Re: CVE Request: poppler 0.22.1 security fixes

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/27/2013 06:24 AM, Marcus Meissner wrote:
> Hi,
>
> poppler 0.22.1 was released without much ado, it however contains
> various security fixes.
>
> The security fixes apparently come from AdressSanitizer work and
> fuzzing provided by the Google Security Team.
>
> The page: http://j00ru.vexillium.org/?p=1507
>
> explains most of it, and while it focuses on Adobe Acrobat Reader,
> they also covered poppler testing inside.

Ok so these issues were found and processed by a team of people at
Google (gratzi!) and Red Hat (booyah!) so for the purposes of CVE I'm
considering the team to be a single team (which makes CVE assignment
much easier =).

> So far I see: 
> http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.22&id=8b6dc55e530b2f5ede6b9dfb64aafdd1d5836492
Fix invalid memory access in 1150.pdf.asan.8.69
> http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.22&id=e14b6e9c13d35c9bd1e0c50906ace8e707816888
Fix invalid memory access in 2030.pdf.asan.69.463
> http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.22&id=0388837f01bc467045164f9ddaff787000a8caaa
Fix another invalid memory access in 1091.pdf.asan.72.42
> http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.22&id=957aa252912cde85d76c41e9710b33425a82b696
Fix invalid memory accesses in 1091.pdf.asan.72.42
> http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.22&id=bbc2d8918fe234b7ef2c480eb148943922cc0959
Fix invalid memory accesses in 1036.pdf.asan.23.17

Please use CVE-2013-1788 for these invalid memory issues.

> http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.22&id=a9b8ab4657dec65b8b86c225d12c533ad7e984e2
Fix crash in broken file 1031.pdf.asan.48.15
> http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.22&id=a205e71a2dbe0c8d4f4905a76a3f79ec522eacec
Do not crash in broken documents like 1007.pdf.asan.48.4

Please use CVE-2013-1788 for these crash issues.


> http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.22&id=b1026b5978c385328f2a15a2185c599a563edf91
Initialize refLine totally
> Fixes uninitialized memory read in 1004.pdf.asan.7.3

Please use CVE-2013-1790 for this uninitialized memory read issue.

> As the blog page mentions "Huzaifa Sidhpurwala from RedHat
> Security", perhaps Redhat has assigned CVEs already.

Nope, although hopefully in future we'll coordinate CVEs better before
hand.

> Otherwise one ore more CVEs are required.

Yup.

> Ciao, Marcus


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRLtF8AAoJEBYNRVNeJnmTh/YP/jmwGLJ0IS8rTTmRhRXw8yYX
McSfWbdn4WJO3zeELgpmUJue0qfsFF66iXKUoVRfvpvoT5EtDWPp02Wubkd26Z77
DCsWJ2AYwvbwZNfnrAbP/sSnNu7W1HEQUIEcsLuoffbw9ZONMuWF1EOgZ6JZKvsB
cHQjg1fzXXqPGaNSU5QEkIhVzZrEm8vAhHai0sEgKDYGGIjX4QKefiYdrzKCnCZa
yV9qUb7knv9qqNB0iyE625cmqaoskdjdyaqDNFjSDzpeYKB9I/iQYvvD4dyw/dhM
JIx1MwfZXX9C69KXxCLrQuwgSXgi/HmuDdIdnuoTdZIsk9UO5jzkIkWOIbVsc1Eo
C7SWxmBvS7DoHgH7jLpo7BlxmuDRupbdeOxLPfyJzu/bdYaeeusCOGRcaMXVB0/C
H/inAQVn5m1cAR1YEp76ZpqG9E/VMHcdC3cO+KDDMitPeMY5LVSN/IRPgCGDf/hB
MZyToi0YrFg5t4U7M/2CKhumK7ivwjPg7kKnWSwBsYt6ECsSknRAsWqEuMVc1PmK
E31or9K4qe/f4igQ0Xm7r5/sZhB3oTVHvGb7+yTIGUaWJXEGRazFVPxk7lryUroY
SNrSXFkKyCRO6nNvp+De0+xL/fyQfq0NZIK671gbR9i24GXLhIgO75v1GQFrbhJ6
2nWKQJCoJhxRF3mn/3et
=MQpu
-----END PGP SIGNATURE-----