Bug 595245 (CVE-2010-3702) - CVE-2010-3702 xpdf: uninitialized Gfx::parser pointer dereference
Summary: CVE-2010-3702 xpdf: uninitialized Gfx::parser pointer dereference
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-3702
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 639826 639827 639828 639829 639830 639831 639832 639833 639834 639835 639836 639837 639838 639839 639840 639841 639842 639859 639860 639861 639868 639875 652108 773177 773178 773180 833917
Blocks: 638835
 
Reported: 2010-05-24 07:59 UTC by Tomas Hoger
Modified: 2019-09-29 12:36 UTC (History)
CC List: 9 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-09-15 16:48:21 UTC
Embargoed:


Attachments
Proposed patch (609 bytes, patch), 2010-05-24 08:01 UTC, Tomas Hoger
xpdf-3.02pl5.patch (1.04 KB, patch), 2010-10-25 08:12 UTC, Tomas Hoger
patch used for tetex (611 bytes, patch), 2012-08-21 04:24 UTC, Huzaifa S. Sidhpurwala


Links
System ID Private Priority Status Summary Last Updated
Launchpad 575107 0 None None None Never
Red Hat Product Errata RHSA-2010:0749 0 normal SHIPPED_LIVE Important: poppler security update 2010-10-07 15:05:08 UTC
Red Hat Product Errata RHSA-2010:0750 0 normal SHIPPED_LIVE Important: xpdf security update 2010-10-07 15:10:43 UTC
Red Hat Product Errata RHSA-2010:0751 0 normal SHIPPED_LIVE Important: xpdf security update 2010-10-07 15:26:14 UTC
Red Hat Product Errata RHSA-2010:0752 0 normal SHIPPED_LIVE Important: gpdf security update 2010-10-07 15:31:37 UTC
Red Hat Product Errata RHSA-2010:0753 0 normal SHIPPED_LIVE Important: kdegraphics security update 2010-10-07 15:52:11 UTC
Red Hat Product Errata RHSA-2010:0754 0 normal SHIPPED_LIVE Important: cups security update 2010-10-07 17:28:10 UTC
Red Hat Product Errata RHSA-2010:0755 0 normal SHIPPED_LIVE Important: cups security update 2010-10-07 17:48:32 UTC
Red Hat Product Errata RHSA-2010:0859 0 normal SHIPPED_LIVE Important: poppler security update 2010-11-09 18:14:53 UTC
Red Hat Product Errata RHSA-2012:1201 0 normal SHIPPED_LIVE Moderate: tetex security update 2012-08-23 18:55:35 UTC

Description Tomas Hoger 2010-05-24 07:59:07 UTC
Sauli Pahlman of CERT-FI provided us with a fuzzed PDF file which causes the xpdf / poppler PDF parser to crash.

The crash is caused by an attempt to dereference the uninitialized Gfx::parser pointer in Gfx::getPos(), which assumes parser is either NULL or a valid Parser pointer.

http://cgit.freedesktop.org/poppler/poppler/tree/poppler/Gfx.cc?id=71063d51#n879
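The bug class described above, as an added example that is not poppler or xpdf code: a reduced Gfx model whose constructor leaves `parser` indeterminate next to the fixed shape that initializes it to NULL. The names Parser::getPos(), display() and endDisplay(), and the idea that `parser` is valid only while a content stream is being displayed, are assumptions for illustration.

```cpp
// Added example, not poppler/xpdf code. Models the CVE-2010-3702 pattern:
// Gfx::getPos() relies on `parser` being NULL or valid, so the constructor
// must establish the NULL state. Parser::getPos(), display() and endDisplay()
// are assumed names, not the real API.
#include <cstddef>

struct Parser {
    int pos;
    explicit Parser(int p) : pos(p) {}
    int getPos() const { return pos; }
};

// Vulnerable shape: `parser` is never written by the constructor, so until
// display() assigns it the member holds whatever bytes the allocation had.
// Reading it in getPos() is undefined behaviour; MemorySanitizer or valgrind
// will flag the uninitialized read, a plain NULL check cannot.
class GfxVulnerable {
public:
    Parser *parser;
    GfxVulnerable() {}   // parser left indeterminate (the defect)
    int getPos() const { return parser ? parser->getPos() : -1; }
};

// Fixed shape: the initializer list guarantees the invariant getPos() assumes.
class Gfx {
public:
    Gfx() : parser(NULL) {}
    void display(Parser *p) { parser = p; }   // valid only while displaying
    void endDisplay() { parser = NULL; }      // restore the NULL state
    int getPos() const { return parser ? parser->getPos() : -1; }
private:
    Parser *parser;
};

// Exercise the lifecycle the NULL check is meant to cover.
int posBeforeDisplay() { Gfx g; return g.getPos(); }                       // -1
int posDuringDisplay() { Gfx g; Parser p(42); g.display(&p); return g.getPos(); }  // 42
int posAfterDisplay() {
    Gfx g; Parser p(42);
    g.display(&p); g.endDisplay();
    return g.getPos();                                                       // -1
}
```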

Comment 2 Tomas Hoger 2010-05-24 08:01:18 UTC
Created attachment 416048 [details]
Proposed patch

This makes sure that parser is initialized to NULL in Gfx constructors.

Comment 3 Tomas Hoger 2010-09-30 06:30:21 UTC
(In reply to comment #2)
> Created attachment 416048 [details]
> Proposed patch
> 
> This makes sure that parser is initialized to NULL in Gfx constructors.

Upstream came up with the identical fix to my proposal based on what seems to be an independent report from Joel Voss:

http://cgit.freedesktop.org/poppler/poppler/commit/?id=e853106b58d6b4b0467dbd6436c9bb1cfbd372cf

http://secunia.com/advisories/41596/

Comment 7 Huzaifa S. Sidhpurwala 2010-10-04 08:54:44 UTC
Created poppler tracking bugs for this issue

Affects: fedora-all [bug 639861]

Comment 14 Tomas Hoger 2010-10-07 14:40:47 UTC
This is likely to affect other applications that embed xpdf code, such as pdfedit and koffice 1.x. The official xpdf patch may appear later this week.

Comment 15 errata-xmlrpc 2010-10-07 15:05:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0749 https://rhn.redhat.com/errata/RHSA-2010-0749.html

Comment 16 errata-xmlrpc 2010-10-07 15:10:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3

Via RHSA-2010:0750 https://rhn.redhat.com/errata/RHSA-2010-0750.html

Comment 17 errata-xmlrpc 2010-10-07 15:26:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0751 https://rhn.redhat.com/errata/RHSA-2010-0751.html

Comment 18 errata-xmlrpc 2010-10-07 15:31:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0752 https://rhn.redhat.com/errata/RHSA-2010-0752.html

Comment 19 errata-xmlrpc 2010-10-07 15:52:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0753 https://rhn.redhat.com/errata/RHSA-2010-0753.html

Comment 20 errata-xmlrpc 2010-10-07 17:28:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3

Via RHSA-2010:0754 https://rhn.redhat.com/errata/RHSA-2010-0754.html

Comment 21 errata-xmlrpc 2010-10-07 17:48:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0755 https://rhn.redhat.com/errata/RHSA-2010-0755.html

Comment 22 Tomas Hoger 2010-10-25 08:12:21 UTC
Created attachment 455425 [details]
xpdf-3.02pl5.patch

xpdf upstream patch - xpdf-3.02pl5.patch

Fixes the issue in the same way poppler patch does.

Comment 23 errata-xmlrpc 2010-11-10 19:17:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0859 https://rhn.redhat.com/errata/RHSA-2010-0859.html

Comment 24 Huzaifa S. Sidhpurwala 2012-08-21 04:24:26 UTC
Created attachment 605823 [details]
patch used for tetex

Comment 26 errata-xmlrpc 2012-08-23 14:58:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1201 https://rhn.redhat.com/errata/RHSA-2012-1201.html

