oss-sec mailing list archives
Re: CVE request: xpdf
From: Thomas Biege <thomas () suse de>
Date: Tue, 8 Feb 2011 11:54:16 +0100
Should CVE-IDs be assigned to this issues? Am Freitag 21 Januar 2011 00:15:49 schrieb Dan Rosenberg:
I identified two issues in xpdf. I don't think the first requires a CVE, since it's incredibly unlikely to be exploitable, but I include it here in case someone disagrees. 1. Due to an integer overflow when parsing CharCodes for fonts and a failure to check the return value of a memory allocation, it is possible to trigger writes to a narrow range of offsets from a NULL pointer. The chance of being able to exploit this for anything other than a crash is very remote: on x86 32-bit, there's no chance (since the write occurs between 0xffffffc4 and 0xfffffffc). At least the write lands in valid userspace on x86-64, but in my testing this memory is never mapped. Fixed in poppler commit at [1], hopefully fixed soon at xpdf upstream. 2. Malformed commands may cause corruption of the internal stack used to maintain graphics contexts, leading to potentially exploitable memory corruption. Fixed in poppler commit at [2], hopefully fixed soon at xpdf upstream. -Dan [1] http://cgit.freedesktop.org/poppler/poppler/commit/?id=cad66a7d25abdb6aa15f3aa94a35737b119b2659 [2] http://cgit.freedesktop.org/poppler/poppler/commit/?id=8284008aa8230a92ba08d547864353d3290e9bf9
-- Thomas Biege <thomas () suse de>, SUSE LINUX, Security Support & Auditing SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) -- Wer aufhoert besser werden zu wollen, hoert auf gut zu sein. -- Marie von Ebner-Eschenbach
Current thread:
- CVE request: xpdf Dan Rosenberg (Jan 20)
- Re: CVE request: xpdf Josh Bressers (Jan 24)
- Re: CVE request: xpdf Michael Gilbert (Feb 01)
- Re: CVE request: xpdf Thomas Biege (Feb 08)
- Re: CVE request: xpdf Tomas Hoger (Feb 08)
- Re: CVE request: xpdf Thomas Biege (Feb 08)