Date: Wed, 21 Oct 2009 17:25:47 -0500
From: Will Drewry <redpig@...rt.org>
To: ocert-announce@...ts.ocert.org, bugtraq <bugtraq@...urityfocus.com>, 
	oss-security@...ts.openwall.com
Subject: [oCERT-2009-016] Poppler, xpdf integer overflow during heap 
	allocation

#2009-016 Poppler, Xpdf integer overflows during heap allocation

Description:

Poppler and Xpdf are two popular open source projects for processing PDF
files.  Both projects are vulnerable to an integer overflow during heap
memory allocation when processing a crafted PDF file.  In general, this
results in unexpected process termination.  If an application using this
code is multi-threaded (or installs a crash signal handler), it may be
possible to execute arbitrary code.

The vulnerability resides in the object stream handler.  In particular,
a multiplicative overflow occurs when the object stream dictionary
specifies a very large number of embedded objects.  An overflow check was
in place in the code, but it only protected the related calls to
gmalloc().  The C++ object array allocation (new[]) is not guarded by the
upper bound check, and with gcc the overflowed size passed to new[] does
not raise an exception, so a heap block far smaller than the element
count implies is returned.  The element constructors then write past the
end of that allocation.

Both software packages have released fixed versions which limit the allowed
object count to a domain specific value.

A detailed analysis by the reporter can be found in the References.
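
The following is an added example, not code from Poppler, Xpdf or the
advisory.  It models the arithmetic behind the bug: an element count taken
straight from the stream dictionary is multiplied by the element size when
new[] sizes the array, and on a 32-bit target that product wraps.  The
element size (16 bytes), the object-count cap and every function name here
are assumptions made for the example; the real Object type and the value
the maintainers chose for the limit are not given on this page.  The code
never performs the overflowing allocation itself, it only computes what an
unchecked new[] would request and what the constructors would write.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <limits>

// Assumed size of one embedded-object record; the real Object is larger,
// which only makes the overflow easier to reach.
static const uint64_t kAssumedObjectSize = 16;

// Size the allocator would actually receive for n elements of elem_size
// bytes when the product is truncated to `bits` bits. This models an
// unchecked `new T[n]` on a 32-bit target (n * sizeof(T) mod 2^32).
static uint64_t truncated_alloc_size(uint64_t n, uint64_t elem_size, unsigned bits) {
    uint64_t product = n * elem_size;           // wraps mod 2^64 if huge
    if (bits >= 64) return product;
    return product & ((uint64_t(1) << bits) - 1);
}

// Vulnerable pattern: nObjects comes straight from the /N entry of the
// object stream dictionary and is used to size the object array without
// any bound check. Returns how many bytes the n constructors would write
// beyond the block new[] handed back (0 when nothing wraps).
static uint64_t construction_overrun_bytes(long nObjects, unsigned bits) {
    if (nObjects <= 0) return 0;
    uint64_t need = uint64_t(nObjects) * kAssumedObjectSize;
    uint64_t got  = truncated_alloc_size(uint64_t(nObjects), kAssumedObjectSize, bits);
    return need - got;
}

// Hardened pattern, mirroring the fix the advisory describes: reject the
// count before anything is allocated. The cap is an assumed value for this
// example; the multiplication is also checked against size_t so the guard
// still holds if the cap is ever raised or the element grows.
static const long kMaxObjStmObjects = 1000000;   // assumed domain-specific limit

static bool validate_object_count(long nObjects, uint64_t elem_size) {
    if (nObjects <= 0 || nObjects > kMaxObjStmObjects) return false;
    uint64_t max_count = std::numeric_limits<std::size_t>::max() / elem_size;
    if (uint64_t(nObjects) > max_count) return false;
    return true;
}

int main() {
    // Constructed input: /N 0x10000001, i.e. 268435457 objects.
    long n = 0x10000001L;
    std::printf("32-bit new[] would get %llu bytes for %ld objects\n",
                (unsigned long long)truncated_alloc_size(n, kAssumedObjectSize, 32), n);
    std::printf("constructors would overrun by %llu bytes\n",
                (unsigned long long)construction_overrun_bytes(n, 32));
    std::printf("hardened check accepts? %s\n",
                validate_object_count(n, kAssumedObjectSize) ? "yes" : "no");
    return 0;
}
```

With the constructed count above, 0x10000001 * 16 is 0x100000010, which a
32-bit size_t truncates to 16 bytes: new[] returns a single-element block
and the constructors then march 4 GiB past it, which is why the common
outcome is a crash rather than a clean exploit.  The hardened check rejects
the count before the arithmetic is ever done; do not rely on the compiler
to catch the multiplication for you, which is the point the gcc bug in the
References makes.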


Affected version:

Poppler < 0.12.1

Xpdf < 3.02pl4


Fixed version:

Poppler >= 0.12.1

Xpdf >= 3.02pl4


Credit: vulnerability report and PoC received from
        Chris Rohlf <chris.rohlf@...il.com>.


CVE: CVE-2009-3608


Timeline:

2009-09-04: vulnerability report received
2009-09-17: proof of concept received from reporter
2009-09-21: impact reviewed
2009-09-29: contacted poppler maintainer
2009-09-29: vendor-sec notified
2009-09-30: vendor-sec discussion expanded to include xpdf maintainer
2009-10-02: final fix agreed upon by both maintainers
2009-10-12: CVE assigned by Tomas Hoger of Red Hat
2009-10-14: fixed Xpdf released
2009-10-18: fixed Poppler released
2009-10-21: advisory published


References:
http://poppler.freedesktop.org/
http://www.foolabs.com/xpdf/CHANGES
http://chargen.matasano.com/chargen/2009/10/9/a-c-challenge.html
http://chargen.matasano.com/chargen/2009/10/15/a-c-challenge-the-conclusion.html
http://sites.google.com/site/em386cr/Home/CVE-2009-3608-explained.txt
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=19351


Permalink:
http://www.ocert.org/advisories/ocert-2009-016.html

--
Will Drewry <redpig@...rt.org>
http://ocert.org
