oss-sec mailing list archives
Re: CVE request: xpdf
From: Josh Bressers <bressers () redhat com>
Date: Mon, 24 Jan 2011 13:32:11 -0500 (EST)
----- Original Message -----
> I identified two issues in xpdf. I don't think the first requires a CVE, since it's incredibly unlikely to be exploitable, but I include it here in case someone disagrees.
>
> 1. Due to an integer overflow when parsing CharCodes for fonts and a failure to check the return value of a memory allocation, it is possible to trigger writes to a narrow range of offsets from a NULL pointer. The chance of being able to exploit this for anything other than a crash is very remote: on x86 32-bit, there's no chance (since the write occurs between 0xffffffc4 and 0xfffffffc). At least the write lands in valid userspace on x86-64, but in my testing this memory is never mapped. Fixed in poppler commit at [1], hopefully fixed soon at xpdf upstream.

I'm going to give this an ID. Better safe than sorry. CVE-2010-4653

> 2. Malformed commands may cause corruption of the internal stack used to maintain graphics contexts, leading to potentially exploitable memory corruption. Fixed in poppler commit at [2], hopefully fixed soon at xpdf upstream.

CVE-2010-4654

> [1] http://cgit.freedesktop.org/poppler/poppler/commit/?id=cad66a7d25abdb6aa15f3aa94a35737b119b2659
> [2] http://cgit.freedesktop.org/poppler/poppler/commit/?id=8284008aa8230a92ba08d547864353d3290e9bf9

Thanks. -- JB
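As an added illustration of the two defect classes described in the quoted report (this is not xpdf or poppler code, and it does not reproduce either fix; every name, the code cap and the stack depth below are invented for the example), here is a defensive C sketch: an allocation whose element count is multiplied with an overflow check and whose result is tested before any indexed store, and a bounded graphics-state stack that refuses unbalanced save/restore operators instead of walking past its ends.

```c
/* Added example, not from the xpdf/poppler source. All identifiers and
 * limits here are assumptions made for illustration. */
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* ---- Issue 1 class: overflowed size + unchecked allocation ----
 * count * elem can wrap to a small value; if the allocation then fails
 * and the NULL result is used anyway, table[i] becomes a store at
 * NULL + i * elem. Both checks below close that path. */

/* Multiply a * b into *out; return 0 if the product would overflow. */
static int checked_mul(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* Allocate n elements of elem bytes; NULL on overflow, zero size or OOM. */
void *checked_alloc_array(size_t n, size_t elem) {
    size_t bytes;
    if (!checked_mul(n, elem, &bytes) || bytes == 0) return NULL;
    return calloc(1, bytes);
}

#define MAX_CHAR_CODE 0xFFFF   /* example cap, an assumption, not a spec value */

/* Build an identity code->glyph table for codes 0..max_code. max_code is
 * a long because a parser reads it from untrusted input; it is bounded
 * before (max_code + 1) is ever computed. Returns NULL on any rejection. */
int *build_code_table(long max_code) {
    if (max_code < 0 || max_code > MAX_CHAR_CODE) return NULL;
    size_t count = (size_t)max_code + 1;
    int *table = checked_alloc_array(count, sizeof(int));
    if (table == NULL) return NULL;        /* never index a failed allocation */
    for (size_t i = 0; i < count; i++) table[i] = (int)i;
    return table;
}

/* ---- Issue 2 class: graphics-context stack driven by stream operators ----
 * Save/restore operators push and pop contexts. A malformed stream that
 * restores more than it saved, or saves without limit, must be rejected. */
#define GSTATE_MAX 32          /* example depth limit (assumption) */

typedef struct { double line_width; } GState;

typedef struct {
    GState stack[GSTATE_MAX];
    int    depth;              /* number of saved states currently on the stack */
    GState cur;
} Renderer;

int gsave(Renderer *r) {
    if (r->depth >= GSTATE_MAX) return 0;  /* refuse rather than overflow */
    r->stack[r->depth++] = r->cur;
    return 1;
}

int grestore(Renderer *r) {
    if (r->depth <= 0) return 0;           /* unbalanced restore: refuse */
    r->cur = r->stack[--r->depth];
    return 1;
}

/* Interpret a constructed operator string: 'q' saves, 'Q' restores,
 * 'w' sets line width to 2.0. Returns how many operators were rejected. */
int run_ops(Renderer *r, const char *ops) {
    int rejected = 0;
    memset(r, 0, sizeof *r);
    r->cur.line_width = 1.0;
    for (const char *p = ops; *p; p++) {
        switch (*p) {
        case 'q': if (!gsave(r)) rejected++; break;
        case 'Q': if (!grestore(r)) rejected++; break;
        case 'w': r->cur.line_width = 2.0; break;
        default: break;                    /* unknown operator: ignored here */
        }
    }
    return rejected;
}

int main(void) {
    Renderer r;
    int *t = build_code_table(255);
    printf("table(255): %s\n", t ? "ok" : "rejected");
    printf("table(-1): %s\n", build_code_table(-1) ? "ok" : "rejected");
    printf("\"qwQ\" rejected ops: %d\n", run_ops(&r, "qwQ"));
    printf("\"QQq\" rejected ops: %d\n", run_ops(&r, "QQq"));
    free(t);
    return 0;
}
```

The two checks are deliberately separate: the overflow guard stops the undersized request from ever reaching the allocator, and the NULL test covers the ordinary out-of-memory case that the guard does not; either one alone leaves a path to the NULL-plus-offset store the report describes.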
Current thread:
- CVE request: xpdf Dan Rosenberg (Jan 20)
- Re: CVE request: xpdf Josh Bressers (Jan 24)
- Re: CVE request: xpdf Michael Gilbert (Feb 01)
- Re: CVE request: xpdf Thomas Biege (Feb 08)
- Re: CVE request: xpdf Tomas Hoger (Feb 08)
- Re: CVE request: xpdf Thomas Biege (Feb 08)