Bug 672181 - (CVE-2010-4654) CVE-2010-4654 xpdf: corruption of the Gfx contexts states stack
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Severity: high
Assigned To: Red Hat Product Security
impact=important,source=vendor-sec,re...
Blocks: 734819
Reported: 2011-01-24 05:25 EST by Tomas Hoger
Modified: 2015-07-31 02:36 EDT (History)

Doc Type: Bug Fix
Description Tomas Hoger 2011-01-24 05:25:24 EST
Dan Rosenberg reported an issue in xpdf/poppler code base:

  http://thread.gmane.org/gmane.comp.security.oss.general/4109

  Malformed commands may cause corruption of the internal stack used
  to maintain graphics contexts, leading to potentially exploitable
  memory corruption.

Acknowledgements:

Red Hat would like to thank Dan Rosenberg for reporting this issue.
Comment 1 Tomas Hoger 2011-01-24 05:39:02 EST
Upstream poppler git commit that adds stack guards:
http://cgit.freedesktop.org/poppler/poppler/commit/?id=8284008aa8230a92ba08d547864353d3290e9bf9

This fix changes the API and ABI of the Gfx class.  This is part of the Xpdf headers bundled in poppler-devel in Fedora and RHEL-6.  poppler upstream makes certain API/ABI stability promises for supported frontends (glib, Qt4), but not for the legacy Xpdf APIs, which are used by some programs (texlive, gimp, or openoffice.org).
Comment 4 Tomas Hoger 2011-01-25 10:48:08 EST
The SUSE xpdf package maintainer tracked this crash down to a q (saveState) / Q (restoreState) graphics operation imbalance.  While the patch mentioned in comment #1 adds additional guards to the graphics state stack, an earlier commit tries to address the q/Q imbalance:
  http://cgit.freedesktop.org/poppler/poppler/commit/?id=17345173

This fix is included in RHEL-6 poppler.  RHEL-5 poppler does not include this fix, but does not seem to crash on Dan's reproducer either.
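As an added illustration (not code from this bug report or from poppler/xpdf), the following Python check walks a PDF content stream and tracks the q/Q nesting that comments #1 and #4 describe: a Q with nothing left to restore, or q pushes never closed, is exactly the imbalance the upstream stack guards defend against. The tokenizer is deliberately simplified (no nested parentheses inside literal strings, no inline image data) and the depth limit is an assumed value, not the one poppler uses.

```python
import re

# Simplified PDF content-stream tokenizer (constructed for this example).
# Strings, names and comments are matched first so that a 'q' or 'Q'
# appearing inside them is not mistaken for an operator.
TOKEN_RE = re.compile(r"""
    \((?:\\.|[^\\)])*\)     # literal string (nested parens not handled)
  | <[0-9A-Fa-f\s]*>        # hex string
  | /[^\s/\[\]<>(){}%]*     # name object
  | %[^\n]*                 # comment
  | <<|>>                   # dict delimiters
  | [\[\]{}]                # array / procedure delimiters
  | [^\s\[\]{}<>()/%]+      # number or operator
""", re.VERBOSE)


def check_gstate_balance(stream: str, max_depth: int = 256):
    """Replay q/Q against a counter instead of a real graphics state stack.

    Returns (deepest_nesting_seen, list_of_problems).  max_depth is an
    assumed cap standing in for the kind of guard the upstream fix adds.
    """
    depth = 0
    deepest = 0
    problems = []
    for i, m in enumerate(TOKEN_RE.finditer(stream)):
        tok = m.group(0)
        if tok == "q":                      # saveState: push
            depth += 1
            deepest = max(deepest, depth)
            if depth > max_depth:
                problems.append(f"token {i}: q nesting exceeds {max_depth}")
        elif tok == "Q":                    # restoreState: pop
            if depth == 0:
                # The case the bug is about: restore with an empty stack.
                problems.append(f"token {i}: Q with empty state stack")
            else:
                depth -= 1
    if depth > 0:
        problems.append(f"end of stream: {depth} unclosed q")
    return deepest, problems


if __name__ == "__main__":
    # Constructed sample streams: balanced, extra Q, and unclosed q.
    for s in ("q 1 0 0 1 10 20 cm BT /F1 12 Tf (q Q) Tj ET Q",
              "q Q Q 0 0 m 10 10 l S",
              "q q 0 g"):
        print(repr(s), "->", check_gstate_balance(s))
```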
