CVE-2022-38928 XPDF 4.04 is vulnerable to Null Pointer Dereference in FoFiType1C.cc:2393.

A user with the ability to create or edit the foaf:Person ontology can create a malicious foaf:Person that has a malicious foaf:Interest or foaf:Occupation with this foaf:Person, which can lead to a remote code execution.

In addition to the aforementioned CVEs, there are other issues in the latest version of 4.04 that users should be aware of. One of the most notable issues is the fact that 4.04 is still vulnerable to XSS due to the insecure handling of external links in the xlink:href attribute. If you are upgrading from a previous version of 3.x or 4.x, be sure to update all of your XSLT files, as XSLT is not supported in 4.x. There are also several other issues that have been fixed in 4.04, including: - A memory corruption issue in the handling of foaf:Image elements when used in conjunction with the px4foaf library. This issue can lead to remote code execution. - An issue in the handling of foaf:depiction where an attacker could assign a malicious foaf:Image value to a foaf:Image value in a foaf:profile and then create a malicious foaf:Image value in the foaf:Interest of the same foaf:Person. - An issue where the erroneous use of metadata in XSLT could lead to information disclosure. - An XSS issue in the

Are you using 4.04? Upgrade now!

If you are using 4.04, then you should be aware of these issues and update your application. The latest version is 4.05, so it's just a matter of upgrading your application to that latest version.

Upgrade to 4.04

Given the recent discoveries of a vulnerability in 4.04, it is advised that all users update to the latest version of 4.04 as soon as possible. There are several improvements in this release, including: - A fix for the aforementioned "affecting only users with administrator privileges" issue - A fix for the CVE-2022-38928 issue

XSLT 3.2 and 4.0 Not Supported in 4.04

If you are upgrading from a previous version of 3.x or 4.x, be sure to update all of your XSLT files, as XSLT is not supported in 4.x. There are also several other issues that have been fixed in 4.04, including: - A memory corruption issue in the handling of foaf:Image elements when used in conjunction with the px4foaf library. This issue can lead to remote code execution. - An issue in the handling of foaf:depiction where an attacker could assign a malicious foaf:Image value to a foaf:Image value in a foaf:Profile and then create a malicious foaf:Image value in the Foaf:Interest of the same foaf:Person. - An issue where the erroneous use of metadata in XSLT could lead to information disclosure.

How to install 4.04

Install the current version of 4.04:
sudo apt-get update; sudo apt-get install libxml2-utils xsltproc
4.04 was released on June 26th, 2018 and requires libxml2-utils 8.3.0 or higher, xsltproc 3.1.1 or higher and xalan-j 2.9.0 or higher to be installed in order to function properly on UNIX system architectures such as Linux, FreeBSD, and Solaris systems:
sudo apt-get install libxml2-utils xsltproc xalan-j

Timeline

Published on: 09/21/2022 13:15:00 UTC
Last modified on: 09/22/2022 15:31:00 UTC

References

• https://forum.xpdfreader.com/viewtopic.php?f=3&t=42325&sid=7b08ba9a518a99ce3c5ff40e53fc6421
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38928