Bug 526637 - (CVE-2009-3608) CVE-2009-3608 xpdf/poppler: integer overflow in ObjectStream::ObjectStream (oCERT-2009-016)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Assigned To: Red Hat Product Security
: Security
Depends On: 527399 527400 527403 527404 527413 527414 527454 527455 527456 527457 527468 527469 530890 577328 577329 833916
Reported: 2009-10-01 03:54 EDT by Tomas Hoger
Modified: 2016-03-04 07:34 EST (History)

Doc Type: Bug Fix
Last Closed: 2010-05-07 04:44:08 EDT


Attachments
Poppler upstream patch (738 bytes, patch) - 2009-10-01 03:56 EDT, Tomas Hoger
upstream xpdf patch (5.57 KB, patch) - 2009-10-05 17:07 EDT, Vincent Danen
Final xpdf 3.02pl4 patch (6.82 KB, patch) - 2009-10-15 02:41 EDT, Tomas Hoger

Description Tomas Hoger 2009-10-01 03:54:11 EDT
oCERT reported an integer overflow flaw during the C++ object allocation leading to a heap overflow discovered by Chris Rohlf, affecting xpdf's / poppler's ObjectStream::ObjectStream (XRef.cc).

  objs = new Object[nObjects];

As new[] as implemented in gcc / libstdc++ does not perform integer overflow check [1], sufficiently large nObjects value (read from the input PDF file) can cause integer overflow / wrap when multiplied by sizeof(Object) resulting in insufficient memory allocation.

Affected code was introduced in Xpdf 3.00, packages including / based on this version are affected by this flaw.  In Red Hat Enterprise Linux, that means:
- xpdf - el4
- gpdf - el4
- poppler - el5
- kdegraphics - el4, el5
- cups - el5
- tetex - el5

Patch attempting to address this was previously added to poppler, but it incorrectly used sizeof(int) instead of sizeof(Object) [2] and hence was insufficient.

[1] http://gcc.gnu.org/bugzilla/show_bug.cgi?id=19351
[2] http://cgit.freedesktop.org/poppler/poppler/commit/?id=c36d8afc
    http://cgit.freedesktop.org/poppler/poppler/commit/?id=f41fa9ee

Acknowledgements:

Red Hat would like to thank Chris Rohlf for reporting this issue.
Comment 1 Tomas Hoger 2009-10-01 03:56:57 EDT
Created attachment 363288 [details]
Poppler upstream patch

This patch was proposed by poppler upstream to address this flaw.  It builds on top of the previously mentioned git commits c36d8afc and f41fa9ee.
Comment 5 Tomas Hoger 2009-10-05 03:50:34 EDT
Xpdf upstream's proposed fix is to use hard-coded upper limit for nObjects:

  if (nObjects > 1000000) {
    error(errSyntaxError, -1, "Too many objects in an object stream");
    goto err1;
  }

According to Derek, it's unlikely to have more than couple of hundreds of objects in one object stream in non-malicious PDFs, as lot more objects would be bad from the performance point of view.
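To make concrete why the element size in the guard matters (the description's point about the earlier sizeof(int) patch) and how xpdf's hard-coded limit sidesteps the question, here is an added C++ example; it is not code from xpdf, poppler or this bug's attachments. Object is a stand-in struct of an assumed 24 bytes, and the three guard functions are my illustration of the approaches the comments describe, not the actual patch code.

```cpp
#include <cstddef>
#include <cstdint>

// Stand-in for xpdf/poppler's Object class; its real layout differs, but
// what matters here is that it is much larger than an int (assumed 24 bytes).
struct Object { unsigned char payload[24]; };

// Byte count a 32-bit new[] effectively computes: nObjects * sizeof(T),
// reduced modulo 2^32 because size_t is 32 bits wide on such a platform.
// Modelled with explicit uint32_t so it behaves the same on a 64-bit host.
uint32_t alloc_bytes_32bit(uint32_t nObjects, size_t elemSize) {
    return nObjects * static_cast<uint32_t>(elemSize);  // wraps silently
}

// Guard in the spirit of the earlier poppler patch the report calls
// insufficient: it bounds nObjects against wrap for sizeof(int)-byte elements.
bool guard_sizeof_int(int nObjects) {
    return nObjects >= 0 &&
           static_cast<uint64_t>(nObjects) * sizeof(int) <= UINT32_MAX;
}

// Same guard, but using the element type that is actually being allocated.
bool guard_sizeof_object(int nObjects) {
    return nObjects >= 0 &&
           static_cast<uint64_t>(nObjects) * sizeof(Object) <= UINT32_MAX;
}

// xpdf upstream's approach from comment 5: a hard-coded sanity limit, which
// needs no knowledge of the element size at all.
bool guard_hard_limit(int nObjects) {
    return nObjects >= 0 && nObjects <= 1000000;
}

// A constructed count that passes the sizeof(int) guard yet makes a 32-bit
// new[] wrap to a zero-byte allocation for 24-byte Objects:
// 0x20000000 * 4 = 2^31 fits, but 0x20000000 * 24 = 3 * 2^32 wraps to 0.
constexpr int kWrappingCount = 0x20000000;

int main() {
    return (guard_sizeof_int(kWrappingCount) &&
            !guard_sizeof_object(kWrappingCount) &&
            !guard_hard_limit(kWrappingCount) &&
            alloc_bytes_32bit(kWrappingCount, sizeof(Object)) == 0) ? 0 : 1;
}
```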
Comment 6 Vincent Danen 2009-10-05 17:07:45 EDT
Created attachment 363744 [details]
upstream xpdf patch

This is the upstream patch that should address both the ImageStream::ImageStream issue and ObjectStream::ObjectStream limit.
Comment 14 Tomas Hoger 2009-10-15 02:41:15 EDT
Created attachment 364871 [details]
Final xpdf 3.02pl4 patch

Fixes following issues: CVE-2009-1188/CVE-2009-3603, CVE-2009-3604, CVE-2009-3606, CVE-2009-3608, CVE-2009-3609
Comment 15 Tomas Hoger 2009-10-15 02:50:56 EDT
Fixed now in xpdf 3.02pl4:
  ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl4.patch

poppler patches should be committed soon.
Comment 16 errata-xmlrpc 2009-10-15 04:26:12 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1502 https://rhn.redhat.com/errata/RHSA-2009-1502.html
Comment 17 errata-xmlrpc 2009-10-15 04:34:30 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1501 https://rhn.redhat.com/errata/RHSA-2009-1501.html
Comment 18 errata-xmlrpc 2009-10-15 04:48:37 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1503 https://rhn.redhat.com/errata/RHSA-2009-1503.html
Comment 19 errata-xmlrpc 2009-10-15 04:51:20 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1504 https://rhn.redhat.com/errata/RHSA-2009-1504.html
Comment 20 errata-xmlrpc 2009-10-15 05:00:59 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1513 https://rhn.redhat.com/errata/RHSA-2009-1513.html
Comment 21 errata-xmlrpc 2009-10-15 05:06:31 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1512 https://rhn.redhat.com/errata/RHSA-2009-1512.html
Comment 22 Michal Jaegermann 2009-10-16 12:27:38 EDT
> In Red Hat Enterprise Linux, that means:
> - xpdf - el4 ( ... and so on)

There is currently xpdf-3.02-13.el5 in epel so RHEL5 is affected here, if indirectly, too.  Also there are corresponding Fedora packages and so far fixed xpdf did not show up even in koji.
Comment 23 Tomas Hoger 2009-10-17 14:31:16 EDT
(In reply to comment #15)
> Fixed now in xpdf 3.02pl4:
>   ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl4.patch
> 
> poppler patches should be committed soon.  

Equivalent poppler git commit:
  http://cgit.freedesktop.org/poppler/poppler/commit/?id=1082e1671a
Comment 24 Fedora Update System 2009-10-20 20:47:48 EDT
xpdf-3.02-15.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 25 Fedora Update System 2009-10-20 20:54:31 EDT
xpdf-3.02-15.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 26 Tomas Hoger 2009-10-22 02:44:47 EDT
oCERT advisory:
  http://www.ocert.org/advisories/ocert-2009-016.html

poppler fixed now in version 0.12.1:
  http://poppler.freedesktop.org/releases.html
Comment 28 Fedora Update System 2009-10-26 08:19:05 EDT
poppler-0.8.7-7.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/poppler-0.8.7-7.fc10
Comment 29 Fedora Update System 2009-10-26 08:20:32 EDT
poppler-0.10.7-3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/poppler-0.10.7-3.fc11
Comment 30 Fedora Update System 2009-10-27 03:05:14 EDT
poppler-0.8.7-7.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 31 Fedora Update System 2009-10-27 03:15:19 EDT
poppler-0.10.7-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 32 Tomas Hoger 2009-10-28 07:18:57 EDT
This should still affect koffice 1.x (2.x uses poppler) and pdfedit shipped in Fedora, as they embed xpdf code copy too.  I've not got to having a closer look at those.
Comment 33 Fedora Update System 2009-11-06 13:32:01 EST
xpdf-3.02-15.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 34 Jan Lieskovsky 2009-12-12 07:01:05 EST
Duplicate CVE identifier of CVE-2009-3908 has been also (by mistake) assigned for this:

Name: CVE-2009-3908
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3908
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20091109
Category:

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-3608. Reason:
This candidate is a duplicate of CVE-2009-3608. A typo caused the
wrong ID to be used. Notes: All CVE users should reference
CVE-2009-3608 instead of this candidate. All references and
descriptions in this candidate have been removed to prevent accidental
usage.
Comment 35 Fedora Update System 2010-02-19 19:11:35 EST
pdfedit-0.4.3-4.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 36 Fedora Update System 2010-02-19 19:23:51 EST
pdfedit-0.4.3-4.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 37 Fedora Update System 2010-02-19 19:25:30 EST
pdfedit-0.4.3-4.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 43 errata-xmlrpc 2010-05-06 15:09:38 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0400 https://rhn.redhat.com/errata/RHSA-2010-0400.html