fix specific issues or are defensive in nature.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-1019-1, DSA-982-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
xpdf (PTS)buster3.04-13fixed
bullseye3.04+git20210103-3fixed
bookworm3.04+git20220601-1fixed
sid, trixie3.04+git20240202-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gpdfsourcesarge2.8.2-1.2sarge4DSA-982-1
gpdfsource(unstable)2.10.0-3
kofficesourcesarge1.3.5-4.sarge.3DSA-1019-1
kofficesource(unstable)2.3.3-1
xpdfsource(unstable)(not affected)

Notes

- xpdf <not-affected> (All issues previously fixed)
Discussion has shown that the revamp patch doesn't fix new vulnerabilities
xpdf (and therewith the questionable code) is not part of koffice for some time now

Search for package or bug name: Reporting problems