Bug 526915 (CVE-2009-3603) - CVE-2009-3603 xpdf/poppler: SplashBitmap::SplashBitmap integer overflow
Summary: CVE-2009-3603 xpdf/poppler: SplashBitmap::SplashBitmap integer overflow
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-3603
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 527403 527404 527413 527414 527454 527455 527456 527457 527468 527469 530890 833916
Blocks:
Reported: 2009-10-02 13:51 UTC by Tomas Hoger
Modified: 2019-09-29 12:32 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-28 11:02:29 UTC
Embargoed:


Attachments
xpdf upstream patch from Derek B. Noonburg (2.01 KB, patch)
2009-10-02 13:51 UTC, Tomas Hoger


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1504 0 normal SHIPPED_LIVE Important: poppler security and bug fix update 2009-10-15 08:51:17 UTC

Description Tomas Hoger 2009-10-02 13:51:21 UTC
An integer overflow was discovered in SplashBitmap::SplashBitmap when computing memory allocation requirements.  This issue was previously reported as CVE-2009-1188 / bug #495907 and addressed in poppler via a gmalloc -> gmallocn change:
http://cgit.freedesktop.org/poppler/poppler/commit/?id=9cf2325fb2

However, such a fix is not sufficient, as an overflow can occur even during the rowSize calculation.

The Splash output device is not present in xpdf 2.x; it's also not in the xpdf code embedded in CUPS or tetex.
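
An added example (not part of the original report, and not xpdf or poppler code): a C illustration of why an overflow-checked allocator is not enough when the row size has already wrapped before the allocator is called, next to a version that checks every step. The function names, the `bpp` and `pad` parameters and the sample width are assumptions made for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked pattern, shown with unsigned arithmetic so the wrap is well
 * defined: the product is already wrong before any allocator sees it. */
static unsigned row_size_unchecked(unsigned width, unsigned bpp, unsigned pad)
{
    unsigned row = width * bpp;          /* wraps modulo UINT_MAX + 1 */
    row += pad - 1;
    return row - row % pad;
}

/* Checked row size: 0 on success, -1 if any step would overflow int. */
static int row_size_checked(int width, int bpp, int pad, int *out)
{
    if (width <= 0 || bpp <= 0 || pad <= 0) return -1;
    if (width > INT_MAX / bpp) return -1;        /* width * bpp */
    int row = width * bpp;
    if (row > INT_MAX - (pad - 1)) return -1;    /* rounding up to pad */
    row += pad - 1;
    *out = row - row % pad;
    return 0;
}

/* Both stages guarded: the row size first, then row * height. */
static void *bitmap_alloc_checked(int width, int height, int bpp, int pad,
                                  int *row_out)
{
    int row;
    if (height <= 0 || row_size_checked(width, bpp, pad, &row) != 0)
        return NULL;
    if ((size_t)row > SIZE_MAX / (size_t)height) return NULL;
    *row_out = row;
    return calloc((size_t)height, (size_t)row);
}

int main(void)
{
    int row = 0;
    const int w = 0x55555556;            /* constructed: 3 * w exceeds 2^32 */
    printf("unchecked row size: %u\n", row_size_unchecked((unsigned)w, 3, 4));
    printf("checked result:     %d\n", row_size_checked(w, 3, 4, &row));
    void *p = bitmap_alloc_checked(640, 480, 3, 4, &row);
    printf("640x480 RGB: row=%d alloc=%s\n", row, p ? "ok" : "refused");
    free(p);
    return 0;
}
```

With a 32-bit `unsigned`, the unchecked helper reports a 4-byte row for the constructed width, a value that a later checked `row * height` multiplication would accept without complaint.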

Comment 1 Tomas Hoger 2009-10-02 13:51:56 UTC
Created attachment 363486
xpdf upstream patch from Derek B. Noonburg

Comment 12 Tomas Hoger 2009-10-15 07:40:23 UTC
xpdf is fixed now for the CVE-2009-1188/CVE-2009-3603 in xpdf-3.02pl4:
  ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl4.patch
  https://bugzilla.redhat.com/show_bug.cgi?id=526637#c14

Comment 13 errata-xmlrpc 2009-10-15 08:51:47 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1504 https://rhn.redhat.com/errata/RHSA-2009-1504.html

Comment 15 Fedora Update System 2009-10-26 12:18:43 UTC
poppler-0.8.7-7.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/poppler-0.8.7-7.fc10

Comment 16 Fedora Update System 2009-10-26 12:20:10 UTC
poppler-0.10.7-3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/poppler-0.10.7-3.fc11

Comment 17 Fedora Update System 2009-10-27 07:04:41 UTC
poppler-0.8.7-7.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2009-10-27 07:14:40 UTC
poppler-0.10.7-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
