Bug 580105 - (CVE-2010-0206) CVE-2010-0206 xpdf: Invalid pointer dereference by processing JBIG2 PDF stream objects
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Assigned To: Red Hat Product Security
impact=none,source=cert,reported=2010...
Reported: 2010-04-07 09:53 EDT by Jan Lieskovsky
Modified: 2015-08-19 04:45 EDT (History)
Doc Type: Bug Fix
Last Closed: 2010-04-19 11:29:59 EDT
External Trackers
Tracker          ID     Priority  Status  Summary  Last Updated
FreeDesktop.org  28170  None      None    None     Never
Description Jan Lieskovsky 2010-04-07 09:53:55 EDT
An invalid pointer dereference was found in the way xpdf
processed JBIG2 PDF stream objects in the PDF file catalog.
If a local user was tricked into opening a specially-crafted
Portable Document Format (PDF) file, it could lead to denial
of service (xpdf crash) or, potentially, to arbitrary code
execution with the privileges of the user running xpdf.
Comment 11 Josh Bressers 2010-04-14 14:28:38 EDT
(In reply to comment #10)
> I tested xpdf-3.00-23.el4_8.1.i386. The sample1.pdf caused a crash in xpdf but no
> crash in pdftops.

This crash is a NULL pointer dereference:
Program received signal SIGSEGV, Segmentation fault.
0x08076cf4 in ~JArithmeticDecoder (this=0x8838628) at JArithmeticDecoder.cc:107
107	  return (Guint)str->getChar() & 0xff;
(gdb) print str
$1 = (class Stream *) 0x0


I'll do some additional testing, but I suspect this is a DoS only.
Comment 12 Josh Bressers 2010-04-14 16:18:32 EDT
I got the same results as above with gpdf and kpdf.

I'm going to write this one off as a DoS only, which matches the results Canonical found.
Comment 15 Tomas Hoger 2010-04-19 11:29:59 EDT
Closing this one not-a-security-bug, as it's a NULL pointer dereference only (see comment #11 and comment #12).
Comment 16 Tomas Hoger 2010-04-20 05:41:01 EDT
(In reply to comment #11)

> This crash is a NULL pointer dereference:
> Program received signal SIGSEGV, Segmentation fault.
> 0x08076cf4 in ~JArithmeticDecoder (this=0x8838628) at JArithmeticDecoder.cc:107
> 107   return (Guint)str->getChar() & 0xff;
> (gdb) print str
> $1 = (class Stream *) 0x0

The crash in recent poppler versions is different, but still a NULL pointer dereference issue. JBIG2Bitmap::getSlice() gets called with large values in wA/hA arguments:

http://cgit.freedesktop.org/poppler/poppler/tree/poppler/JBIG2Stream.cc?id=e9501070#n740

It calls JBIG2Bitmap::JBIG2Bitmap():

http://cgit.freedesktop.org/poppler/poppler/tree/poppler/JBIG2Stream.cc?id=e9501070#n700

which contains protection against integer overflow / under-allocation of the data[] buffer, and leaves data set to NULL if integer overflow is detected.

JBIG2Bitmap::getSlice() subsequently calls JBIG2Bitmap::clearToZero(), which does memset(data, ...), resulting in NULL pointer dereference crash.
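The sequence comment 16 describes, as an added C model that is not poppler's code: the constructor rejects oversized dimensions and leaves data NULL, the unchecked clearToZero() path then memsets that NULL pointer, and a checked variant reports the rejected bitmap instead. All struct and function names are assumptions chosen for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed C model of the JBIG2Bitmap path described in comment 16; not
 * poppler's code. Names are assumptions chosen for this example. */
typedef struct {
    int w, h;            /* width and height in pixels */
    int line;            /* bytes per scan line */
    unsigned char *data; /* NULL when the constructor rejected the size */
} jbig2_bitmap;

/* Models the constructor: rejects sizes where h * line would overflow an int
 * (under-allocating data) and leaves data NULL instead of allocating. */
jbig2_bitmap bitmap_create(int wA, int hA)
{
    jbig2_bitmap bm = { wA, hA, 0, NULL };
    if (wA <= 0 || hA <= 0)
        return bm;
    bm.line = (int)(((long long)wA + 7) >> 3); /* avoid overflow in wA + 7 */
    if (bm.line >= (INT_MAX - 1) / hA)
        return bm;                              /* rejected: data stays NULL */
    bm.data = malloc((size_t)bm.line * (size_t)hA + 1); /* +1 guard byte */
    return bm;
}

/* The crashing path: clearToZero() memsets data without checking whether
 * the constructor rejected the size, so a rejected bitmap dereferences NULL. */
void clear_to_zero_unchecked(jbig2_bitmap *bm)
{
    memset(bm->data, 0, (size_t)bm->h * (size_t)bm->line);
}

/* Hardened variant: report the rejected bitmap instead of touching data. */
bool clear_to_zero_checked(jbig2_bitmap *bm)
{
    if (bm->data == NULL)
        return false;
    memset(bm->data, 0, (size_t)bm->h * (size_t)bm->line);
    return true;
}

/* Hardened getSlice(): false when the slice could not be allocated, so the
 * caller can bail out instead of continuing with a NULL data pointer. */
bool get_slice_checked(jbig2_bitmap *out, int wA, int hA)
{
    *out = bitmap_create(wA, hA);
    return clear_to_zero_checked(out);
}
```

Calling get_slice_checked() with the large wA/hA values from the report yields false and a NULL data pointer, where the unchecked path would segfault in memset().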
Comment 17 Tomas Hoger 2010-05-19 05:22:56 EDT
Reported upstream:
  https://bugs.freedesktop.org/show_bug.cgi?id=28170
