Re: CVE request: xpdf

[Thomas Biege <thomas () suse de>]

Am Dienstag 08 Februar 2011 11:54:16 schrieb Thomas Biege:
> Should CVE-IDs be assigned to this issues?

Sorry, I missed Josh'd mail.

> Am Freitag 21 Januar 2011 00:15:49 schrieb Dan Rosenberg:
> > I identified two issues in xpdf.  I don't think the first requires a
> > CVE, since it's incredibly unlikely to be exploitable, but I include
> > it here in case someone disagrees.
> >
> > 1. Due to an integer overflow when parsing CharCodes for fonts and a
> > failure to check the return value of a memory allocation, it is
> > possible to trigger writes to a narrow range of offsets from a NULL
> > pointer.  The chance of being able to exploit this for anything other
> > than a crash is very remote: on x86 32-bit, there's no chance (since
> > the write occurs between 0xffffffc4 and 0xfffffffc).  At least the
> > write lands in valid userspace on x86-64, but in my testing this
> > memory is never mapped.  Fixed in poppler commit at [1], hopefully
> > fixed soon at xpdf upstream.
> >
> > 2. Malformed commands may cause corruption of the internal stack used
> > to maintain graphics contexts, leading to potentially exploitable
> > memory corruption.  Fixed in poppler commit at [2], hopefully fixed
> > soon at xpdf upstream.
> >
> > -Dan
> >
> > [1] http://cgit.freedesktop.org/poppler/poppler/commit/?id=cad66a7d25abdb6aa15f3aa94a35737b119b2659
> > [2] http://cgit.freedesktop.org/poppler/poppler/commit/?id=8284008aa8230a92ba08d547864353d3290e9bf9

-- 
 Thomas Biege <thomas () suse de>, SUSE LINUX, Security Support & Auditing
 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
  Wer aufhoert besser werden zu wollen, hoert auf gut zu sein.
                            -- Marie von Ebner-Eschenbach