Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <AANLkTimFDaP1ZDrpfkMtRpYSFmdi7tMNP00R0ZXADQE9@mail.gmail.com>
Date: Thu, 20 Jan 2011 18:15:49 -0500
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: xpdf

I identified two issues in xpdf.  I don't think the first requires a
CVE, since it's incredibly unlikely to be exploitable, but I include
it here in case someone disagrees.

1. Due to an integer overflow when parsing CharCodes for fonts and a
failure to check the return value of a memory allocation, it is
possible to trigger writes to a narrow range of offsets from a NULL
pointer.  The chance of being able to exploit this for anything other
than a crash is very remote: on x86 32-bit, there's no chance (since
the write occurs between 0xffffffc4 and 0xfffffffc).  At least the
write lands in valid userspace on x86-64, but in my testing this
memory is never mapped.  Fixed in poppler commit at [1], hopefully
fixed soon at xpdf upstream.

2. Malformed commands may cause corruption of the internal stack used
to maintain graphics contexts, leading to potentially exploitable
memory corruption.  Fixed in poppler commit at [2], hopefully fixed
soon at xpdf upstream.

-Dan

[1] http://cgit.freedesktop.org/poppler/poppler/commit/?id=cad66a7d25abdb6aa15f3aa94a35737b119b2659
[2] http://cgit.freedesktop.org/poppler/poppler/commit/?id=8284008aa8230a92ba08d547864353d3290e9bf9

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.