Bug 595245 (CVE-2010-3702) - CVE-2010-3702 xpdf: uninitialized Gfx::parser pointer dereference
Summary: CVE-2010-3702 xpdf: uninitialized Gfx::parser pointer dereference
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-3702
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: Engineering639826 Engineering639827 Engineering639828 Engineering639829 Engineering639830 Engineering639831 Engineering639832 Engineering639833 Engineering639834 Engineering639835 Engineering639836 Engineering639837 Engineering639838 Engineering639839 Engineering639840 Engineering639841 Engineering639842 Engineering639859 Engineering639860 639861 Engineering639868 Engineering639875 652108 Engineering773177 Engineering773178 Engineering773180 Engineering833917
Blocks: 638835
TreeView+ depends on / blocked
 
Reported: 2010-05-24 07:59 UTC by Tomas Hoger
Modified: 2019-09-29 12:36 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-09-15 16:48:21 UTC

Attachments (Terms of Use)
Proposed patch (609 bytes, patch)
2010-05-24 08:01 UTC, Tomas Hoger 		no flags Details | Diff
xpdf-3.02pl5.patch (1.04 KB, patch)
2010-10-25 08:12 UTC, Tomas Hoger 		no flags Details | Diff
patch used for tetex (611 bytes, patch)
2012-08-21 04:24 UTC, Huzaifa S. Sidhpurwala 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Launchpad 575107 0 None None None Never
Red Hat Product Errata RHSA-2010:0749 0 normal SHIPPED_LIVE Important: poppler security update 2010-10-07 15:05:08 UTC
Red Hat Product Errata RHSA-2010:0750 0 normal SHIPPED_LIVE Important: xpdf security update 2010-10-07 15:10:43 UTC
Red Hat Product Errata RHSA-2010:0751 0 normal SHIPPED_LIVE Important: xpdf security update 2010-10-07 15:26:14 UTC
Red Hat Product Errata RHSA-2010:0752 0 normal SHIPPED_LIVE Important: gpdf security update 2010-10-07 15:31:37 UTC
Red Hat Product Errata RHSA-2010:0753 0 normal SHIPPED_LIVE Important: kdegraphics security update 2010-10-07 15:52:11 UTC
Red Hat Product Errata RHSA-2010:0754 0 normal SHIPPED_LIVE Important: cups security update 2010-10-07 17:28:10 UTC
Red Hat Product Errata RHSA-2010:0755 0 normal SHIPPED_LIVE Important: cups security update 2010-10-07 17:48:32 UTC
Red Hat Product Errata RHSA-2010:0859 0 normal SHIPPED_LIVE Important: poppler security update 2010-11-09 18:14:53 UTC
Red Hat Product Errata RHSA-2012:1201 0 normal SHIPPED_LIVE Moderate: tetex security update 2012-08-23 18:55:35 UTC

Description Tomas Hoger 2010-05-24 07:59:07 UTC 
Sauli Pahlman of CERT-FI provided us with fuzzed PDF file which causes xpdf / poppler PDF parser to crash.

The crash is caused by an attempt to dereference uninitialized Gfx::parser pointer in Gfx::getPos(), which assumes parser is either NULL or valid Parser pointer.

http://cgit.freedesktop.org/poppler/poppler/tree/poppler/Gfx.cc?id=71063d51#n879
Comment 2 Tomas Hoger 2010-05-24 08:01:18 UTC 
Created attachment 416048 [details]
Proposed patch

This makes sure that parser in initialized to NULL in Gfx constructors.
Comment 3 Tomas Hoger 2010-09-30 06:30:21 UTC 
(In reply to comment #2)
> Created attachment 416048 [details]
> Proposed patch
> 
> This makes sure that parser in initialized to NULL in Gfx constructors.

Upstream came up with the identical fix to my proposal based on what seems to be an independent report from Joel Voss:

http://cgit.freedesktop.org/poppler/poppler/commit/?id=e853106b58d6b4b0467dbd6436c9bb1cfbd372cf

http://secunia.com/advisories/41596/
Comment 7 Huzaifa S. Sidhpurwala 2010-10-04 08:54:44 UTC 
Created poppler tracking bugs for this issue

Affects: fedora-all [bug 639861]
Comment 14 Tomas Hoger 2010-10-07 14:40:47 UTC 
This is likely to affect other applications that embed xpdf code, such as pdfedit and koffice 1.x.  Official xpdf patch may appear later this week.
Comment 15 errata-xmlrpc 2010-10-07 15:05:17 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0749 https://rhn.redhat.com/errata/RHSA-2010-0749.html
Comment 16 errata-xmlrpc 2010-10-07 15:10:54 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2010:0750 https://rhn.redhat.com/errata/RHSA-2010-0750.html
Comment 17 errata-xmlrpc 2010-10-07 15:26:24 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0751 https://rhn.redhat.com/errata/RHSA-2010-0751.html
Comment 18 errata-xmlrpc 2010-10-07 15:31:49 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0752 https://rhn.redhat.com/errata/RHSA-2010-0752.html
Comment 19 errata-xmlrpc 2010-10-07 15:52:21 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0753 https://rhn.redhat.com/errata/RHSA-2010-0753.html
Comment 20 errata-xmlrpc 2010-10-07 17:28:17 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2010:0754 https://rhn.redhat.com/errata/RHSA-2010-0754.html
Comment 21 errata-xmlrpc 2010-10-07 17:48:40 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0755 https://rhn.redhat.com/errata/RHSA-2010-0755.html
Comment 22 Tomas Hoger 2010-10-25 08:12:21 UTC 
Created attachment 455425 [details]
xpdf-3.02pl5.patch

xpdf upstream patch - xpdf-3.02pl5.patch

Fixes the issue in the same way poppler patch does.
Comment 23 errata-xmlrpc 2010-11-10 19:17:55 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0859 https://rhn.redhat.com/errata/RHSA-2010-0859.html
Comment 24 Huzaifa S. Sidhpurwala 2012-08-21 04:24:26 UTC 
Created attachment 605823 [details]
patch used for tetex
Comment 26 errata-xmlrpc 2012-08-23 14:58:01 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1201 https://rhn.redhat.com/errata/RHSA-2012-1201.html
Note You need to log in before you can comment on or make changes to this bug.