Bug 495907 (CVE-2009-1188)

Summary: CVE-2009-1188 xpdf/poppler: SplashBitmap integer overflow
Product: [Other] Security Response
Reporter: Josh Bressers <bressers>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: jrb, mjc, mkasik, yoyzhang
Keywords: Security
Hardware: All
OS: Linux
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1188
Whiteboard: impact=important,source=cert,reported=20090316,public=20090416,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cwe=CWE-190[auto]
Doc Type: Bug Fix
Last Closed: 2010-12-20 17:17:40 EST
Bug Depends On: 496942, 496943, 496944    
Bug Blocks: 491864    

Description Josh Bressers 2009-04-15 10:24:34 EDT
An integer overflow was found in poppler's SplashBitmap::SplashBitmap
method. A malicious PDF file could cause poppler to execute with
permissions of the user calling the library.

Will Dormann of the CERT/CC created the extensive testsuite for the JBIG2
decoder in various PDF libraries that found this flaw.

Acknowledgements:

Red Hat would like to thank Will Dormann of the CERT/CC for responsibly
reporting this flaw.
Comment 2 Tomas Hoger 2009-04-24 03:16:09 EDT
CVE-2009-1188:
Integer overflow in the JBIG2 decoding feature in Poppler before
0.10.6 allows remote attackers to cause a denial of service (crash)
and possibly execute arbitrary code via vectors related to
SplashBitmap (splash/SplashBitmap.cc).
Comment 4 errata-xmlrpc 2009-05-13 10:32:52 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:0480 https://rhn.redhat.com/errata/RHSA-2009-0480.html
Comment 8 Tomas Hoger 2009-10-15 03:44:34 EDT
Patch previously applied to poppler did not check for overflow when computing rowSize (see bug #526915).

Issue is now properly fixed in xpdf-3.02pl4:
  ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl4.patch
  https://bugzilla.redhat.com/show_bug.cgi?id=526637#c14
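
Added example, not code from poppler, xpdf or any commenter in this bug: a generic sketch of the class of check Comment 8 refers to, where every step of a bitmap size computation (the row size, its padding, and the final product with the height) is validated before allocation. The function names, parameters and the padding scheme are assumptions for illustration, and the unchecked variant assumes a 32-bit `unsigned int`.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical helper (not poppler/xpdf code). Computes the padded row size
 * and total byte size of a width x height bitmap with `bpp` bytes per pixel,
 * rows padded to a multiple of `row_pad`. Returns 0 on success, -1 if any
 * input is non-positive or any intermediate value would exceed INT_MAX. */
int checked_bitmap_size(int width, int height, int bpp, int row_pad,
                        int *row_size_out, int *total_out)
{
    if (width <= 0 || height <= 0 || bpp <= 0 || row_pad <= 0)
        return -1;
    /* Step 1: row size. Checking only the final product misses this. */
    if (width > INT_MAX / bpp)
        return -1;
    int row_size = width * bpp;
    /* Step 2: rounding up to the padding boundary can overflow too. */
    if (row_size > INT_MAX - (row_pad - 1))
        return -1;
    row_size += row_pad - 1;
    row_size -= row_size % row_pad;
    /* Step 3: total allocation size. */
    if (height > INT_MAX / row_size)
        return -1;
    *row_size_out = row_size;
    *total_out = row_size * height;
    return 0;
}

/* Unchecked form for comparison. Unsigned arithmetic is used so the
 * wraparound is well-defined and can be observed safely. */
unsigned int unchecked_bitmap_size(unsigned int width, unsigned int height,
                                   unsigned int bpp)
{
    return width * bpp * height;
}

int main(void)
{
    int rs = 0, total = 0;
    /* Constructed inputs: one ordinary bitmap, one oversized width. */
    int ok = checked_bitmap_size(100, 50, 3, 4, &rs, &total);
    printf("100x50: rc=%d row=%d total=%d\n", ok, rs, total);
    int bad = checked_bitmap_size(0x40000001, 1, 4, 4, &rs, &total);
    printf("0x40000001x1: rc=%d, unchecked size=%u bytes\n", bad,
           unchecked_bitmap_size(0x40000001u, 1u, 4u));
    return 0;
}
```

With the oversized width, the unchecked computation wraps to a few bytes while the checked one rejects the dimensions at the row-size step.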
Comment 9 errata-xmlrpc 2009-10-15 04:26:08 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1502 https://rhn.redhat.com/errata/RHSA-2009-1502.html
Comment 10 errata-xmlrpc 2009-10-15 04:34:27 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1501 https://rhn.redhat.com/errata/RHSA-2009-1501.html
Comment 11 errata-xmlrpc 2009-10-15 04:48:35 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1503 https://rhn.redhat.com/errata/RHSA-2009-1503.html
Comment 12 errata-xmlrpc 2009-10-15 05:05:59 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1512 https://rhn.redhat.com/errata/RHSA-2009-1512.html
Comment 13 Fedora Update System 2009-10-20 20:47:24 EDT
xpdf-3.02-15.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2009-10-20 20:54:12 EDT
xpdf-3.02-15.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2009-11-06 13:31:41 EST
xpdf-3.02-15.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2010-02-19 19:11:17 EST
pdfedit-0.4.3-4.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2010-02-19 19:23:36 EST
pdfedit-0.4.3-4.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2010-02-19 19:25:16 EST
pdfedit-0.4.3-4.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.