75191 2004-12-21 08:44 0000 app-text/xpdf: New buffer overflow (CAN-2004-1125) 2006-03-23 19:21:02 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED http://www.idefense.com/application/poi/display?id=172&type=vulnerabilities&flashstatus=true A2 [glsa] P2 major --- 1 koon@gentoo.org security@gentoo.org printing@gentoo.org koon@gentoo.org 2004-12-21 08:44:11 0000 Multiple Vendor xpdf PDF Viewer Buffer Overflow Vulnerability iDEFENSE Security Advisory 12.21.04 www.idefense.com/application/poi/display?id=172&type=vulnerabilities December 21, 2004 I. BACKGROUND Xpdf is an open-source viewer for Portable Document Format (PDF) files. II. DESCRIPTION Remote exploitation of a buffer overflow vulnerability in the xpdf PDF viewer, as included in multiple Linux distributions, could allow attackers to execute arbitrary code as the user viewing a PDF file. The offending code can be found in the Gfx::doImage() function in the source file xpdf/Gfx.cc. void Gfx::doImage(Object *ref, Stream *str, GBool inlineImg) { Dict *dict; int width, height; int bits; GBool mask; GBool invert; GfxColorSpace *colorSpace; GfxImageColorMap *colorMap; Object maskObj; GBool haveMask; int maskColors[2*gfxColorMaxComps]; Object obj1, obj2; int i; ... // get the mask haveMask = gFalse; dict->lookup("Mask", &maskObj); if (maskObj.isArray()) { for (i = 0; i < maskObj.arrayGetLength(); ++i) { maskObj.arrayGet(i, &obj1); [!] maskColors[i] = obj1.getInt(); obj1.free(); } haveMask = gTrue; } ... } Due to the fact that the loop boundaries are not less than the storage area, the maskColors array is eventually filled up. After that, local variables and other stack memory is overwritten. This ultimately leads to control of program flow and arbitrary code execution. III. ANALYSIS The severity of this issue is mitigated by the fact that several of the local overwritten variables in doImage() are referenced prior to EIP being restored; therefore, before the attack gains control of the target process. However, an attacker with knowledge of the remote operating system can construct and validate a malicious payload before attempting exploitation, thus increasing the chances of success. An attacker must convince a target user to open the malicious file to exploit this vulnerability. IV. DETECTION iDEFENSE has confirmed the existence of this vulnerability in version 3.00 of xpdf. It is suspected previous versions are also vulnerable. The following Linux distributions are affected by this vulnerability: SUSE Linux Redhat Linux Fedora Linux Debian Linux Gentoo Linux FreeBSD (ports) OpenBSD V. WORKAROUND Only open PDF files from trusted individuals. VI. VENDOR RESPONSE A patch to address this vulnerability is available from: ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl2.patch Updated binaries (version 3.00pl2) are available from: http://www.foolabs.com/xpdf/download.html VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the names CAN-2004-1125 to these issues. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 11/23/2004 Initial vendor notification 11/29/2004 Initial vendor response 12/21/2004 Coordinated public disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp X. LEGAL NOTICES Copyright (c) 2004 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. koon@gentoo.org 2004-12-21 08:50:45 0000 The hideous security bug with multiple tentacles in other packages is back... printing : please bump xpdf using provided patch. koon@gentoo.org 2004-12-21 08:51:33 0000 Created an attachment (id=46548) xpdf-3.00pl2.patch patch from upstream, linked from iDEFENSE advisory carlo@gentoo.org 2004-12-21 08:52:20 0000 >The hideous security bug with multiple tentacles in other packages is back... You say it. :( lanius@gentoo.org 2004-12-24 05:34:33 0000 Bumped to -r7, stable on x86, ~alpha ~amd64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc vorlon@gentoo.org 2004-12-24 08:12:08 0000 arches, please test xpdf-3.00-r7 and mark stable if possible current KEYWORDS="~alpha ~amd64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc x86" target KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86" fmccor@gentoo.org 2004-12-24 14:58:29 0000 Sparc is done. kugelfang@gentoo.org 2004-12-25 09:29:22 0000 Stable on amd64. corsair@gentoo.org 2004-12-25 12:53:03 0000 stable on ppc64 kloeri@gentoo.org 2004-12-26 16:29:21 0000 Stable on alpha. sejo@gentoo.org 2004-12-27 00:31:40 0000 stable on ppc koon@gentoo.org 2004-12-28 05:09:14 0000 GLSA 200412-24 ia64, hppa : please mark gpdf stable to benefit from GLSA killerfox@gentoo.org 2005-06-26 05:19:15 0000 Already stable on hppa 46548 2004-12-21 08:51 0000 xpdf-3.00pl2.patch xpdf-3.00pl2.patch text/plain KioqIEdmeC5jYy5vcmlnCVN1biBEZWMgMTIgMTY6MDQ6NDMgMjAwNAotLS0gR2Z4LmNjCVN1biBE ZWMgMTIgMTY6MDU6MTYgMjAwNAoqKioqKioqKioqKioqKioKKioqIDI2NTQsMjY2MCAqKioqCiAg ICAgIGhhdmVNYXNrID0gZ0ZhbHNlOwogICAgICBkaWN0LT5sb29rdXAoIk1hc2siLCAmbWFza09i aik7CiAgICAgIGlmIChtYXNrT2JqLmlzQXJyYXkoKSkgewohICAgICAgIGZvciAoaSA9IDA7IGkg PCBtYXNrT2JqLmFycmF5R2V0TGVuZ3RoKCk7ICsraSkgewogIAltYXNrT2JqLmFycmF5R2V0KGks ICZvYmoxKTsKICAJbWFza0NvbG9yc1tpXSA9IG9iajEuZ2V0SW50KCk7CiAgCW9iajEuZnJlZSgp OwotLS0gMjY1NCwyNjYyIC0tLS0KICAgICAgaGF2ZU1hc2sgPSBnRmFsc2U7CiAgICAgIGRpY3Qt Pmxvb2t1cCgiTWFzayIsICZtYXNrT2JqKTsKICAgICAgaWYgKG1hc2tPYmouaXNBcnJheSgpKSB7 CiEgICAgICAgZm9yIChpID0gMDsKISAJICAgaSA8IG1hc2tPYmouYXJyYXlHZXRMZW5ndGgoKSAm JiBpIDwgMipnZnhDb2xvck1heENvbXBzOwohIAkgICArK2kpIHsKICAJbWFza09iai5hcnJheUdl dChpLCAmb2JqMSk7CiAgCW1hc2tDb2xvcnNbaV0gPSBvYmoxLmdldEludCgpOwogIAlvYmoxLmZy ZWUoKTsKKioqIEdmeFN0YXRlLmNjLm9yaWcJU3VuIERlYyAxMiAxNjowNDo0OCAyMDA0Ci0tLSBH ZnhTdGF0ZS5jYwlTdW4gRGVjIDEyIDE2OjA2OjM4IDIwMDQKKioqKioqKioqKioqKioqCioqKiA3 MDgsNzEzICoqKioKLS0tIDcwOCw3MTggLS0tLQogICAgfQogICAgbkNvbXBzQSA9IG9iajIuZ2V0 SW50KCk7CiAgICBvYmoyLmZyZWUoKTsKKyAgIGlmIChuQ29tcHNBID4gZ2Z4Q29sb3JNYXhDb21w cykgeworICAgICBlcnJvcigtMSwgIklDQ0Jhc2VkIGNvbG9yIHNwYWNlIHdpdGggdG9vIG1hbnkg KCVkID4gJWQpIGNvbXBvbmVudHMiLAorIAkgIG5Db21wc0EsIGdmeENvbG9yTWF4Q29tcHMpOwor ICAgICBuQ29tcHNBID0gZ2Z4Q29sb3JNYXhDb21wczsKKyAgIH0KICAgIGlmIChkaWN0LT5sb29r dXAoIkFsdGVybmF0ZSIsICZvYmoyKS0+aXNOdWxsKCkgfHwKICAgICAgICAhKGFsdEEgPSBHZnhD b2xvclNwYWNlOjpwYXJzZSgmb2JqMikpKSB7CiAgICAgIHN3aXRjaCAobkNvbXBzQSkgewoqKioq KioqKioqKioqKioKKioqIDEwNTQsMTA2MCAqKioqCiAgICB9CiAgICBuQ29tcHNBID0gb2JqMS5h cnJheUdldExlbmd0aCgpOwogICAgaWYgKG5Db21wc0EgPiBnZnhDb2xvck1heENvbXBzKSB7CiEg ICAgIGVycm9yKC0xLCAiRGV2aWNlTiBjb2xvciBzcGFjZSB3aXRoIG1vcmUgdGhhbiAlZCA+ICVk IGNvbXBvbmVudHMiLAogIAkgIG5Db21wc0EsIGdmeENvbG9yTWF4Q29tcHMpOwogICAgICBuQ29t cHNBID0gZ2Z4Q29sb3JNYXhDb21wczsKICAgIH0KLS0tIDEwNTksMTA2NSAtLS0tCiAgICB9CiAg ICBuQ29tcHNBID0gb2JqMS5hcnJheUdldExlbmd0aCgpOwogICAgaWYgKG5Db21wc0EgPiBnZnhD b2xvck1heENvbXBzKSB7CiEgICAgIGVycm9yKC0xLCAiRGV2aWNlTiBjb2xvciBzcGFjZSB3aXRo IHRvbyBtYW55ICglZCA+ICVkKSBjb21wb25lbnRzIiwKICAJICBuQ29tcHNBLCBnZnhDb2xvck1h eENvbXBzKTsKICAgICAgbkNvbXBzQSA9IGdmeENvbG9yTWF4Q29tcHM7CiAgICB9Cg==