Message-ID: <20101001151648.743c6993@redhat.com>
Date: Fri, 1 Oct 2010 15:16:48 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE requests: Poppler, Quassel, Pyfribidi,
 Overkill, DocUtils, FireGPG, Wireshark

On Wed, 29 Sep 2010 15:06:31 -0400 (EDT) Josh Bressers wrote:

> > 1. Poppler (might also affect xpdf and kpdf due to code heritage,
> > not determined yet)
> > http://secunia.com/advisories/41596/
> > -> Links to poppler git commits are given in the Secunia link
> 
> This needs to be properly understood. I'm not assigning IDs until
> someone does a proper triage.

e853106b58 is an uninitialized pointer use flaw.  Pointer value may be
controlled by PDF content, hence if pointed to attacker-controlled
memory, code execution may be possible via virtual method call.  This
should date back to very old xpdf versions.

bf2055088a seems similar to the above one.  Pointer is to a class
that has no virtual methods, but may be used to corrupt memory.  This
should only affect poppler versions after b1d4efb082.

39d140bfc0 is an array indexing error / underflow.  On platforms where
atoi can return a negative result, this can allow an out-of-array-bounds
write.  Code appears in old xpdf versions too.

There are a few that don't seem worth calling security:
- memory leaks - 473de6f88a c6a0915127
- NULL deref - 3422638b2a
- infinite/deep recursion - d2578bd661
- OOB read - 26a5817ffe + 9706e28657

I'm not yet sure about these:

2fe825deac Prevents use of a random value for a PDF object that is not of
the numeric type as expected.  This patch, however, does not seem to guard
against invalid numeric values, so if some random value used due to an
incorrect object type can cause a crash later, I'd expect a malicious
numeric value to be able to achieve the same.

dfdf3602bd Similar to the previous, commit message here does not
explicitly mention this addresses any crash.

a2dab0238a Commit message does not indicate this should address any
crash.  getPos seems mostly used for error reporting.

Does anyone have any different findings?

-- 
Tomas Hoger / Red Hat Security Response Team
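An added illustration of the bug class behind the third item in the message above (a signed index obtained from atoi slipping past an upper-bound-only check). This is constructed example code, not poppler's code and not the content of commit 39d140bfc0; the names buggy_check_would_escape, checked_index, set_slot and SLOTS are hypothetical. The buggy variant only reports whether the guarded write would land outside the array, it never performs it; the hardened variant parses with strtol, rejects junk and out-of-range input, and returns an index that cannot be negative.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define SLOTS 8   /* constructed table size for the illustration */

/* Buggy pattern (constructed): the upper-bound check exists, but `idx` is
 * a signed int and atoi() may return a negative number on inputs such as
 * "-3".  A negative index passes `idx >= SLOTS`, so the write would land
 * before the start of the table.  This function only reports whether the
 * guard would be bypassed; it performs no write.  Returns 1 when the
 * value passes the original guard yet is out of bounds, 0 otherwise. */
int buggy_check_would_escape(const char *field)
{
    int idx = atoi(field);          /* "abc" -> 0, "-3" -> -3, huge -> UB */
    if (idx >= SLOTS)
        return 0;                   /* caught by the original guard */
    return idx < 0;                 /* negative: guard bypassed */
}

/* Hardened parser: strtol with full validation, explicit checks on both
 * ends of the range.  Returns the index (0 <= idx < nslots) on success,
 * or -1 if the field is empty, has trailing junk, overflows, is negative
 * or is too large. */
long checked_index(const char *field, size_t nslots)
{
    char *end;
    errno = 0;
    long v = strtol(field, &end, 10);
    if (end == field || *end != '\0')   /* no digits, or trailing junk */
        return -1;
    if (errno == ERANGE)                /* saturated at LONG_MIN/LONG_MAX */
        return -1;
    if (v < 0 || (size_t)v >= nslots)   /* both bounds, not just the top */
        return -1;
    return v;
}

/* Guarded write using the hardened parser.  Returns 0 on success, -1 if
 * the index was rejected (nothing is written in that case). */
int set_slot(int *table, size_t nslots, const char *field, int value)
{
    long idx = checked_index(field, nslots);
    if (idx < 0)
        return -1;
    table[idx] = value;
    return 0;
}

int main(void)
{
    int table[SLOTS] = {0};
    /* constructed sample inputs as they might come from an untrusted file */
    const char *inputs[] = {"3", "-3", "8", "12abc", ""};
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        int escapes = buggy_check_would_escape(inputs[i]);
        int rc = set_slot(table, SLOTS, inputs[i], 1);
        printf("input=\"%s\" bypasses-old-guard=%d hardened=%s\n",
               inputs[i], escapes, rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

Compiling and running the block prints one line per constructed input; only "3" is accepted by the hardened path, while "-3" is the case that would have bypassed the old guard. The same two-sided check (sign and upper bound, or an unsigned index type) is the general fix for any index derived from atoi or a similar unchecked conversion.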
