This issue was resolved by modifying DCTStream to call XFAStream::mediaEnd at the end of the embedded data, rather than XFAStream::end, which is meant for the end of the enclosing stream. The most severe outcome is when a user opens a specially crafted XFA document in a browser, which would allow an attacker to execute arbitrary code with the permissions of that user.

Affected versions: XFA 1.0.2 through 1.0.5. XFA 1.0.6 and later are not vulnerable. (The original advisory text also contains the sentence "XFA 1.0.5 and later is vulnerable", which contradicts the rest of its version information; confirm the affected range against the vendor's advisory before relying on it.)

Can this be triggered from stream content in an XFA file?

Yes. To exploit this vulnerability, an attacker would need to create or modify an XFA file containing a specially crafted stream element, so that the unpatched DCTStream reaches the end of the embedded data and invokes XFAStream::end (the end-of-stream handler) there instead of XFAStream::mediaEnd. The patched DCTStream calls XFAStream::mediaEnd at that point, which is what closes the trigger.
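The advisory does not say what memory-safety consequence follows from using the end-of-stream handler where the end-of-media handler belongs. The following is an added illustration of the general bug class, written for this page and not taken from XFA's source: a decoder whose output is sized for the embedded media payload but which runs to the end of the enclosing container instead. The type and function names (xstream, decode_vulnerable, decode_fixed, demo), the XOR "decoding", and the sample bytes are all constructed for the example; the overrun is detected by a bounds check here so the model is safe to run, where a real decoder without that check would write past its buffer.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model (added example, not XFA's code): a container stream
 * carries a media payload followed by trailing container bytes. The
 * decoder allocates its output for the payload alone, so it must stop at
 * the payload's end (media_end), not at the container's end (end). */
typedef struct {
    const uint8_t *buf;
    size_t media_end;   /* offset one past the last payload byte */
    size_t end;         /* offset one past the last container byte */
} xstream;

/* Decodes bytes [0, limit) into out. Returns the number of bytes written,
 * or -1 when the decoder would write past out_cap (the overrun a real
 * decoder without this check would perform). The XOR stands in for real
 * DCT decoding; the point is only where the loop stops. */
static long decode_until(const xstream *s, size_t limit,
                         uint8_t *out, size_t out_cap) {
    size_t n = 0;
    for (size_t i = 0; i < limit; i++) {
        if (n >= out_cap) return -1;   /* would overflow the output buffer */
        out[n++] = s->buf[i] ^ 0x5A;   /* stand-in for decoding one byte */
    }
    return (long)n;
}

/* Unpatched behaviour modelled: decoding runs to the container's end. */
long decode_vulnerable(const xstream *s, uint8_t *out, size_t out_cap) {
    return decode_until(s, s->end, out, out_cap);
}

/* Patched behaviour modelled: decoding stops at the media payload's end. */
long decode_fixed(const xstream *s, uint8_t *out, size_t out_cap) {
    return decode_until(s, s->media_end, out, out_cap);
}

/* Constructed sample: 8 payload bytes (JPEG-like SOI ... EOI markers),
 * then 4 trailing container bytes that are not part of the media. */
static const uint8_t SAMPLE[] = {
    0xFF, 0xD8, 0x01, 0x02, 0x03, 0x04, 0xFF, 0xD9,
    0x0A, 'e', 'n', 'd'
};
#define SAMPLE_MEDIA_END 8u

/* Runs both decoders with an output buffer sized for the payload only.
 * Returns 1 when the fixed decoder consumes exactly the payload and the
 * vulnerable one is caught trying to write past the buffer. */
int demo(void) {
    xstream s = { SAMPLE, SAMPLE_MEDIA_END, sizeof SAMPLE };
    uint8_t out[SAMPLE_MEDIA_END];
    long v = decode_vulnerable(&s, out, sizeof out);
    long f = decode_fixed(&s, out, sizeof out);
    return v == -1 && f == (long)SAMPLE_MEDIA_END;
}

int main(void) {
    return demo() ? 0 : 1;
}
```

The model shows why the two end markers matter: any trailing bytes an attacker places after the media payload are decoded as if they were part of it when the loop is bounded by the container's end, and the attacker controls how many such bytes there are.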

How to fix code

1. Download the patch referenced by the advisory (it is not reproduced on this page) and place it in your XFA 1.0.5 directory.
2. If you run another affected version (1.0.2 through 1.0.4), edit the patch so that it applies cleanly to that version.
3. Copy the patched files to your server.
4. Run xfa-build -r on your site to rebuild all links.

Upgrading to XFA 1.0.6 or later, which already contains the fix, avoids carrying a local patch at all.

Timeline

Published on: 09/23/2022 18:15:00 UTC
Last modified on: 09/27/2022 04:19:00 UTC
