Bug 526924 (alias CVE-2009-3607) - CVE-2009-3607 poppler: create_surface_from_thumbnail_data integer overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: source=vendorsec,impact=important,rep...
Keywords: Security
Depends On: 530890
Blocks:
Reported: 2009-10-02 10:42 EDT by Tomas Hoger
Modified: 2016-03-04 05:59 EST

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-10-28 07:01:42 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
Description Tomas Hoger 2009-10-02 10:42:44 EDT
Ludwig Nussel reported an integer overflow in poppler's create_surface_from_thumbnail_data() function.  The cairo_pixels buffer is allocated as:

  cairo_pixels = (guchar *)g_malloc (4 * width * height);

  http://cgit.freedesktop.org/poppler/poppler/tree/glib/poppler-page.cc#n615

where width / height are read from the PDF file.  Some validation of the values is done in Page::loadThumb(), but it is not sufficient to prevent the overflow:

  if (width > INT_MAX / 3 / height)

  http://cgit.freedesktop.org/poppler/poppler/tree/poppler/Page.cc#n547

This code does not exist in poppler as shipped in EL5, nor is it part of xpdf.
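Worked example, added here and not part of the bug report or of poppler's own code: it reproduces in plain C the arithmetic of the two checks quoted above, shows a width/height pair that passes the INT_MAX / 3 guard while 4 * width * height still exceeds a 32-bit int, and contrasts it with a guard sized to the allocation it protects. The function names, the positivity tests, the size_t helper and the sample dimensions (30000 x 20000) are assumptions of this example, not the upstream fix.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Guard as quoted from Page::loadThumb(): only rejects width * height above
 * INT_MAX / 3.  The positivity test is added here so the division is well
 * defined; the bug report shows only the INT_MAX / 3 comparison. */
bool thumb_dims_ok_old(int width, int height)
{
    if (width <= 0 || height <= 0)
        return false;
    return !(width > INT_MAX / 3 / height);
}

/* Hypothetical guard sized to the allocation: create_surface_from_thumbnail_data()
 * allocates 4 bytes per pixel, so the product that must fit is 4 * w * h.
 * Illustrative hardened form, not the upstream patch. */
bool thumb_dims_ok_fixed(int width, int height)
{
    if (width <= 0 || height <= 0)
        return false;
    return !(width > INT_MAX / 4 / height);
}

/* Does 4 * width * height exceed INT_MAX?  Evaluated in 64-bit arithmetic so
 * this demonstration itself never performs a signed overflow. */
bool four_wh_overflows_int(int width, int height)
{
    int64_t full = (int64_t)4 * width * height;
    return full > INT_MAX;
}

/* The value a 32-bit `4 * width * height` holds after two's-complement
 * wraparound, i.e. what the vulnerable g_malloc() call would be handed.
 * int64 -> uint32 is modular; uint32 -> int32 is implementation-defined
 * (reinterpretation on gcc/clang). */
int32_t wrapped_alloc_size(int width, int height)
{
    uint32_t mod32 = (uint32_t)((int64_t)4 * width * height);  /* mod 2^32 */
    return (int32_t)mod32;
}

/* Overflow-safe size computation: returns 4 * w * h as size_t, or 0 when the
 * dimensions are invalid or the product would not fit in size_t or in int. */
size_t thumb_buffer_size_or_zero(int width, int height)
{
    if (width <= 0 || height <= 0)
        return 0;
    size_t w = (size_t)width, h = (size_t)height;
    if (w > SIZE_MAX / 4 / h)           /* 4 * w * h would wrap size_t */
        return 0;
    if (w > (size_t)INT_MAX / 4 / h)    /* keep it representable as int too */
        return 0;
    return 4 * w * h;
}

int main(void)
{
    /* Constructed sample: w * h = 600,000,000 is below INT_MAX / 3 (715,827,882),
     * but 4 * w * h = 2,400,000,000 is above INT_MAX (2,147,483,647). */
    int w = 30000, h = 20000;
    printf("INT_MAX/3 guard accepts %dx%d: %s\n", w, h, thumb_dims_ok_old(w, h) ? "yes" : "no");
    printf("4*w*h exceeds INT_MAX: %s\n", four_wh_overflows_int(w, h) ? "yes" : "no");
    printf("32-bit 4*w*h wraps to: %d\n", (int)wrapped_alloc_size(w, h));
    printf("INT_MAX/4 guard accepts %dx%d: %s\n", w, h, thumb_dims_ok_fixed(w, h) ? "yes" : "no");
    printf("safe size for 1000x1000: %zu bytes\n", thumb_buffer_size_or_zero(1000, 1000));
    return 0;
}
```

The point to take from the sample pair is that a guard must be derived from the exact expression at the allocation site (here a factor of 4, not 3); checking the product against the wrong constant leaves a window in which the guard passes and the multiplication still wraps.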
Comment 1 Tomas Hoger 2009-10-15 03:37:42 EDT
Lifting embargo, fix should get committed to upstream git soon.  This was likely missed before while hardening other gmalloc uses (#526911#c17), as this uses glib's g_malloc and not xpdf/poppler's gmalloc.
Comment 2 Tomas Hoger 2009-10-20 05:50:52 EDT
Upstream fix:
  http://cgit.freedesktop.org/poppler/poppler/commit/?id=c839b706
Comment 4 Fedora Update System 2009-10-26 08:19:01 EDT
poppler-0.8.7-7.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/poppler-0.8.7-7.fc10
Comment 5 Fedora Update System 2009-10-26 08:20:27 EDT
poppler-0.10.7-3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/poppler-0.10.7-3.fc11
Comment 6 Fedora Update System 2009-10-27 03:05:06 EDT
poppler-0.8.7-7.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2009-10-27 03:15:09 EDT
poppler-0.10.7-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Jan Lieskovsky 2009-12-12 06:56:38 EST
A duplicate CVE identifier, CVE-2009-3907, was also (by mistake)
assigned to this issue:

Name: CVE-2009-3907
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3907
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20091109
Category:

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-3607. Reason:
This candidate is a duplicate of CVE-2009-3607. A typo caused the
wrong ID to be used. Notes: All CVE users should reference
CVE-2009-3607 instead of this candidate. All references and
descriptions in this candidate have been removed to prevent accidental
usage.
