Bug 595245 (CVE-2010-3702)

Summary: CVE-2010-3702 xpdf: uninitialized Gfx::parser pointer dereference
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: andreas.bierfert, mkasik, orion, rdieter, security-response-team, tcallawa, than, tremble, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important,source=cert,reported=20100520,public=20100924,cvss2=5.8/AV:A/AC:L/Au:N/C:P/I:P/A:P,rhel-3/xpdf=affected,rhel-3/cups=affected,rhel-3/tetex=affected,rhel-4/xpdf=affected,rhel-4/gpdf=affected,rhel-4/kdegraphics=affected,rhel-4/tetex=affected,rhel-4/cups=affected,rhel-5/poppler=affected,rhel-5/kdegraphics=affected,rhel-5/tetex=affected,rhel-6/poppler=affected,fedora-all/poppler=affected
Doc Type: Bug Fix
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Bug Depends On: 639826, 639827, 639828, 639829, 639830, 639831, 639832, 639833, 639834, 639835, 639836, 639837, 639838, 639839, 639840, 639841, 639842, 639859, 639860, 639861, 639868, 639875, 652108, 773177, 773178, 773180, 833917
Bug Blocks: 638835
Attachments:

  Proposed patch (flags: none)
  xpdf-3.02pl5.patch (flags: none)
  patch used for tetex (flags: none)

Description Tomas Hoger 2010-05-24 03:59:07 EDT
Sauli Pahlman of CERT-FI provided us with a fuzzed PDF file which causes the xpdf / poppler PDF parser to crash.

The crash is caused by an attempt to dereference the uninitialized Gfx::parser pointer in Gfx::getPos(), which assumes parser is either NULL or a valid Parser pointer.

http://cgit.freedesktop.org/poppler/poppler/tree/poppler/Gfx.cc?id=71063d51#n879
Comment 2 Tomas Hoger 2010-05-24 04:01:18 EDT
Created attachment 416048 [details]
Proposed patch

This makes sure that parser is initialized to NULL in the Gfx constructors.
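As an added illustration (not poppler or xpdf code) of the pattern in the description and comment 2: a member pointer that the constructor never sets breaks the "NULL or valid" invariant that getPos() relies on, and the hardened class restores it with a member initializer, which is what the proposed fix does. The names Parser, Gfx and getPos() follow the report; the Parser body, setParser() and the -1 sentinel are assumptions for the example.

```cpp
// Added example, not poppler/xpdf code. Parser's contents and the
// -1 "no parser" sentinel are constructed for this illustration.
#include <cstddef>

struct Parser {
    int pos;                                  // stand-in for parser state
    int getPos() const { return pos; }
};

// Vulnerable shape: the constructor leaves 'parser' indeterminate, so
// getPos() may test and dereference whatever stale value is in memory.
// Reading that member is undefined behaviour; it is shown here only,
// never exercised.
class GfxVulnerable {
public:
    GfxVulnerable() {}                        // parser not initialised
    void setParser(Parser *p) { parser = p; }
    int getPos() const { return parser ? parser->getPos() : -1; }
private:
    Parser *parser;
};

// Hardened shape, matching the fix: the member initializer guarantees
// the invariant "parser is NULL or points at a live Parser".
class GfxFixed {
public:
    GfxFixed() : parser(NULL) {}              // explicit NULL, as in the patch
    void setParser(Parser *p) { parser = p; }
    int getPos() const { return parser ? parser->getPos() : -1; }
private:
    Parser *parser;
};

// A freshly constructed GfxFixed must report "no parser" (-1)...
int fresh_fixed_pos() {
    GfxFixed g;
    return g.getPos();
}

// ...and must forward to the parser once one has been attached.
int fixed_pos_with_parser(int pos) {
    Parser ps = { pos };
    GfxFixed g;
    g.setParser(&ps);
    return g.getPos();
}
```

Compilers do not reliably warn about unset pointer members across constructors, so a run of the original parser under MemorySanitizer (clang `-fsanitize=memory`) or Valgrind on the fuzzed input is the practical way to confirm the read of the indeterminate member.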
Comment 3 Tomas Hoger 2010-09-30 02:30:21 EDT
(In reply to comment #2)
> Created attachment 416048 [details]
> Proposed patch
> 
> This makes sure that parser is initialized to NULL in the Gfx constructors.

Upstream came up with a fix identical to my proposal, based on what seems to be an independent report from Joel Voss:

http://cgit.freedesktop.org/poppler/poppler/commit/?id=e853106b58d6b4b0467dbd6436c9bb1cfbd372cf

http://secunia.com/advisories/41596/
Comment 7 Huzaifa S. Sidhpurwala 2010-10-04 04:54:44 EDT
Created poppler tracking bugs for this issue

Affects: fedora-all [bug 639861]
Comment 14 Tomas Hoger 2010-10-07 10:40:47 EDT
This is likely to affect other applications that embed xpdf code, such as pdfedit and koffice 1.x.  An official xpdf patch may appear later this week.
Comment 15 errata-xmlrpc 2010-10-07 11:05:17 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0749 https://rhn.redhat.com/errata/RHSA-2010-0749.html
Comment 16 errata-xmlrpc 2010-10-07 11:10:54 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3

Via RHSA-2010:0750 https://rhn.redhat.com/errata/RHSA-2010-0750.html
Comment 17 errata-xmlrpc 2010-10-07 11:26:24 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0751 https://rhn.redhat.com/errata/RHSA-2010-0751.html
Comment 18 errata-xmlrpc 2010-10-07 11:31:49 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0752 https://rhn.redhat.com/errata/RHSA-2010-0752.html
Comment 19 errata-xmlrpc 2010-10-07 11:52:21 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0753 https://rhn.redhat.com/errata/RHSA-2010-0753.html
Comment 20 errata-xmlrpc 2010-10-07 13:28:17 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3

Via RHSA-2010:0754 https://rhn.redhat.com/errata/RHSA-2010-0754.html
Comment 21 errata-xmlrpc 2010-10-07 13:48:40 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0755 https://rhn.redhat.com/errata/RHSA-2010-0755.html
Comment 22 Tomas Hoger 2010-10-25 04:12:21 EDT
Created attachment 455425 [details]
xpdf-3.02pl5.patch

xpdf upstream patch: xpdf-3.02pl5.patch

Fixes the issue in the same way the poppler patch does.
Comment 23 errata-xmlrpc 2010-11-10 14:17:55 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0859 https://rhn.redhat.com/errata/RHSA-2010-0859.html
Comment 24 Huzaifa S. Sidhpurwala 2012-08-21 00:24:26 EDT
Created attachment 605823 [details]
patch used for tetex
Comment 26 errata-xmlrpc 2012-08-23 10:58:01 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1201 https://rhn.redhat.com/errata/RHSA-2012-1201.html