Bug 638835 - poppler/xpdf: multiple vulnerabilities
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
public=20100924,reported=20100929,sou...
Keywords: Security
Depends On: CVE-2010-3702 CVE-2010-3704 CVE-2010-3703
Reported: 2010-09-30 01:31 EDT by Huzaifa S. Sidhpurwala
Modified: 2015-07-31 02:32 EDT

Doc Type: Bug Fix
Last Closed: 2010-10-06 10:35:09 EDT


Attachments
2fe825deac reproducer (93.59 KB, application/pdf)
2010-10-03 14:58 EDT, Tomas Hoger


External Trackers
Tracker ID Priority Status Summary Last Updated
FreeDesktop.org 30590 None None None Never

Description Huzaifa S. Sidhpurwala 2010-09-30 01:31:36 EDT
Secunia reported multiple vulnerabilities in Poppler, caused due to memory 
leak errors, array indexing errors, and the use of uninitialized memory when
parsing malformed PDF files.
An attacker could use this flaw to create a specially-crafted
pdf file that, when opened, would cause an application linked against
poppler to crash, or, possibly execute arbitrary code.


Secunia link:
http://secunia.com/advisories/41596/

Upstream commits:
http://cgit.freedesktop.org/poppler/poppler/commit/?id=473de6f88a055bb03470b4af5fa584be8cb5fda4
http://cgit.freedesktop.org/poppler/poppler/commit/?id=2fe825deac055be82b220d0127169cb3d61387a8
http://cgit.freedesktop.org/poppler/poppler/commit/?id=d2578bd66129466b2dd114b6407c147598e09d2b
http://cgit.freedesktop.org/poppler/poppler/commit/?id=c6a091512745771894b54a71613fd6b5ca1adcb3
http://cgit.freedesktop.org/poppler/poppler/commit/?id=39d140bfc0b8239bdd96d6a55842034ae5c05473
http://cgit.freedesktop.org/poppler/poppler/commit/?id=a2dab0238a69240dad08eca2083110b52ce488b7
http://cgit.freedesktop.org/poppler/poppler/commit/?id=3422638b2a39cbdd33a114a7d7debc0a5f688501
http://cgit.freedesktop.org/poppler/poppler/commit/?id=e853106b58d6b4b0467dbd6436c9bb1cfbd372cf
http://cgit.freedesktop.org/poppler/poppler/commit/?id=bf2055088a3a2d3bb3d3c37d464954ec1a25771f
http://cgit.freedesktop.org/poppler/poppler/commit/?id=dfdf3602bde47d1be7788a44722c258bfa0c6d6e
http://cgit.freedesktop.org/poppler/poppler/commit/?id=26a5817ffec9f05ac63db6c5cd5b1f0871d271c7
http://cgit.freedesktop.org/poppler/poppler/commit/?id=9706e28657ff7ea52aa69d9efb3f91d0cfaee70b

Comment 5 Tomas Hoger 2010-10-01 10:33:25 EDT
e853106b58, 39d140bfc0 and bf2055088a are tracked via separate bugs.

Some of the referenced commits are not classified as security fixes; for the summary, see:

http://thread.gmane.org/gmane.comp.security.oss.general/3584/focus=3596

Comment 6 Tomas Hoger 2010-10-03 14:57:04 EDT
The crash mentioned in the 2fe825deac commit message seems to be an OBJECT_TYPE_CHECK abort, with impact limited to unexpected application termination, and is not classified as a security fix. This check and abort is specific to more recent poppler versions; the check does not exist in xpdf or the RHEL5 poppler version.

There are additional instances of this problem in poppler code:
  https://bugs.freedesktop.org/show_bug.cgi?id=30590

Comment 7 Tomas Hoger 2010-10-03 14:58:27 EDT
Created attachment 451301
2fe825deac reproducer

Triggers abort when reading malformed /BBox
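
One way to avoid the kind of abort described in comments 6 and 7, as an added example that is not part of the original bug report and is not poppler's own code. It is a simplified C++ model (the `Value` type, `readBBox` and the `make*` helpers are hypothetical) in which the caller confirms that `/BBox` is an array of four numbers before calling an accessor that terminates the process on a type mismatch.

```cpp
#include <cstdio>
#include <cstdlib>
#include <vector>

// Simplified model of a PDF object; hypothetical types, not poppler's Object class.
enum class Type { Null, Int, Real, Name, Array };

struct Value {
    Type type = Type::Null;
    double num = 0;            // meaningful only for Int and Real
    std::vector<Value> items;  // meaningful only for Array

    bool isNum() const { return type == Type::Int || type == Type::Real; }
    bool isArray() const { return type == Type::Array; }

    // Checked accessor: terminates the process on a type mismatch, standing in
    // for the abort-style type check that comment 6 describes.
    double getNum() const {
        if (!isNum()) { std::fputs("type check failed\n", stderr); std::abort(); }
        return num;
    }
};

// Validate shape and element types first, so getNum() is only reached for numbers.
// Returns false for a malformed /BBox and leaves `out` untouched.
bool readBBox(const Value &bbox, double out[4]) {
    if (!bbox.isArray() || bbox.items.size() != 4) return false;
    for (const Value &v : bbox.items)
        if (!v.isNum()) return false;
    for (int i = 0; i < 4; ++i) out[i] = bbox.items[i].getNum();
    return true;
}

// Helpers that build constructed sample objects.
Value makeNum(double d) { Value v; v.type = Type::Real; v.num = d; return v; }
Value makeName() { Value v; v.type = Type::Name; return v; }
Value makeArray(std::vector<Value> items) {
    Value v; v.type = Type::Array; v.items = items; return v;
}

int main() {
    double box[4] = {0, 0, 0, 0};
    Value good = makeArray({makeNum(0), makeNum(0), makeNum(612), makeNum(792)});
    Value bad = makeArray({makeNum(0), makeName(), makeNum(612), makeNum(792)});  // constructed malformed input
    std::printf("good: %d\n", readBBox(good, box));
    std::printf("bad:  %d\n", readBBox(bad, box));
    return 0;
}
```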

Comment 9 Huzaifa S. Sidhpurwala 2010-10-06 10:35:09 EDT
Issues are tracked using separate bugs mentioned in "Depends on".
