
Bug 290430

Summary: app-text/poppler < 0.12.1 OR app-text/xpdf < 3.02pl4: Xpdf Multiple Integer Overflow Vulnerabilities (CVE-2009-{3603,3604,3606,3607,3608,3609})
Product: Gentoo Security
Reporter: Dawoud <d.s.j.birch>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: asolokha, esigra, pacho, yngwin
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 290464, 290470
Bug Blocks:

Description Dawoud 2009-10-25 07:34:56 UTC
Both projects are vulnerable to an integer overflow during heap memory allocation when processing a PDF file. In general, this results in unexpected process termination. If an application using this code is multi-threaded (or uses a crash signal handler), it may be possible to execute arbitrary code.

Reproducible: Didn't try

Steps to Reproduce:
A specially crafted pdf file would produce the problem. I am trying to get one (I dunno how to make it myself) from the author of the original alert.

ocert-2009-016 (www.ocert.org)

#2009-016 Poppler, xpdf integer overflow during heap allocation

Description:

Poppler and Xpdf are two popular open source projects for processing PDF files. Both projects are vulnerable to an integer overflow during heap memory allocation when processing a PDF file. In general, this results in unexpected process termination. If an application using this code is multi-threaded (or uses a crash signal handler), it may be possible to execute arbitrary code.

The vulnerability resides in the object stream handler. In particular, a multiplicative overflow occurs when a large number of embedded objects are specified. An overflow check was in place in the code, but it only protected related calls to gmalloc(). The C++ object array allocation code (new[]) is not guarded by the upper bound check and the call to new[] does not result in an exception with gcc (http://gcc.gnu.org/bugzilla/show_bug.cgi?id=19351). This results in bytes being written after the valid heap allocation during object construction.

Both software packages have released fixed versions which limit the allowed object count to a domain specific value.

A detailed analysis has been made available by the reporter (http://sites.google.com/site/em386cr/Home/CVE-2009-3608-explained.txt).
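The allocation pattern the advisory describes, as an added example that is not Poppler or Xpdf code: an object count taken from the file sizes both a C-style buffer (the gmalloc() side) and a C++ new[] array, and the fix is a single bound check, including a domain-specific ceiling of the kind the fixed releases introduced, applied before either allocation. The Object type, the ObjectStreamBuf layout and the value of kMaxObjectsPerStream are assumptions chosen for this example.

```cpp
#include <climits>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <new>

struct Object { int type; Object() : type(0) {} };  // stand-in for the parser's object type (constructed)

// Domain-specific ceiling of the kind the fixed releases introduced. The value is an
// assumption for this example, not the limit Poppler or Xpdf actually use.
static const int kMaxObjectsPerStream = 1000000;

// True only when nObjects is positive, within the ceiling, and small enough that
// neither nObjects * sizeof(int) nor nObjects * sizeof(Object) can wrap in size_t.
bool objectCountIsSafe(int nObjects) {
    if (nObjects <= 0 || nObjects > kMaxObjectsPerStream) return false;
    const size_t n = static_cast<size_t>(nObjects);
    if (n > SIZE_MAX / sizeof(int)) return false;
    if (n > SIZE_MAX / sizeof(Object)) return false;
    return true;
}

struct ObjectStreamBuf {
    int nObjects;
    int *offsets;   // C-style buffer (the gmalloc() side in the original)
    Object *objs;   // C++ array (the new[] side the original check did not cover)
};

// One check gates both allocations, so the count can never reach new[] unchecked.
// Returns false and leaves the buffer empty when the count is rejected.
bool allocObjectStream(ObjectStreamBuf &buf, int nObjects) {
    buf.nObjects = 0; buf.offsets = nullptr; buf.objs = nullptr;
    if (!objectCountIsSafe(nObjects)) return false;
    buf.offsets = static_cast<int *>(std::malloc(static_cast<size_t>(nObjects) * sizeof(int)));
    if (!buf.offsets) return false;
    // Newer compilers throw std::bad_array_new_length on an overflowing new[] size;
    // the explicit check above makes the result independent of that compiler behaviour.
    buf.objs = new (std::nothrow) Object[nObjects];
    if (!buf.objs) { std::free(buf.offsets); buf.offsets = nullptr; return false; }
    buf.nObjects = nObjects;
    return true;
}

void freeObjectStream(ObjectStreamBuf &buf) {
    delete[] buf.objs; std::free(buf.offsets);
    buf.objs = nullptr; buf.offsets = nullptr; buf.nObjects = 0;
}
```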
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-25 15:18:15 UTC
CVE-2009-3603 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3603):
  Integer overflow in the SplashBitmap::SplashBitmap function in Xpdf
  3.x before 3.02pl4 and Poppler before 0.12.1 might allow remote
  attackers to execute arbitrary code via a crafted PDF document that
  triggers a heap-based buffer overflow.  NOTE: some of these details
  are obtained from third party information.  NOTE: this issue
  reportedly exists because of an incomplete fix for CVE-2009-1188.

CVE-2009-3604 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3604):
  The Splash::drawImage function in Splash.cc in Xpdf 2.x and 3.x
  before 3.02pl4, and Poppler 0.x, as used in GPdf and kdegraphics
  KPDF, does not properly allocate memory, which allows remote
  attackers to cause a denial of service (application crash) or
  possibly execute arbitrary code via a crafted PDF document that
  triggers a NULL pointer dereference or a heap-based buffer overflow.

CVE-2009-3606 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3606):
  Integer overflow in the PSOutputDev::doImageL1Sep function in Xpdf
  before 3.02pl4, and Poppler 0.x, as used in kdegraphics KPDF, might
  allow remote attackers to execute arbitrary code via a crafted PDF
  document that triggers a heap-based buffer overflow.

CVE-2009-3607 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3607):
  Integer overflow in the create_surface_from_thumbnail_data function
  in glib/poppler-page.cc in Poppler 0.x allows remote attackers to
  cause a denial of service (memory corruption) or possibly execute
  arbitrary code via a crafted PDF document that triggers a heap-based
  buffer overflow.  NOTE: some of these details are obtained from third
  party information.

CVE-2009-3608 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3608):
  Integer overflow in the ObjectStream::ObjectStream function in
  XRef.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used
  in GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow
  remote attackers to execute arbitrary code via a crafted PDF document
  that triggers a heap-based buffer overflow.

CVE-2009-3609 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3609):
  Integer overflow in the ImageStream::ImageStream function in
  Stream.cc in Xpdf before 3.02pl4 and Poppler before 0.12.1, as used
  in GPdf, kdegraphics KPDF, and CUPS pdftops, allows remote attackers
  to cause a denial of service (application crash) via a crafted PDF
  document that triggers a NULL pointer dereference or buffer over-read.

Comment 2 Arseny Solokha 2009-12-01 12:45:19 UTC
Poppler 0.12.2 was released on November 18th, 2009. It fixes at least CVE-2009-3607. Please let me know if I should file a separate bug (enhancement, because it's a version bump request, after all) on it.
Comment 3 Ben de Groot (RETIRED) gentoo-dev 2010-01-15 22:56:24 UTC
I committed 0.12.3. Does that fix all remaining issues?
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2012-01-27 21:23:45 UTC
poppler < 0.12.1 is already long gone from the tree

not sure about our xpdf patchlevel but I just masked it and sent out the lastriting e-mail ("unmaintainable mess, no real maintainer").
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2012-02-28 20:44:33 UTC
(In reply to comment #4)
> poppler < 0.12.1 is already long gone from the tree
> 
> not sure about our xpdf patchlevel but I just masked it and sent out the
> lastriting e-mail ("unmaintainable mess, no real maintainer").

And now xpdf is also gone from the portage tree.
Comment 6 Andreas K. Hüttel archtester gentoo-dev 2013-03-16 11:43:48 UTC
Will anyone still read this GLSA if it ever comes out? Come on, stable is poppler-0.20 by now.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-10-06 16:08:27 UTC
This issue was resolved and addressed in
 GLSA 201310-03 at http://security.gentoo.org/glsa/glsa-201310-03.xml
by GLSA coordinator Sean Amoss (ackle).