Chris Evans discovered some further security issues. On the page mentioned above are some demo PDFs which reproduce the crashes and can be used to check the patch. I will attach the patch (original KDE patch by Dirk Mueller, ported to current poppler 0.4.3 by me).
Created attachment 4246: patch

For your convenience and for the CVE numbers, this is the changelog I used:

* SECURITY UPDATE: Multiple integer/buffer overflows.
* Add debian/patches/003-CVE-2005-3624_5_7.patch:
  - poppler/Stream.cc, CCITTFaxStream::CCITTFaxStream():
    + Check columns for negative or large values.
    + CVE-2005-3624
  - poppler/Stream.cc, numComps checks introduced in CVE-2005-3191 patch:
    + Reset numComps to 0 since it's a global variable that is used later.
    + CVE-2005-3627
  - poppler/Stream.cc, DCTStream::readHuffmanTables():
    + Fix out of bounds array access in Huffman tables.
    + CVE-2005-3627
  - poppler/Stream.cc, DCTStream::readMarker():
    + Check for EOF in while loop to prevent endless loops.
    + CVE-2005-3625
  - poppler/JBIG2Stream.cc, JBIG2Bitmap::JBIG2Bitmap(), JBIG2Bitmap::expand(), JBIG2Stream::readHalftoneRegionSeg():
    + Check user supplied width and height against invalid values.
    + Allocate one extra byte to prevent out of bounds access in combine().
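Two of the changelog items above (validating user-supplied bitmap width/height before allocating, and checking for EOF inside the marker-scanning loop) are generic defensive patterns. The following is an added illustration of those two patterns, not poppler's or xpdf's code and not the attached patch: the helper names (check_bitmap_dims, read_marker and the two wrappers) and the sample byte buffers are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: validate bitmap dimensions coming from the file.
 * Rejects negative or zero sizes and any width*height whose 1-bit-per-pixel
 * byte count would overflow size_t. On success stores the byte count to
 * allocate, including one spare byte so a combine()-style loop that touches
 * one byte past the last row stays inside the allocation. */
int check_bitmap_dims(int width, int height, size_t *out_bytes) {
    if (width <= 0 || height <= 0)
        return 0;                       /* negative or zero: invalid */
    size_t row_bytes = ((size_t)width + 7) / 8;   /* round up to whole bytes */
    if (row_bytes > SIZE_MAX / (size_t)height)
        return 0;                       /* row_bytes * height would overflow */
    size_t total = row_bytes * (size_t)height;
    if (total == SIZE_MAX)
        return 0;                       /* no room for the spare byte */
    *out_bytes = total + 1;
    return 1;
}

/* Convenience wrapper for testing: byte count to allocate, or 0 if rejected. */
size_t bitmap_bytes_or_zero(int width, int height) {
    size_t n = 0;
    return check_bitmap_dims(width, height, &n) ? n : 0;
}

/* Hypothetical marker scanner over an in-memory buffer, shaped like a JPEG
 * readMarker(): skip to the next 0xFF, skip any 0xFF fill bytes, return the
 * marker byte. Every read checks for end of input and returns -1 (EOF)
 * instead of spinning forever on a truncated stream. */
int read_marker(const unsigned char *buf, size_t len, size_t *pos) {
    int c;
    do {
        if (*pos >= len) return -1;     /* EOF inside the loop: stop */
        c = buf[(*pos)++];
    } while (c != 0xFF);
    do {
        if (*pos >= len) return -1;     /* EOF after 0xFF run: stop */
        c = buf[(*pos)++];
    } while (c == 0xFF);                /* 0xFF fill bytes are skipped */
    return c;
}

/* Convenience wrapper for testing: first marker in the buffer, or -1. */
int first_marker(const unsigned char *buf, size_t len) {
    size_t pos = 0;
    return read_marker(buf, len, &pos);
}

int main(void) {
    /* constructed inputs */
    const unsigned char soi[]       = { 0x12, 0xFF, 0xFF, 0xD8, 0x00 };
    const unsigned char truncated[] = { 0x12, 0x34, 0xFF };

    printf("8x4 bitmap -> %zu bytes\n", bitmap_bytes_or_zero(8, 4));
    printf("-1x4 bitmap -> %zu (0 = rejected)\n", bitmap_bytes_or_zero(-1, 4));
    printf("marker in soi[]: 0x%02X\n", first_marker(soi, sizeof soi));
    printf("marker in truncated[]: %d (-1 = EOF)\n",
           first_marker(truncated, sizeof truncated));
    return 0;
}
```

The dimension check uses a division against SIZE_MAX rather than computing the product and testing it afterwards, because the product itself is what overflows; the marker loop puts the bound check before every read so a stream that ends mid-scan returns EOF rather than looping.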
Created attachment 4247: real patch

Hmm, something went wrong with the previous attachment, sorry.
Thanks, committed to 0.4.3. What about CVE-2005-3626?
I can't reproduce the FlateStream crash described in CVE-2005-3626 with the PDF mentioned in CESA-2005-003.txt: http://scary.beasts.org/misc/pending/bad6.pdf so I'm going to assume that's fixed. Closing bug.
(In reply to comment #3)
> Thanks, committed to 0.4.3. What about CVE-2005-3626?

This was indeed a newly discovered vulnerability, but the previous set of patches (CVE-2005-319[123]) already covered it, so it cannot be exploited any more. So please feel free to add CVE-2005-3626 to the changelog. Also, CVE-2005-3628 was assigned to the fixes in xpdf/JBIG2Stream.cc.