Bug 5516

Summary: New security issues
Product: poppler Reporter: Martin Pitt <martin.pitt>
Component: general    Assignee: Kristian Høgsberg <krh>
Status: RESOLVED FIXED QA Contact:
Severity: critical    
Priority: high    
Version: unspecified   
Hardware: x86 (IA32)   
OS: Linux (All)   
URL: http://scary.beasts.org/security/b0dfca810501f2da/CESA-2005-003.txt
Whiteboard:
Attachments: patch
real patch

Description Martin Pitt 2006-01-05 23:46:52 UTC
Chris Evans discovered some further security issues. On the page mentioned above
are some demo PDFs which reproduce the crashes and can be used to check the patch.

I will attach the patch (original KDE patch by Dirk Mueller, ported to current
poppler 0.4.3 by me).
Comment 1 Martin Pitt 2006-01-05 23:49:00 UTC
Created attachment 4246 [details] [review]
patch

For your convenience and for the CVE numbers, this is the changelog I used:

  * SECURITY UPDATE: Multiple integer/buffer overflows.
  * Add debian/patches/003-CVE-2005-3624_5_7.patch:
    - poppler/Stream.cc, CCITTFaxStream::CCITTFaxStream():
      + Check columns for negative or large values.
      + CVE-2005-3624
    - poppler/Stream.cc, numComps checks introduced in CVE-2005-3191 patch:
      + Reset numComps to 0 since it's a global variable that is used later.
      + CVE-2005-3627
    - poppler/Stream.cc, DCTStream::readHuffmanTables():
      + Fix out of bounds array access in Huffman tables.
      + CVE-2005-3627
    - poppler/Stream.cc, DCTStream::readMarker():
      + Check for EOF in while loop to prevent endless loops.
      + CVE-2005-3625
    - poppler/JBIG2Stream.cc, JBIG2Bitmap::JBIG2Bitmap(),
      JBIG2Bitmap::expand(), JBIG2Stream::readHalftoneRegionSeg():
      + Check user supplied width and height against invalid values.
      + Allocate one extra byte to prevent out of bounds access in combine().
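The changelog above names two recurring defensive patterns: validating user-supplied dimensions (and the size arithmetic built from them) before allocating, and checking for end of input on every step of a marker-scanning loop so a truncated stream cannot spin forever. The following is an added example written for this page; it is not poppler's code and not the attached patch. The function names, the MAX_DIM limit and the sample byte strings are assumptions constructed for illustration.

```c
/* Added example, not poppler's code: stand-alone versions of the two kinds
 * of checks described in the changelog. Names and limits are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Upper bound on a single bitmap dimension (assumption). Chosen so that
 * bytes-per-row times height cannot overflow size_t even on 32-bit hosts. */
#define MAX_DIM 0x7fff

/* Byte size of a 1-bit-per-pixel bitmap plus one slack byte, as the
 * JBIG2Bitmap fix describes. Returns 0 if width/height are negative, too
 * large, or the multiplication would overflow; otherwise the size (>= 1). */
size_t safe_bitmap_size(int width, int height)
{
    if (width < 0 || height < 0)
        return 0;
    if (width > MAX_DIM || height > MAX_DIM)
        return 0;
    size_t line = ((size_t)width + 7) / 8;              /* bytes per row */
    if (height != 0 && line > SIZE_MAX / (size_t)height) /* overflow guard */
        return 0;
    size_t total = line * (size_t)height;
    if (total > SIZE_MAX - 1)
        return 0;
    return total + 1; /* +1: slack byte so a one-past-the-end read stays in bounds */
}

/* Scan a DCT-style byte stream for the next 0xFF-prefixed marker starting at
 * *pos. Returns the marker code (1..255) or -1 at end of input. Every loop
 * tests *pos against len, so a truncated stream terminates instead of looping
 * forever. A 0xFF 0x00 pair is a stuffed data byte, not a marker, and is skipped. */
int next_marker(const unsigned char *buf, size_t len, size_t *pos)
{
    for (;;) {
        while (*pos < len && buf[*pos] != 0xFF)   /* find next 0xFF */
            (*pos)++;
        if (*pos >= len)
            return -1;                            /* EOF: stop, do not spin */
        while (*pos < len && buf[*pos] == 0xFF)   /* skip 0xFF padding */
            (*pos)++;
        if (*pos >= len)
            return -1;                            /* stream ended on 0xFF */
        int code = buf[(*pos)++];
        if (code != 0x00)
            return code;
    }
}

/* Constructed sample streams (not taken from any real file). */
const unsigned char sample_stream[]    = {0x12, 0xFF, 0xFF, 0xD8, 0xFF, 0x00, 0xFF, 0xC4};
const unsigned char truncated_stream[] = {0x12, 0xFF}; /* ends on a bare 0xFF */

int main(void)
{
    size_t pos = 0;
    int m;
    printf("8x2 bitmap: %zu bytes\n", safe_bitmap_size(8, 2));
    printf("-1x2 bitmap: %zu (0 = rejected)\n", safe_bitmap_size(-1, 2));
    while ((m = next_marker(sample_stream, sizeof sample_stream, &pos)) != -1)
        printf("marker 0x%02X\n", m);
    pos = 0;
    printf("truncated: %d\n", next_marker(truncated_stream, sizeof truncated_stream, &pos));
    return 0;
}
```

The size helper returns 0 on rejection rather than a clamped value so that a caller cannot silently continue with a smaller buffer than the later drawing code expects; the marker scanner consumes at least one byte per iteration and re-checks the bound after every skip, which is the property the CVE-2005-3625 fix restores.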
Comment 2 Martin Pitt 2006-01-05 23:51:11 UTC
Created attachment 4247 [details] [review]
real patch

hmm, something went wrong with the previous attachment, sorry.
Comment 3 Kristian Høgsberg 2006-01-11 06:52:38 UTC
Thanks, committed to 0.4.3.  What about CVE-2005-3626?
Comment 4 Kristian Høgsberg 2006-01-11 08:21:44 UTC
I can't reproduce the FlateStream crash described in CVE-2005-3626 with the PDF
mentioned in CESA-2005-003.txt:

  http://scary.beasts.org/misc/pending/bad6.pdf

so I'm going to assume that's fixed.  Closing bug.
Comment 5 Martin Pitt 2006-01-11 22:36:35 UTC
(In reply to comment #3)
> Thanks, committed to 0.4.3.  What about CVE-2005-3626?

This was indeed a newly discovered vulnerability, but the previous set of
patches (CVE-2005-319[123]) already covered it, so it cannot be exploited any more.

So please feel free to add CVE-2005-3626 to the changelog. Also, CVE-2005-3628
was assigned to the fixes in xpdf/JBIG2Stream.cc.
