Bug 526915 (CVE-2009-3603)

Summary: CVE-2009-3603 xpdf/poppler: SplashBitmap::SplashBitmap integer overflow
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: kreilly, krh, mkasik, security-response-team, than, yoyzhang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important,source=vendorsec,reported=20090916,public=20091014,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cwe=CWE-190[auto]
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-10-28 07:02:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 527403, 527404, 527413, 527414, 527454, 527455, 527456, 527457, 527468, 527469, 530890, 833916    
Bug Blocks:    
Attachments:
Description: xpdf upstream patch from Derek B. Noonburg
Flags: none

Description Tomas Hoger 2009-10-02 09:51:21 EDT
An integer overflow was discovered in SplashBitmap::SplashBitmap when computing memory allocation requirements. This issue was previously reported as CVE-2009-1188 / bug #495907 and addressed in poppler via the gmalloc -> gmallocn change in:
http://cgit.freedesktop.org/poppler/poppler/commit/?id=9cf2325fb2

However, such a fix is not sufficient, as the overflow can occur even during the rowSize calculation.

The Splash output device is not present in xpdf 2.x; it is also not in the xpdf code embedded in CUPS or tetex.
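An added example in C (not xpdf's or poppler's own code) of why a checked allocator alone does not close this bug: the row size must be checked before it is ever multiplied by the height. The bytes-per-pixel values, the rowPad rounding and the function names are assumptions modelled on the description above.

```c
/* Added example, not xpdf/poppler source. Bytes-per-pixel values and the
 * rowPad rounding are assumptions based on the bug description. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed colour modes, encoded as bytes per pixel (MONO1 is 1 bit/pixel). */
enum { MODE_MONO1 = 0, MODE_MONO8 = 1, MODE_RGB8 = 3, MODE_CMYK8 = 4 };

/* Hardened row-size computation: every intermediate is range-checked so a
 * hostile width cannot wrap the int before the allocation size is formed.
 * Returns -1 on any overflow or invalid argument. */
int row_size_checked(int width, int mode, int rowPad) {
    int rowSize;
    if (width <= 0 || rowPad <= 0) return -1;
    if (mode == MODE_MONO1) {
        if (width > INT_MAX - 7) return -1;      /* (width + 7) would wrap */
        rowSize = (width + 7) >> 3;
    } else {
        if (mode < 1 || width > INT_MAX / mode) return -1; /* width * bpp wraps */
        rowSize = width * mode;
    }
    /* Round up to a multiple of rowPad; the addition itself can overflow. */
    if (rowSize > INT_MAX - (rowPad - 1)) return -1;
    rowSize += rowPad - 1;
    rowSize -= rowSize % rowPad;
    return rowSize;
}

/* Total buffer size with the second multiplication (the one a gmallocn-style
 * allocator guards) also checked. Returns 0 instead of a wrapped size. */
size_t bitmap_bytes(int width, int height, int mode, int rowPad) {
    int rowSize = row_size_checked(width, mode, rowPad);
    if (rowSize < 0 || height <= 0) return 0;
    if ((size_t)height > SIZE_MAX / (size_t)rowSize) return 0;
    return (size_t)rowSize * (size_t)height;
}
```

A caller that sees -1 or 0 must refuse the bitmap; passing a wrapped value to a checked allocator would simply allocate a buffer far smaller than the rendering code later writes into.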
Comment 1 Tomas Hoger 2009-10-02 09:51:56 EDT
Created attachment 363486 [details]
xpdf upstream patch from Derek B. Noonburg
Comment 12 Tomas Hoger 2009-10-15 03:40:23 EDT
xpdf is now fixed for CVE-2009-1188/CVE-2009-3603 in xpdf-3.02pl4:
  ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl4.patch
  https://bugzilla.redhat.com/show_bug.cgi?id=526637#c14
Comment 13 errata-xmlrpc 2009-10-15 04:51:47 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1504 https://rhn.redhat.com/errata/RHSA-2009-1504.html
Comment 15 Fedora Update System 2009-10-26 08:18:43 EDT
poppler-0.8.7-7.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/poppler-0.8.7-7.fc10
Comment 16 Fedora Update System 2009-10-26 08:20:10 EDT
poppler-0.10.7-3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/poppler-0.10.7-3.fc11
Comment 17 Fedora Update System 2009-10-27 03:04:41 EDT
poppler-0.8.7-7.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2009-10-27 03:14:40 EDT
poppler-0.10.7-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.