Bug 638835

Summary: poppler/xpdf: multiple vulnerabilities
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: mkasik, rdieter, than, twaugh
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-10-06 14:35:09 UTC
Bug Depends On: 595245, 638960, 639356
Attachments: 2fe825deac reproducer (flags: none)

Description Huzaifa S. Sidhpurwala 2010-09-30 05:31:36 UTC
Secunia reported multiple vulnerabilities in Poppler, caused by memory
leak errors, array indexing errors, and the use of uninitialized memory when
parsing malformed PDF files.
An attacker could use this flaw to create a specially crafted
PDF file that, when opened, would cause an application linked against
poppler to crash or, possibly, execute arbitrary code.


Secunia link:
http://secunia.com/advisories/41596/

Upstream commits:
http://cgit.freedesktop.org/poppler/poppler/commit/?id=473de6f88a055bb03470b4af5fa584be8cb5fda4
http://cgit.freedesktop.org/poppler/poppler/commit/?id=2fe825deac055be82b220d0127169cb3d61387a8
http://cgit.freedesktop.org/poppler/poppler/commit/?id=d2578bd66129466b2dd114b6407c147598e09d2b
http://cgit.freedesktop.org/poppler/poppler/commit/?id=c6a091512745771894b54a71613fd6b5ca1adcb3
http://cgit.freedesktop.org/poppler/poppler/commit/?id=39d140bfc0b8239bdd96d6a55842034ae5c05473
http://cgit.freedesktop.org/poppler/poppler/commit/?id=a2dab0238a69240dad08eca2083110b52ce488b7
http://cgit.freedesktop.org/poppler/poppler/commit/?id=3422638b2a39cbdd33a114a7d7debc0a5f688501
http://cgit.freedesktop.org/poppler/poppler/commit/?id=e853106b58d6b4b0467dbd6436c9bb1cfbd372cf
http://cgit.freedesktop.org/poppler/poppler/commit/?id=bf2055088a3a2d3bb3d3c37d464954ec1a25771f
http://cgit.freedesktop.org/poppler/poppler/commit/?id=dfdf3602bde47d1be7788a44722c258bfa0c6d6e
http://cgit.freedesktop.org/poppler/poppler/commit/?id=26a5817ffec9f05ac63db6c5cd5b1f0871d271c7
http://cgit.freedesktop.org/poppler/poppler/commit/?id=9706e28657ff7ea52aa69d9efb3f91d0cfaee70b

Comment 5 Tomas Hoger 2010-10-01 14:33:25 UTC
e853106b58, 39d140bfc0 and bf2055088a are tracked via separate bugs.

Some of the referenced commits are not classified as security fixes; for the summary, see:

http://thread.gmane.org/gmane.comp.security.oss.general/3584/focus=3596

Comment 6 Tomas Hoger 2010-10-03 18:57:04 UTC
The crash mentioned in the 2fe825deac commit message seems to be an OBJECT_TYPE_CHECK abort, with impact limited to unexpected application termination, and is not classified as a security fix. This check and abort are specific to more recent poppler versions; the check does not exist in xpdf or the RHEL5 poppler version.

There are additional instances of this problem in poppler code:
  https://bugs.freedesktop.org/show_bug.cgi?id=30590

Comment 7 Tomas Hoger 2010-10-03 18:58:27 UTC
Created attachment 451301
2fe825deac reproducer

Triggers abort when reading malformed /BBox
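
The abort-on-type-mismatch behaviour discussed in comments 6 and 7, as an added example that is not part of the bug report or poppler's own code: a simplified C model (the `Obj` type, the function names and the sample arrays are all hypothetical and constructed here) of an accessor that aborts on the wrong object type, and a `/BBox` reader that validates the array before calling it, so a malformed file yields an error return instead of process termination.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of a parsed PDF object; not poppler's Object class. */
typedef enum { OBJ_NULL, OBJ_INT, OBJ_REAL, OBJ_NAME } ObjType;
typedef struct { ObjType type; double num; const char *name; } Obj;

static int obj_is_num(const Obj *o) {
    return o->type == OBJ_INT || o->type == OBJ_REAL;
}

/* Accessor with a hard type check: a mismatch terminates the process,
   i.e. the "unexpected application termination" impact from comment 6. */
static double obj_get_num(const Obj *o) {
    if (!obj_is_num(o)) {
        fprintf(stderr, "type check failed: object is not a number\n");
        abort();
    }
    return o->num;
}

/* Hardened /BBox reader: check length and element types first, so the
   aborting accessor is only reached with valid input.
   Returns 0 on success, -1 on a malformed array. */
int read_bbox(const Obj *arr, size_t len, double out[4]) {
    if (arr == NULL || len != 4) return -1;
    for (size_t i = 0; i < 4; i++)
        if (!obj_is_num(&arr[i])) return -1;
    for (size_t i = 0; i < 4; i++)
        out[i] = obj_get_num(&arr[i]);
    return 0;
}

/* Constructed sample inputs: a well-formed box and one with a name
   object where a number is expected. */
static const Obj good_bbox[4] = { {OBJ_INT, 0, NULL}, {OBJ_INT, 0, NULL},
                                  {OBJ_REAL, 612.0, NULL}, {OBJ_REAL, 792.0, NULL} };
static const Obj bad_bbox[4]  = { {OBJ_INT, 0, NULL}, {OBJ_NAME, 0, "Foo"},
                                  {OBJ_INT, 612, NULL}, {OBJ_INT, 792, NULL} };

int main(void) {
    double b[4];
    printf("good:  %d\n", read_bbox(good_bbox, 4, b));
    printf("bad:   %d\n", read_bbox(bad_bbox, 4, b));
    printf("short: %d\n", read_bbox(good_bbox, 3, b));
    return 0;
}
```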

Comment 9 Huzaifa S. Sidhpurwala 2010-10-06 14:35:09 UTC
Issues are tracked using the separate bugs mentioned in "Depends on".