Bug 491864

Summary: Multiple PDF flaws
Product: [Other] Security Response
Reporter: Josh Bressers <bressers>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: jlieskov, jnovy, krh, mjc, mkasik, security-response-team, than, twaugh, vdanen
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-10-30 20:51:41 UTC
Bug Depends On: 490612, 490614, 490625, 490707, 490708, 490710, 490711, 490712, 490713, 490714, 490715, 490716, 490717, 490727, 490728, 490729, 490730, 492381, 492384, 492385, 492386, 492387, 495886, 495887, 495889, 495892, 495894, 495896, 495899, 495906, 495907, 833914    
Attachments:
  Proposed patch (flags: none)
  updated patch from upstream (flags: none)
  Updated upstream patch, converted to unified format (flags: none)
  Another updated patch from upstream (flags: none)
  Latest upstream poppler patch (flags: none)

Description Josh Bressers 2009-03-24 13:40:08 UTC
Created attachment 336465
Proposed patch

CERT created a test archive of broken PDF files that focus on the JBIG2 image decoder contained in xpdf/poppler and variants.

Derek Noonburg created a patch that fixes all crashes the PDF archive caused.

The patch also fixes the issues CVE-2009-0146, CVE-2009-0147, CVE-2009-0166.

Comment 6 Vincent Danen 2009-03-27 18:11:13 UTC
Created attachment 337048
updated patch from upstream

This is the updated patch from Derek.

Comment 7 Tomas Hoger 2009-03-30 07:37:27 UTC
Created attachment 337193
Updated upstream patch, converted to unified format

Same patch as in comment #6 above, just converted from context diff to a lot more readable unified diff.

Interdiff against the original patch in comment #0:

--- xpdf-3.02/xpdf/JBIG2Stream.cc
+++ xpdf-3.02/xpdf/JBIG2Stream.cc
@@ -805,6 +805,10 @@
   Guint src0, src1, src, dest, s1, s2, m1, m2, m3;
   GBool oneByte;
 
+  // check for the pathological case where y = -2^31
+  if (y < -0x7fffffff) {
+    return;
+  }
   if (y < 0) {
     y0 = -y;
   } else {
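
Review bot: the added guard `if (y < -0x7fffffff)` hard-codes a 32-bit int width. On that width it matches only y == INT_MIN, the one value for which the `y0 = -y` just below overflows, so comparing against INT_MIN from <limits.h> would state the intent directly and stay correct if int is wider. The bare `return;` also drops the call silently; consider reporting an error at this point so that a JBIG2 stream producing this y is flagged rather than skipped without trace.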

Comment 9 Josh Bressers 2009-04-01 14:28:38 UTC
Created attachment 337540
Another updated patch from upstream

Comment 20 Josh Bressers 2009-04-13 20:05:25 UTC
Created attachment 339370
Latest upstream poppler patch

Comment 21 Vincent Danen 2009-04-16 21:30:01 UTC
Embargo has been lifted.

Comment 22 errata-xmlrpc 2009-04-24 07:56:04 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 3

Via RHSA-2009:0430 https://rhn.redhat.com/errata/RHSA-2009-0430.html

Comment 23 errata-xmlrpc 2009-04-24 08:05:56 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:0431 https://rhn.redhat.com/errata/RHSA-2009-0431.html

Comment 24 errata-xmlrpc 2009-04-24 08:24:23 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:0428 https://rhn.redhat.com/errata/RHSA-2009-0428.html

Comment 25 errata-xmlrpc 2009-04-24 08:26:44 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:0429 https://rhn.redhat.com/errata/RHSA-2009-0429.html

Comment 26 errata-xmlrpc 2009-04-30 20:58:33 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:0458 https://rhn.redhat.com/errata/RHSA-2009-0458.html

Comment 27 errata-xmlrpc 2009-05-13 14:32:55 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:0480 https://rhn.redhat.com/errata/RHSA-2009-0480.html