Home page logo

oss-sec logo oss-sec mailing list archives

Re: CVE request: xpdf
From: Thomas Biege <thomas () suse de>
Date: Tue, 8 Feb 2011 12:15:41 +0100

Am Dienstag 08 Februar 2011 11:54:16 schrieb Thomas Biege:

Should CVE-IDs be assigned to this issues?

Sorry, I missed Josh'd mail.

Am Freitag 21 Januar 2011 00:15:49 schrieb Dan Rosenberg:
I identified two issues in xpdf.  I don't think the first requires a
CVE, since it's incredibly unlikely to be exploitable, but I include
it here in case someone disagrees.

1. Due to an integer overflow when parsing CharCodes for fonts and a
failure to check the return value of a memory allocation, it is
possible to trigger writes to a narrow range of offsets from a NULL
pointer.  The chance of being able to exploit this for anything other
than a crash is very remote: on x86 32-bit, there's no chance (since
the write occurs between 0xffffffc4 and 0xfffffffc).  At least the
write lands in valid userspace on x86-64, but in my testing this
memory is never mapped.  Fixed in poppler commit at [1], hopefully
fixed soon at xpdf upstream.

2. Malformed commands may cause corruption of the internal stack used
to maintain graphics contexts, leading to potentially exploitable
memory corruption.  Fixed in poppler commit at [2], hopefully fixed
soon at xpdf upstream.


[1] http://cgit.freedesktop.org/poppler/poppler/commit/?id=cad66a7d25abdb6aa15f3aa94a35737b119b2659
[2] http://cgit.freedesktop.org/poppler/poppler/commit/?id=8284008aa8230a92ba08d547864353d3290e9bf9

 Thomas Biege <thomas () suse de>, SUSE LINUX, Security Support & Auditing
 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
  Wer aufhoert besser werden zu wollen, hoert auf gut zu sein.
                            -- Marie von Ebner-Eschenbach

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]