Bug 526637 (CVE-2009-3608) - CVE-2009-3608 xpdf/poppler: integer overflow in ObjectStream::ObjectStream (oCERT-2009-016)
Summary: CVE-2009-3608 xpdf/poppler: integer overflow in ObjectStream::ObjectStream (o...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-3608
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 527399 527400 527403 527404 527413 527414 527454 527455 527456 527457 527468 527469 530890 577328 577329 833916
Blocks:
Reported: 2009-10-01 07:54 UTC by Tomas Hoger
Modified: 2023-05-11 13:45 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-05-07 08:44:08 UTC
Embargoed:


Attachments
Poppler upstream patch (738 bytes, patch)
2009-10-01 07:56 UTC, Tomas Hoger
upstream xpdf patch (5.57 KB, patch)
2009-10-05 21:07 UTC, Vincent Danen
Final xpdf 3.02pl4 patch (6.82 KB, patch)
2009-10-15 06:41 UTC, Tomas Hoger


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1501 0 normal SHIPPED_LIVE Important: xpdf security update 2009-10-15 08:34:24 UTC
Red Hat Product Errata RHSA-2009:1502 0 normal SHIPPED_LIVE Important: kdegraphics security update 2009-10-15 08:26:05 UTC
Red Hat Product Errata RHSA-2009:1503 0 normal SHIPPED_LIVE Important: gpdf security update 2009-10-15 08:48:32 UTC
Red Hat Product Errata RHSA-2009:1504 0 normal SHIPPED_LIVE Important: poppler security and bug fix update 2009-10-15 08:51:17 UTC
Red Hat Product Errata RHSA-2009:1512 0 normal SHIPPED_LIVE Important: kdegraphics security update 2009-10-15 09:05:55 UTC
Red Hat Product Errata RHSA-2009:1513 0 normal SHIPPED_LIVE Moderate: cups security update 2009-10-15 09:00:56 UTC
Red Hat Product Errata RHSA-2010:0400 0 normal SHIPPED_LIVE Moderate: tetex security update 2010-05-06 19:09:35 UTC

Description Tomas Hoger 2009-10-01 07:54:11 UTC
oCERT reported an integer overflow flaw, discovered by Chris Rohlf, in the C++ object allocation in xpdf's / poppler's ObjectStream::ObjectStream (XRef.cc), leading to a heap overflow.

  objs = new Object[nObjects];

As new[] as implemented in gcc / libstdc++ does not perform an integer overflow check [1], a sufficiently large nObjects value (read from the input PDF file) can cause an integer overflow / wrap when multiplied by sizeof(Object), resulting in an insufficient memory allocation.

The affected code was introduced in Xpdf 3.00; packages including / based on this version are affected by this flaw.  In Red Hat Enterprise Linux, that means:
- xpdf - el4
- gpdf - el4
- poppler - el5
- kdegraphics - el4, el5
- cups - el5
- tetex - el5

A patch attempting to address this was previously added to poppler, but it incorrectly used sizeof(int) instead of sizeof(Object) [2] and hence was insufficient.

[1] http://gcc.gnu.org/bugzilla/show_bug.cgi?id=19351
[2] http://cgit.freedesktop.org/poppler/poppler/commit/?id=c36d8afc
    http://cgit.freedesktop.org/poppler/poppler/commit/?id=f41fa9ee

Acknowledgements:

Red Hat would like to thank Chris Rohlf for reporting this issue.

Comment 1 Tomas Hoger 2009-10-01 07:56:57 UTC
Created attachment 363288
Poppler upstream patch

This patch was proposed by poppler upstream to address this flaw.  It builds on top of the previously mentioned git commits c36d8afc and f41fa9ee.

Comment 5 Tomas Hoger 2009-10-05 07:50:34 UTC
Xpdf upstream's proposed fix is to use a hard-coded upper limit for nObjects:

  if (nObjects > 1000000) {
    error(errSyntaxError, -1, "Too many objects in an object stream");
    goto err1;
  }

According to Derek, it's unlikely to have more than a couple of hundred objects in one object stream in non-malicious PDFs, as a lot more objects would be bad from the performance point of view.

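The allocation arithmetic from the description (nObjects from the PDF multiplied by sizeof(Object) wrapping on a 32-bit size_t) and the three bounds this thread mentions (the sizeof(int)-derived bound from the first poppler attempt, the corrected sizeof(Object) bound, and the hard limit of 1000000 from xpdf 3.02pl4 in comment 5) side by side, as an added example; this is not code from xpdf, poppler or this bug. Assumptions made here: a 12-byte Object (the real struct is a type tag plus a union, but its size is not stated on this page), the shape of the two poppler checks (modelled as comparisons against INT_MAX / sizeof(...), since the page only says which sizeof was used, not the exact expression), a constructed /N value, and the guard against negative counts, which the quoted xpdf snippet does not show.

```cpp
#include <climits>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// ASSUMED stand-in for sizeof(Object). xpdf's Object is a type tag plus a
// union and is wider than an int; 12 bytes is an assumption for this example,
// not a figure taken from any xpdf or poppler release.
static const size_t kAssumedObjectSize = 12;

// Ceiling used by the xpdf 3.02pl4 fix quoted in comment 5.
static const int kXpdfHardLimit = 1000000;

// Byte count a 32-bit `new Object[nObjects]` hands to the allocator, computed
// in 32-bit unsigned arithmetic so the wrap is reproducible on a 64-bit host.
uint32_t bytesRequested32(int nObjects, size_t elemSize) {
    return static_cast<uint32_t>(nObjects) * static_cast<uint32_t>(elemSize);
}

// Does nObjects * elemSize fit in a 32-bit size_t without wrapping?
bool allocationFits32(int nObjects, size_t elemSize) {
    if (nObjects < 0) return false;  // a negative int becomes a huge size_t
    return static_cast<uint64_t>(nObjects) * elemSize <= UINT32_MAX;
}

enum Check {
    CHECK_NONE,           // xpdf 3.00 .. 3.02pl3 / older poppler: no bound at all
    CHECK_SIZEOF_INT,     // first poppler attempt: bound derived from sizeof(int)
    CHECK_SIZEOF_OBJECT,  // corrected bound derived from sizeof(Object)
    CHECK_HARD_LIMIT      // xpdf 3.02pl4: fixed ceiling on the object count
};

// True if the given variant refuses nObjects before new[] is reached.
// The sizeof-based variants are modelled on the bug's wording ("used
// sizeof(int) instead of sizeof(Object)"); the poppler commits themselves
// are not quoted on this page. Rejecting a negative count in every bounded
// variant is this example's addition, not something the page shows.
bool rejects(Check c, int nObjects, size_t elemSize) {
    if (c == CHECK_NONE) return false;
    if (nObjects < 0) return true;
    size_t n = static_cast<size_t>(nObjects);
    switch (c) {
    case CHECK_SIZEOF_INT:    return n > INT_MAX / sizeof(int);   // too loose when sizeof(Object) > sizeof(int)
    case CHECK_SIZEOF_OBJECT: return n > INT_MAX / elemSize;      // n * elemSize <= INT_MAX, so no wrap
    case CHECK_HARD_LIMIT:    return nObjects > kXpdfHardLimit;
    default:                  return true;
    }
}

struct Outcome {
    uint32_t bytes;           // what a 32-bit new[] would ask the allocator for
    bool wraps;               // true if that is smaller than the honest size
    bool caughtByIntBound;
    bool caughtByObjectBound;
    bool caughtByHardLimit;
};

Outcome evaluate(int nObjects, size_t elemSize) {
    Outcome o;
    o.bytes = bytesRequested32(nObjects, elemSize);
    o.wraps = !allocationFits32(nObjects, elemSize);
    o.caughtByIntBound = rejects(CHECK_SIZEOF_INT, nObjects, elemSize);
    o.caughtByObjectBound = rejects(CHECK_SIZEOF_OBJECT, nObjects, elemSize);
    o.caughtByHardLimit = rejects(CHECK_HARD_LIMIT, nObjects, elemSize);
    return o;
}

int main() {
    // Constructed /N value for an object stream: chosen so that N * 12 == 2^32 + 8,
    // i.e. a 32-bit new[] allocates 8 bytes and then constructs N objects into it.
    const int hostile = 357913942;
    Outcome o = evaluate(hostile, kAssumedObjectSize);
    std::printf("nObjects=%d elemSize=%zu -> new[] asks for %u bytes (wraps: %s)\n",
                hostile, kAssumedObjectSize, (unsigned)o.bytes, o.wraps ? "yes" : "no");
    std::printf("sizeof(int) bound rejects:    %s\n", o.caughtByIntBound ? "yes" : "no");
    std::printf("sizeof(Object) bound rejects: %s\n", o.caughtByObjectBound ? "yes" : "no");
    std::printf("xpdf hard limit rejects:      %s\n", o.caughtByHardLimit ? "yes" : "no");
    return 0;
}
```

With a 12-byte element the sizeof(int) bound admits any count up to INT_MAX / 4, which is far above the roughly 2^32 / 12 counts at which the product wraps, so the constructed value passes that check, wraps to 8 bytes, and is stopped only by the sizeof(Object) bound or the hard limit. Modern libstdc++ throws std::bad_array_new_length on this overflow (the gcc bug cited as [1] has since been fixed), which is why the arithmetic is simulated here rather than performed with a real new[].
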
Comment 6 Vincent Danen 2009-10-05 21:07:45 UTC
Created attachment 363744
upstream xpdf patch

This is the upstream patch that should address both the ImageStream::ImageStream issue and the ObjectStream::ObjectStream limit.

Comment 14 Tomas Hoger 2009-10-15 06:41:15 UTC
Created attachment 364871
Final xpdf 3.02pl4 patch

Fixes the following issues: CVE-2009-1188/CVE-2009-3603, CVE-2009-3604, CVE-2009-3606, CVE-2009-3608, CVE-2009-3609

Comment 15 Tomas Hoger 2009-10-15 06:50:56 UTC
Fixed now in xpdf 3.02pl4:
  ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl4.patch

poppler patches should be committed soon.

Comment 16 errata-xmlrpc 2009-10-15 08:26:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1502 https://rhn.redhat.com/errata/RHSA-2009-1502.html

Comment 17 errata-xmlrpc 2009-10-15 08:34:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1501 https://rhn.redhat.com/errata/RHSA-2009-1501.html

Comment 18 errata-xmlrpc 2009-10-15 08:48:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1503 https://rhn.redhat.com/errata/RHSA-2009-1503.html

Comment 19 errata-xmlrpc 2009-10-15 08:51:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1504 https://rhn.redhat.com/errata/RHSA-2009-1504.html

Comment 20 errata-xmlrpc 2009-10-15 09:00:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1513 https://rhn.redhat.com/errata/RHSA-2009-1513.html

Comment 21 errata-xmlrpc 2009-10-15 09:06:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1512 https://rhn.redhat.com/errata/RHSA-2009-1512.html

Comment 22 Michal Jaegermann 2009-10-16 16:27:38 UTC
> In Red Hat Enterprise Linux, that means:
> - xpdf - el4 ( ... and so on)

There is currently xpdf-3.02-13.el5 in EPEL, so RHEL5 is affected here, if indirectly, too.  Also there are corresponding Fedora packages, and so far a fixed xpdf has not shown up even in koji.

Comment 23 Tomas Hoger 2009-10-17 18:31:16 UTC
(In reply to comment #15)
> Fixed now in xpdf 3.02pl4:
>   ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl4.patch
> 
> poppler patches should be committed soon.  

Equivalent poppler git commit:
  http://cgit.freedesktop.org/poppler/poppler/commit/?id=1082e1671a

Comment 24 Fedora Update System 2009-10-21 00:47:48 UTC
xpdf-3.02-15.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2009-10-21 00:54:31 UTC
xpdf-3.02-15.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Tomas Hoger 2009-10-22 06:44:47 UTC
oCERT advisory:
  http://www.ocert.org/advisories/ocert-2009-016.html

poppler fixed now in version 0.12.1:
  http://poppler.freedesktop.org/releases.html

Comment 28 Fedora Update System 2009-10-26 12:19:05 UTC
poppler-0.8.7-7.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/poppler-0.8.7-7.fc10

Comment 29 Fedora Update System 2009-10-26 12:20:32 UTC
poppler-0.10.7-3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/poppler-0.10.7-3.fc11

Comment 30 Fedora Update System 2009-10-27 07:05:14 UTC
poppler-0.8.7-7.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 31 Fedora Update System 2009-10-27 07:15:19 UTC
poppler-0.10.7-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 32 Tomas Hoger 2009-10-28 11:18:57 UTC
This should still affect koffice 1.x (2.x uses poppler) and pdfedit shipped in Fedora, as they embed a copy of the xpdf code too.  I've not got around to having a closer look at those.

Comment 33 Fedora Update System 2009-11-06 18:32:01 UTC
xpdf-3.02-15.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 34 Jan Lieskovsky 2009-12-12 12:01:05 UTC
A duplicate CVE identifier, CVE-2009-3908, has also (by mistake) been
assigned for this:

Name: CVE-2009-3908
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3908
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20091109
Category:

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-3608. Reason:
This candidate is a duplicate of CVE-2009-3608. A typo caused the
wrong ID to be used. Notes: All CVE users should reference
CVE-2009-3608 instead of this candidate. All references and
descriptions in this candidate have been removed to prevent accidental
usage.

Comment 35 Fedora Update System 2010-02-20 00:11:35 UTC
pdfedit-0.4.3-4.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 36 Fedora Update System 2010-02-20 00:23:51 UTC
pdfedit-0.4.3-4.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 37 Fedora Update System 2010-02-20 00:25:30 UTC
pdfedit-0.4.3-4.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 43 errata-xmlrpc 2010-05-06 19:09:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0400 https://rhn.redhat.com/errata/RHSA-2010-0400.html

