Bug 5516 - New security issues
Summary: New security issues
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general
Version: unspecified
Hardware: x86 (IA32) Linux (All)
Importance: high critical
Assignee: Kristian Høgsberg
QA Contact:
URL: http://scary.beasts.org/security/b0df...
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2006-01-05 23:46 UTC by Martin Pitt
Modified: 2006-01-11 03:36 UTC

Attachments
patch (186.86 KB, patch), 2006-01-05 23:49 UTC, Martin Pitt
real patch (4.51 KB, patch), 2006-01-05 23:51 UTC, Martin Pitt

Description Martin Pitt 2006-01-05 23:46:52 UTC
Chris Evans discovered some further security issues. On the page mentioned above
are some demo PDFs which reproduce the crashes and can be used to check the patch.

I will attach the patch (original KDE patch by Dirk Mueller, ported to current
poppler 0.4.3 by me).
Comment 1 Martin Pitt 2006-01-05 23:49:00 UTC
Created attachment 4246
patch

For your convenience and for the CVE numbers, this is the changelog I used:

  * SECURITY UPDATE: Multiple integer/buffer overflows.
  * Add debian/patches/003-CVE-2005-3624_5_7.patch:
    - poppler/Stream.cc, CCITTFaxStream::CCITTFaxStream():
      + Check columns for negative or large values.
      + CVE-2005-3624
    - poppler/Stream.cc, numComps checks introduced in CVE-2005-3191 patch:
      + Reset numComps to 0 since it's a global variable that is used later.
      + CVE-2005-3627
    - poppler/Stream.cc, DCTStream::readHuffmanTables():
      + Fix out of bounds array access in Huffman tables.
      + CVE-2005-3627
    - poppler/Stream.cc, DCTStream::readMarker():
      + Check for EOF in while loop to prevent endless loops.
      + CVE-2005-3625
    - poppler/JBIG2Stream.cc, JBIG2Bitmap::JBIG2Bitmap(),
      JBIG2Bitmap::expand(), JBIG2Stream::readHalftoneRegionSeg():
      + Check user supplied width and height against invalid values.
      + Allocate one extra byte to prevent out of bounds access in combine().
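The JBIG2Bitmap entries in the changelog above describe two defensive measures: rejecting invalid user-supplied width and height before the bitmap is allocated, and allocating one extra byte so a later combine() step cannot read past the buffer. The following is an added example written for this page to illustrate that pattern; it is not poppler's own code, and the dimension cap `kMaxBitmapDim`, the function names and the `Bitmap` struct are hypothetical.

```cpp
#include <climits>
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical upper bound on either bitmap dimension (assumed, not poppler's).
constexpr int kMaxBitmapDim = 1 << 20;

// Return the number of bytes to allocate for a w x h 1-bit-per-pixel bitmap,
// including one guard byte, or 0 when the dimensions are invalid.
// An unchecked version would compute h * ((w + 7) / 8) in int and pass the
// result to the allocator: a negative or huge w or h wraps that product to a
// small value, so the buffer is far too short for the rows written into it.
size_t jbig2BitmapAllocSize(int w, int h) {
  // Negative, zero and absurdly large sizes are rejected outright.
  if (w <= 0 || h <= 0 || w > kMaxBitmapDim || h > kMaxBitmapDim) return 0;
  // Rows are packed 8 pixels per byte; w is bounded, so this cannot overflow.
  size_t line = (static_cast<size_t>(w) + 7) / 8;
  // Explicit overflow check on the product so the function stays correct
  // even if the caps above are raised later.
  if (static_cast<size_t>(h) > SIZE_MAX / line) return 0;
  size_t total = line * static_cast<size_t>(h);
  // One extra byte so a combine() step that touches one byte past the last
  // row still lands inside the allocation.
  if (total > SIZE_MAX - 1) return 0;
  return total + 1;
}

struct Bitmap {
  int w = 0, h = 0;
  size_t line = 0;                 // bytes per row
  std::vector<uint8_t> data;       // empty when the dimensions were rejected
  bool ok() const { return !data.empty(); }
};

// Build a zeroed bitmap, or an empty one if the dimensions are invalid.
Bitmap makeBitmap(int w, int h) {
  Bitmap b;
  size_t n = jbig2BitmapAllocSize(w, h);
  if (n == 0) return b;
  b.w = w;
  b.h = h;
  b.line = (static_cast<size_t>(w) + 7) / 8;
  b.data.assign(n, 0);
  return b;
}
```

Callers must check `ok()` (or a zero return from `jbig2BitmapAllocSize`) and abort parsing the segment rather than proceed with an empty bitmap.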
Comment 2 Martin Pitt 2006-01-05 23:51:11 UTC
Created attachment 4247
real patch

Hmm, something went wrong with the previous attachment, sorry.
Comment 3 Kristian Høgsberg 2006-01-11 06:52:38 UTC
Thanks, committed to 0.4.3.  What about CVE-2005-3626?
Comment 4 Kristian Høgsberg 2006-01-11 08:21:44 UTC
I can't reproduce the FlateStream crash described in CVE-2005-3626 with the PDF
mentioned in CESA-2005-003.txt:

  http://scary.beasts.org/misc/pending/bad6.pdf

so I'm going to assume that's fixed.  Closing bug.
Comment 5 Martin Pitt 2006-01-11 22:36:35 UTC
(In reply to comment #3)
> Thanks, committed to 0.4.3.  What about CVE-2005-3626?

This was indeed a newly discovered vulnerability, but the previous set of
patches (CVE-2005-319[123]) already covered it, so it cannot be exploited any more.

So please feel free to add CVE-2005-3626 to the changelog. Also, CVE-2005-3628
was assigned to the fixes in xpdf/JBIG2Stream.cc.
