Bug 1131011 (CVE-2019-10020)

Summary:	VUL-1: CVE-2019-10020: xpdf: floating point exception in function Splash:scaleImageYuXu at Splash.cc
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Robert Frohl <rfrohl>
Component:	Incidents	Assignee:	Peter Simons <peter.simons>
Status:	RESOLVED INVALID	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P4 - Low	CC:	pgajdos, smash_bz
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/226988/
Whiteboard:	CVSSv3:SUSE:CVE-2019-10020:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) maint:planned:update
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Bug Depends on:
Bug Blocks:	1133493

Description Robert Frohl 2019-03-29 14:19:53 UTC

rh#1693636

An issue was discovered in Xpdf 4.01.01. There is an FPE in the function Splash::scaleImageYuXu at Splash.cc for x Bresenham parameters.

Reference:
https://forum.xpdfreader.com/viewtopic.php?f=3&t=41274

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1693636
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10020
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10020.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10020
https://forum.xpdfreader.com/viewtopic.php?f=3&t=41274

Comment 1 Robert Frohl 2019-03-29 14:20:34 UTC

tracking as affected:
- SUSE:SLE-10-SP3:Update
- SUSE:SLE-11:Update

Comment 2 Robert Frohl 2023-06-08 08:36:48 UTC

affected codestreams are not supported anymore, closing

Comment 3 Petr Gajdos 2023-06-08 10:16:16 UTC

(11sp1/poppler does not reproduce)

Comment 4 Petr Gajdos 2023-06-08 10:18:24 UTC

(FWIW, Hence *5556* bounds to bug 1130999, considering *5560* to bound to this CVE. Newer versions does not crash, too.)