638835 – poppler/xpdf: multiple vulnerabilities

Bug 638835 - poppler/xpdf: multiple vulnerabilities

Summary: poppler/xpdf: multiple vulnerabilities

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	CVE-2010-3702 CVE-2010-3704 CVE-2010-3703
Blocks:
TreeView+	depends on / blocked

Reported:	2010-09-30 05:31 UTC by Huzaifa S. Sidhpurwala
Modified:	2019-09-29 12:39 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2010-10-06 14:35:09 UTC
Embargoed:

Attachments	(Terms of Use)
2fe825deac reproducer (93.59 KB, application/pdf) 2010-10-03 18:58 UTC, Tomas Hoger	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
FreeDesktop.org	30590	0	None	None	None	Never

Description Huzaifa S. Sidhpurwala 2010-09-30 05:31:36 UTC

Secunia reported multiple vulnerabilities in Poppler, caused due to memory 
leak errors, array indexing errors, and the use of uninitialized memory when
parsing malformed PDF files.
An attacker could use this flaw to create a specially-crafted
pdf file that, when opened, would cause an application linked against
poppler to crash, or, possibly execute arbitrary code.


Secunia link:
http://secunia.com/advisories/41596/

Upstream commits:
http://cgit.freedesktop.org/poppler/poppler/commit/?id=473de6f88a055bb03470b4af5fa584be8cb5fda4
http://cgit.freedesktop.org/poppler/poppler/commit/?id=2fe825deac055be82b220d0127169cb3d61387a8
http://cgit.freedesktop.org/poppler/poppler/commit/?id=d2578bd66129466b2dd114b6407c147598e09d2b
http://cgit.freedesktop.org/poppler/poppler/commit/?id=c6a091512745771894b54a71613fd6b5ca1adcb3
http://cgit.freedesktop.org/poppler/poppler/commit/?id=39d140bfc0b8239bdd96d6a55842034ae5c05473
http://cgit.freedesktop.org/poppler/poppler/commit/?id=a2dab0238a69240dad08eca2083110b52ce488b7
http://cgit.freedesktop.org/poppler/poppler/commit/?id=3422638b2a39cbdd33a114a7d7debc0a5f688501
http://cgit.freedesktop.org/poppler/poppler/commit/?id=e853106b58d6b4b0467dbd6436c9bb1cfbd372cf
http://cgit.freedesktop.org/poppler/poppler/commit/?id=bf2055088a3a2d3bb3d3c37d464954ec1a25771f
http://cgit.freedesktop.org/poppler/poppler/commit/?id=dfdf3602bde47d1be7788a44722c258bfa0c6d6e
http://cgit.freedesktop.org/poppler/poppler/commit/?id=26a5817ffec9f05ac63db6c5cd5b1f0871d271c7
http://cgit.freedesktop.org/poppler/poppler/commit/?id=9706e28657ff7ea52aa69d9efb3f91d0cfaee70b

Comment 5 Tomas Hoger 2010-10-01 14:33:25 UTC

e853106b58, 39d140bfc0 and bf2055088a are tracked via separate bugs.

Some of the referenced commits are not classified as security fixes, for the summary, see:

http://thread.gmane.org/gmane.comp.security.oss.general/3584/focus=3596

Comment 6 Tomas Hoger 2010-10-03 18:57:04 UTC

Crash mentioned in 2fe825deac commit message seems to be OBJECT_TYPE_CHECK abort, with impact limited to unexpected application termination and is not classified as security fix.  This check and abort is specific to more recent poppler versions, the check does not exist in xpdf or RHEL5 poppler version.

There are additional instance of this problem in poppler code:
  https://bugs.freedesktop.org/show_bug.cgi?id=30590

Comment 7 Tomas Hoger 2010-10-03 18:58:27 UTC

Created attachment 451301 [details]
2fe825deac reproducer

Triggers abort when reading malformed /BBox

Comment 9 Huzaifa S. Sidhpurwala 2010-10-06 14:35:09 UTC

Issue are tracked using separate bugs mentioned in "Depends on".

Note You need to log in before you can comment on or make changes to this bug.