oss-security February 2011 archive

Re: [oss-security] CVE request: xpdf

From: Thomas Biege <thomas_at_nospam>
Date: Tue Feb 08 2011 - 11:15:41 GMT
To: oss-security@lists.openwall.com

On Tuesday 08 February 2011 11:54:16 Thomas Biege wrote:
>
> Should CVE-IDs be assigned to these issues?

Sorry, I missed Josh's mail.

>
> On Friday 21 January 2011 00:15:49 Dan Rosenberg wrote:
> > I identified two issues in xpdf. I don't think the first requires a
> > CVE, since it's incredibly unlikely to be exploitable, but I include
> > it here in case someone disagrees.
> >
> > 1. Due to an integer overflow when parsing CharCodes for fonts and a
> > failure to check the return value of a memory allocation, it is
> > possible to trigger writes to a narrow range of offsets from a NULL
> > pointer. The chance of being able to exploit this for anything other
> > than a crash is very remote: on x86 32-bit, there's no chance (since
> > the write occurs between 0xffffffc4 and 0xfffffffc). At least the
> > write lands in valid userspace on x86-64, but in my testing this
> > memory is never mapped. Fixed in poppler commit at [1], hopefully
> > fixed soon at xpdf upstream.
> >
> > 2. Malformed commands may cause corruption of the internal stack used
> > to maintain graphics contexts, leading to potentially exploitable
> > memory corruption. Fixed in poppler commit at [2], hopefully fixed
> > soon at xpdf upstream.
> >
> > -Dan
> >
> > [1] http://cgit.freedesktop.org/poppler/poppler/commit/?id=cad66a7d25abdb6aa15f3aa94a35737b119b2659
> > [2] http://cgit.freedesktop.org/poppler/poppler/commit/?id=8284008aa8230a92ba08d547864353d3290e9bf9
> >
>
>

-- 
Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support & Auditing
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
-- 
Whoever stops wanting to get better stops being good. -- Marie von Ebner-Eschenbach
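An added example to go with Dan's first point above, written for this archive page and not taken from xpdf or poppler: the "32-bit size arithmetic wraps, malloc() result is never checked, fill loop stores at NULL plus a small offset" pattern, next to a hardened parser that bounds the count, guards the multiplication and checks the allocation. The blob layout (4-byte count followed by 4-byte codes), the MAX_CHAR_CODES limit and every function name are invented for illustration; the address helper only shows the arithmetic behind the 0xffffffc4..0xfffffffc range Dan quotes for a 32-bit target and makes no claim about how xpdf indexes its table.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical blob layout (not xpdf's): a 4-byte little-endian count
 * followed by that many 4-byte character codes. */
#define MAX_CHAR_CODES 65536u   /* assumed sane upper bound for one font */

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VULNERABLE pattern: the byte count is computed in 32 bits, so it wraps
 * (count 0x40000001 -> 4 bytes, count 0xffffffff -> 0xfffffffc bytes).
 * A wrapped-small request gives a table far too short for the loop that
 * fills it; a wrapped-huge request makes malloc() fail, and when that
 * NULL is never checked the fill loop stores at NULL + small offset.
 * Only the size arithmetic is reproduced here; no store is performed. */
uint32_t vuln_table_bytes(uint32_t n_codes)
{
    return n_codes * (uint32_t)sizeof(uint32_t);
}

/* Where a 4-byte store at index idx of a table based at NULL lands on a
 * 32-bit target (plain arithmetic, not a claim about xpdf's indexing):
 * idx -15 -> 0xffffffc4, idx -1 -> 0xfffffffc. */
uint32_t null_base_store_addr32(int32_t idx)
{
    return (uint32_t)((int64_t)idx * 4);
}

/* HARDENED parse: bound the count, guard the multiplication, make sure
 * the blob really carries n entries, and check malloc() before indexing.
 * Returns the number of codes parsed and sets *out (caller frees), or
 * returns -1 with *out == NULL on malformed input or allocation failure. */
int parse_char_codes(const uint8_t *buf, size_t len, uint32_t **out)
{
    *out = NULL;
    if (len < 4)
        return -1;
    uint32_t n = rd32le(buf);
    if (n > MAX_CHAR_CODES)                     /* reject absurd counts */
        return -1;
    if (n > SIZE_MAX / sizeof(uint32_t))        /* general overflow guard */
        return -1;
    size_t need = (size_t)n * sizeof(uint32_t);
    if (len - 4 < need)                         /* truncated blob */
        return -1;
    uint32_t *codes = malloc(need ? need : 1);  /* avoid malloc(0) ambiguity */
    if (codes == NULL)                          /* never index a failed allocation */
        return -1;
    for (uint32_t i = 0; i < n; i++)
        codes[i] = rd32le(buf + 4 + (size_t)i * 4);
    *out = codes;
    return (int)n;
}

/* Constructed sample blobs (not real font data). */
static const uint8_t good_blob[] = {
    3, 0, 0, 0,               /* count = 3 */
    0x41, 0, 0, 0,            /* 'A' */
    0x42, 0, 0, 0,            /* 'B' */
    0x43, 0, 0, 0             /* 'C' */
};
static const uint8_t evil_blob[] = {
    0x01, 0x00, 0x00, 0x40,   /* count = 0x40000001, wraps to 4 bytes in 32-bit math */
    0x41, 0, 0, 0
};

int main(void)
{
    uint32_t *codes = NULL;
    int n = parse_char_codes(good_blob, sizeof good_blob, &codes);
    printf("good blob: %d codes, first 0x%x\n", n, n > 0 ? codes[0] : 0);
    free(codes);

    printf("32-bit size for count 0x40000001: %u bytes\n",
           vuln_table_bytes(0x40000001u));
    printf("NULL-based store at index -15 on 32-bit: 0x%08x\n",
           null_base_store_addr32(-15));

    n = parse_char_codes(evil_blob, sizeof evil_blob, &codes);
    printf("evil blob: hardened parser returned %d\n", n);
    return 0;
}
```

The bound check alone already rejects the wrapped count; the SIZE_MAX guard is kept as the general form a reviewer expects when no natural upper limit exists, and the truncation check matters independently, since a count that is small enough to allocate can still exceed what the input carries.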