Bug 638960 (CVE-2010-3704) - CVE-2010-3704 xpdf: array indexing error in FoFiType1::parse()
Summary: CVE-2010-3704 xpdf: array indexing error in FoFiType1::parse()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-3704
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 639829 639830 639831 639832 639833 639834 639839 639840 639841 639842 639859 639860 639861 639868 639875 652108 773178 773180 833917
Blocks: 638835
 
Reported: 2010-09-30 13:52 UTC by Tomas Hoger
Modified: 2019-09-29 12:39 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-26 15:46:12 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0749 normal SHIPPED_LIVE Important: poppler security update 2010-10-07 15:05:08 UTC
Red Hat Product Errata RHSA-2010:0751 normal SHIPPED_LIVE Important: xpdf security update 2010-10-07 15:26:14 UTC
Red Hat Product Errata RHSA-2010:0752 normal SHIPPED_LIVE Important: gpdf security update 2010-10-07 15:31:37 UTC
Red Hat Product Errata RHSA-2010:0753 normal SHIPPED_LIVE Important: kdegraphics security update 2010-10-07 15:52:11 UTC
Red Hat Product Errata RHSA-2010:0859 normal SHIPPED_LIVE Important: poppler security update 2010-11-09 18:14:53 UTC
Red Hat Product Errata RHSA-2012:1201 normal SHIPPED_LIVE Moderate: tetex security update 2012-08-23 18:55:35 UTC

Description Tomas Hoger 2010-09-30 13:52:36 UTC
An array indexing error was found in the way xpdf / poppler parsed Type1 fonts embedded in PDF documents.  In FoFiType1::parse(), the text representation of the numeric code value was converted to an integer value using atoi().  This value was checked to ensure it's less than 256, but there was no check to ensure it's not negative (the string passed to atoi() was checked to only contain characters '0'-'9' before the call though).  On platforms where atoi() could return a negative result when parsing large positive values (exceeding INT_MAX), this could lead to a write out of array bounds due to use of a negative index.

poppler upstream commit:
http://cgit.freedesktop.org/poppler/poppler/commit/?id=39d140bfc0b8239bdd96d6a55842034ae5c05473

Reference:
http://secunia.com/advisories/41596/

Comment 2 Tomas Hoger 2010-09-30 14:00:14 UTC
(In reply to comment #0)
> On platforms where atoi() could return a negative result when parsing large
> positive values (exceeding INT_MAX), this could lead to a write out of
> array bounds due to use of a negative index.

This does happen on e.g. x86_64, but does not happen on i386.

Affected code is present in xpdf versions 3.00 and later; it is not part of xpdf 2.x (so EL3 is not affected, and EL4 tetex is not affected).
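The following is an added illustration of the pattern described in the report and in comment 2; it is not xpdf or poppler code, and the function names (parse_code_vulnerable, parse_code_safe, set_encoding_entry) and the 256-slot table are assumptions made for the example. It places the described check (digits-only precheck, atoi(), upper bound only) beside a parse that rejects anything outside 0..255 before the value is used as an index. On an LP64 platform such as x86_64, atoi() of a value above INT_MAX can wrap to a negative int that passes the `< 256` test; on i386, strtol() saturates at LONG_MAX == INT_MAX, which the upper-bound check rejects, matching the platform difference noted above.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example code written for this bug page, not xpdf/poppler code.
 * A Type1 "Encoding" entry carries a numeric code in text form that is
 * used as an index into a 256-slot encoding table (size assumed here). */
#define ENCODING_SIZE 256

/* Returns 1 if s is non-empty and consists only of '0'-'9'.
 * Mirrors the digits-only precheck the report describes. */
static int all_digits(const char *s) {
    if (*s == '\0') return 0;
    for (; *s; ++s) {
        if (*s < '0' || *s > '9') return 0;
    }
    return 1;
}

/* Vulnerable pattern as described in the report: digits-only check,
 * atoi(), then only an upper-bound check. Returns the index that would
 * be used (a negative value means an out-of-bounds index would be used),
 * or -1 when the upper-bound check rejects the value. The result for
 * inputs above INT_MAX is implementation-defined, which is the bug. */
int parse_code_vulnerable(const char *s) {
    if (!all_digits(s)) return -1;
    int code = atoi(s);         /* may wrap negative on LP64 for > INT_MAX */
    if (code < ENCODING_SIZE)   /* no check for code < 0 */
        return code;
    return -1;
}

/* Hardened parse: strtol() with errno, and a full-range check
 * 0 <= code < ENCODING_SIZE before the value is ever used as an index.
 * Returns -1 for anything that is not a valid table index. */
int parse_code_safe(const char *s) {
    if (!all_digits(s)) return -1;
    errno = 0;
    char *end = NULL;
    long code = strtol(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0') return -1;
    if (code < 0 || code >= ENCODING_SIZE) return -1;
    return (int)code;
}

/* Assigns a glyph name to a slot in the encoding table using the hardened
 * parser. Returns 0 on success, -1 if the code string was rejected. */
int set_encoding_entry(const char *table[ENCODING_SIZE], const char *code_str,
                       const char *glyph_name) {
    int code = parse_code_safe(code_str);
    if (code < 0) return -1;
    table[code] = glyph_name;
    return 0;
}

int main(void) {
    /* Constructed sample inputs, including a value just above INT_MAX. */
    const char *samples[] = { "65", "255", "256", "2147483648", "12a", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i) {
        printf("%-12s vulnerable=%d safe=%d\n", samples[i],
               parse_code_vulnerable(samples[i]), parse_code_safe(samples[i]));
    }
    return 0;
}
```

Running the block prints the index each parser would use for every sample; the "2147483648" row is the one whose vulnerable result differs between x86_64 and i386, while the hardened parser rejects it on both.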

Comment 4 Huzaifa S. Sidhpurwala 2010-10-04 08:55:33 UTC
Created poppler tracking bugs for this issue

Affects: fedora-all [bug 639861]

Comment 7 Tomas Hoger 2010-10-07 14:40:42 UTC
This is likely to affect other applications that embed xpdf code, such as pdfedit and koffice 1.x.  An official xpdf patch may appear later this week.

Comment 8 errata-xmlrpc 2010-10-07 15:05:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0749 https://rhn.redhat.com/errata/RHSA-2010-0749.html

Comment 9 errata-xmlrpc 2010-10-07 15:26:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0751 https://rhn.redhat.com/errata/RHSA-2010-0751.html

Comment 10 errata-xmlrpc 2010-10-07 15:31:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0752 https://rhn.redhat.com/errata/RHSA-2010-0752.html

Comment 11 errata-xmlrpc 2010-10-07 15:52:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0753 https://rhn.redhat.com/errata/RHSA-2010-0753.html

Comment 12 Tomas Hoger 2010-10-25 08:13:09 UTC
xpdf upstream fixed this via xpdf-3.02pl5.patch, see bug #595245, comment #22.

Comment 13 errata-xmlrpc 2010-11-10 19:17:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0859 https://rhn.redhat.com/errata/RHSA-2010-0859.html

Comment 14 errata-xmlrpc 2012-08-23 14:58:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1201 https://rhn.redhat.com/errata/RHSA-2012-1201.html

