Bug 672181 (CVE-2010-4654)

Summary: CVE-2010-4654 xpdf: corruption of the Gfx contexts states stack
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: mkasik, rdieter, than
Keywords: Security
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2021-10-19 21:47:15 UTC
Bug Blocks: 734819

Description Tomas Hoger 2011-01-24 10:25:24 UTC
Dan Rosenberg reported an issue in the xpdf/poppler code base:

  http://thread.gmane.org/gmane.comp.security.oss.general/4109

  Malformed commands may cause corruption of the internal stack used
  to maintain graphics contexts, leading to potentially exploitable
  memory corruption.

Acknowledgements:

Red Hat would like to thank Dan Rosenberg for reporting this issue.

Comment 1 Tomas Hoger 2011-01-24 10:39:02 UTC
Upstream poppler git commit that adds stack guards:
http://cgit.freedesktop.org/poppler/poppler/commit/?id=8284008aa8230a92ba08d547864353d3290e9bf9

This fix changes API and ABI of the Gfx class.  This is part of Xpdf headers bundled in poppler-devel in Fedora and RHEL-6.  poppler upstream makes certain API/ABI stability promises for supported frontends (glib, Qt4), but not for legacy Xpdf APIs, which are used by some programs (texlive, gimp, or openoffice.org).

Comment 4 Tomas Hoger 2011-01-25 15:48:08 UTC
SUSE xpdf packages maintainer tracked this crash down to an imbalance of q (saveState) / Q (restoreState) graphics operations.  While the patch mentioned in comment #1 adds additional guards to the graphics state stack, an earlier commit tries to address the q/Q imbalance:
  http://cgit.freedesktop.org/poppler/poppler/commit/?id=17345173

This fix is included in RHEL-6 poppler.  RHEL-5 poppler does not include this fix, but does not seem to crash on Dan's reproducer either.
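An added illustration of the q/Q imbalance discussed in comment #4 (example code written for this page, not poppler's or xpdf's; the class, the result struct and the content-stream strings are constructed). The stack refuses a restore below its base state, a guard of the kind the commit in comment #1 adds, and the scanner reports how far a malformed stream is out of balance:

```cpp
#include <cstdlib>
#include <sstream>
#include <string>
#include <vector>

// Saved graphics states with q/Q semantics, the state reduced to its line
// width. The base state is never popped: a 'Q' with nothing saved is refused.
class GfxStateStack {
public:
    GfxStateStack() : lineWidths_(1, 1.0) {}
    void saveState() { lineWidths_.push_back(lineWidths_.back()); }  // 'q'
    bool restoreState() {                                             // 'Q'
        if (lineWidths_.size() <= 1) return false;   // guard against underflow
        lineWidths_.pop_back();
        return true;
    }
    double &lineWidth() { return lineWidths_.back(); }
    std::size_t depth() const { return lineWidths_.size() - 1; }
private:
    std::vector<double> lineWidths_;
};

struct ScanResult {
    int unmatchedQ = 0;           // 'Q' operators refused by the guard
    int unmatchedq = 0;           // 'q' operators still open at end of stream
    std::size_t maxDepth = 0;     // deepest nesting reached
    double finalLineWidth = 1.0;  // line width left in effect after the scan
};

// Runs a (constructed) content stream's operators through the guarded stack.
// Operands precede their operator, so the previous token is the operand of 'w'.
ScanResult scanContentStream(const std::string &stream) {
    GfxStateStack stack; ScanResult r;
    std::istringstream in(stream);
    std::string tok, prev;
    while (in >> tok) {
        if (tok == "q") {
            stack.saveState();
            if (stack.depth() > r.maxDepth) r.maxDepth = stack.depth();
        } else if (tok == "Q") {
            if (!stack.restoreState()) ++r.unmatchedQ;
        } else if (tok == "w" && !prev.empty()) {            // set line width
            stack.lineWidth() = std::strtod(prev.c_str(), nullptr);
        }
        prev = tok;
    }
    r.unmatchedq = static_cast<int>(stack.depth());
    r.finalLineWidth = stack.lineWidth();
    return r;
}
```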