Bug 672181 (CVE-2010-4654) - CVE-2010-4654 xpdf: corruption of the Gfx contexts states stack
Summary: CVE-2010-4654 xpdf: corruption of the Gfx contexts states stack
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-4654
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 734819
TreeView+ depends on / blocked
 
Reported: 2011-01-24 10:25 UTC by Tomas Hoger
Modified: 2023-05-11 16:51 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-19 21:47:15 UTC
Embargoed:


Attachments (Terms of Use)

Description Tomas Hoger 2011-01-24 10:25:24 UTC
Dan Rosenberg reported an issue in xpdf/poppler code base:

  http://thread.gmane.org/gmane.comp.security.oss.general/4109

  Malformed commands may cause corruption of the internal stack used
  to maintain graphics contexts, leading to potentially exploitable
  memory corruption.

Acknowledgements:

Red Hat would like to thank Dan Rosenberg for reporting this issue.

Comment 1 Tomas Hoger 2011-01-24 10:39:02 UTC
Upstream poppler git commit that adds stack guards:
http://cgit.freedesktop.org/poppler/poppler/commit/?id=8284008aa8230a92ba08d547864353d3290e9bf9

This fix changes API and ABI of the Gfx class.  This is part of Xpdf headers bundled in poppler-devel in Fedora and RHEL-6.  poppler upstream makes certain API/ABI stability promises for supported frontends (glib, Qt4), but not for legacy Xpdf APIs, which are used by some programs (texlive, gimp, or openoffice.org).

Comment 4 Tomas Hoger 2011-01-25 15:48:08 UTC
SUSE xpdf packages maintainer tracked this crash down to q (saveState) / Q (restoreState) graphics operations imbalance.  While the patch mentioned in comment #1 adds additional guards to the graphics states stack, earlier commit tries to address q/Q imbalance:
  http://cgit.freedesktop.org/poppler/poppler/commit/?id=17345173

This fix is included in RHEL-6 poppler.  RHEL-5 poppler does not include this fix, but does not seem to crash on the Dan's reproducer either.


Note You need to log in before you can comment on or make changes to this bug.