Bug 498682 (CVE-2009-0947, CVE-2009-0948) - CVE-2009-0947, CVE-2009-0948 file: multiple memory corruption issues
Summary: CVE-2009-0947, CVE-2009-0948 file: multiple memory corruption issues
Alias: CVE-2009-0947, CVE-2009-0948
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://web.nvd.nist.gov/view/vuln/det...
Depends On:
Reported: 2009-05-01 21:17 UTC by Vincent Danen
Modified: 2019-09-29 12:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-05-11 15:40:30 UTC

Attachments
patch from Apple to correct the issues (1.92 KB, patch)
2009-05-01 21:21 UTC, Vincent Danen

Description Vincent Danen 2009-05-01 21:17:37 UTC
Drew Yao of Apple Product Security discovered several memory corruption issues in file 5.00 in the CDF parsing implementation.

The first is an integer overflow in cdf_read_property_info(), and the second is an integer overflow in cdf_read_sat().  Both have been assigned CVE-2009-0947.

The third issue is buffer overflows in cdf_read_sat(), cdf_read_long_sector_chain(), and cdf_read_ssat().  These issues have been assigned CVE-2009-0948.

These issues only affect file 5.00, and not earlier versions, due to introduced support for CDF (Common Document Format) files in file 5.00.  Because of this, only Fedora 11 is affected by these issues.

Comment 2 Vincent Danen 2009-05-01 21:21:52 UTC
Created attachment 342155 [details]
patch from Apple to correct the issues

This is a proposed patch from Drew Yao that corrects the issues.

Comment 4 Vincent Danen 2009-05-01 21:41:03 UTC
Upstream released 5.01:


The announcement notes the CDF issues, but doesn't note the memory corruption issues.

The upstream author also notes:

"These were not the only memory corrupting issues; 5.01 was released
yesterday to address the ones you found and more (Such as DoS
attacks with looping sector chains)."

There are no CVEs assigned based on the upstream changelog, so I suspect this embargo will be short-lived.
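
The description names two bug classes in file's CDF code (integer overflows when sizing buffers in cdf_read_property_info() and cdf_read_sat(), and buffer overflows in the SAT and sector-chain readers), and the upstream note quoted above adds a third (DoS via looping sector chains). The following is an added illustrative example, not file(1)'s own cdf.c and not Apple's patch: a toy CDF-style sector-chain reader in C that carries the three checks whose absence produces those bug classes. All names (cdf_toy_*), the end-of-chain marker value, and the sample image are constructed for the example and are not taken from the file source.

```c
/*
 * Added illustrative example, not file(1)'s own cdf.c: a toy CDF-style
 * sector-chain reader with overflow-checked sizing, bounds-checked sector
 * indices and loop detection. Every name, constant and sample value is
 * constructed for the example.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define CDF_TOY_SECT_END 0xFFFFFFFEu   /* end-of-chain marker (assumed value) */

/* Status codes returned by the reader. */
enum { CDF_TOY_OK = 0, CDF_TOY_ERR_OVERFLOW, CDF_TOY_ERR_BOUNDS,
       CDF_TOY_ERR_LOOP, CDF_TOY_ERR_NOMEM };

/* In-memory file image: nsectors sectors of sector_size bytes, plus a
 * sector allocation table (SAT) mapping sector i to the next sector. */
typedef struct {
    size_t          sector_size;
    size_t          nsectors;
    const uint32_t *sat;    /* nsectors entries */
    const uint8_t  *data;   /* nsectors * sector_size bytes */
} cdf_toy_t;

/* Overflow-checked a * b. Sizing an allocation from an untrusted count
 * without this check is the integer-overflow pattern named in the report. */
int cdf_toy_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Walks the chain starting at `start`, copying each sector into a freshly
 * allocated buffer sized from the verified chain length. On CDF_TOY_OK the
 * caller owns *out (free it) and *outlen is its size in bytes. */
int cdf_toy_read_chain(const cdf_toy_t *f, uint32_t start,
                       uint8_t **out, size_t *outlen)
{
    uint8_t *visited = calloc(f->nsectors ? f->nsectors : 1, 1);
    if (visited == NULL)
        return CDF_TOY_ERR_NOMEM;

    /* Pass 1: measure the chain. Each index is bounds-checked before use,
     * and a sector seen twice means the SAT loops back on itself; without
     * visited[] this loop would never terminate (the looping-chain DoS). */
    size_t count = 0;
    uint32_t s = start;
    while (s != CDF_TOY_SECT_END) {
        if (s >= f->nsectors) { free(visited); return CDF_TOY_ERR_BOUNDS; }
        if (visited[s])       { free(visited); return CDF_TOY_ERR_LOOP; }
        visited[s] = 1;
        count++;
        s = f->sat[s];
    }
    free(visited);

    /* Size the buffer from the measured count, never from a header field. */
    size_t total;
    if (!cdf_toy_mul(count, f->sector_size, &total))
        return CDF_TOY_ERR_OVERFLOW;
    uint8_t *buf = malloc(total ? total : 1);
    if (buf == NULL)
        return CDF_TOY_ERR_NOMEM;

    /* Pass 2: copy. Indices were validated above, so every memcpy stays
     * inside both the source image and the destination buffer. */
    size_t off = 0;
    for (s = start; s != CDF_TOY_SECT_END; s = f->sat[s]) {
        memcpy(buf + off, f->data + (size_t)s * f->sector_size, f->sector_size);
        off += f->sector_size;
    }
    *out = buf;
    *outlen = total;
    return CDF_TOY_OK;
}

/* Constructed sample image: four 8-byte sectors. Chain 0 -> 2 -> END is
 * well formed; chain 1 -> 3 -> 1 loops back on itself. */
static const uint32_t  SAMPLE_SAT[4] = { 2, 3, CDF_TOY_SECT_END, 1 };
static const uint8_t   SAMPLE_DATA[] = "AAAAAAAA" "BBBBBBBB" "CCCCCCCC" "DDDDDDDD";
static const cdf_toy_t SAMPLE_FILE   = { 8, 4, SAMPLE_SAT, SAMPLE_DATA };

/* Reads one chain of the sample image and returns its status code. */
int cdf_toy_sample_status(uint32_t start)
{
    uint8_t *buf = NULL;
    size_t n = 0;
    int rc = cdf_toy_read_chain(&SAMPLE_FILE, start, &buf, &n);
    free(buf);
    return rc;
}

/* Returns 1 if the chain from `start` reads back exactly `expected`. */
int cdf_toy_sample_matches(uint32_t start, const char *expected)
{
    uint8_t *buf = NULL;
    size_t n = 0;
    int ok = cdf_toy_read_chain(&SAMPLE_FILE, start, &buf, &n) == CDF_TOY_OK
          && n == strlen(expected) && memcmp(buf, expected, n) == 0;
    free(buf);
    return ok;
}
```

The reader deliberately sizes its output from the chain it actually walked rather than from any count stored in the file, so a header field cannot drive the allocation size; the visited[] table bounds the walk to at most nsectors steps, which is what turns a looping SAT from a hang into a clean error.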

Comment 5 Vincent Danen 2009-05-04 19:54:33 UTC
Upstream has released 5.02 which corrects these issues.

Comment 7 Vincent Danen 2009-05-11 15:40:30 UTC
File has been updated to 5.02 in Fedora 11, fixing these issues.
