Date: Fri, 1 Oct 2010 15:16:48 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE requests: Poppler, Quassel, Pyfribidi, Overkill, DocUtils, FireGPG, Wireshark

On Wed, 29 Sep 2010 15:06:31 -0400 (EDT) Josh Bressers wrote:

> > 1. Poppler (might also affect xpdf and kpdf due to code heritage,
> > not determined yet)
> > http://secunia.com/advisories/41596/
> > -> Links to poppler git commits are given in the Secunia link
>
> This needs to be properly understood. I'm not assigning IDs until
> someone does a proper triage.

e853106b58 is an uninitialized pointer use flaw. Pointer value may be controlled by PDF content, hence if pointed to attacker-controlled memory, code execution may be possible via virtual method call. This should date back to very old xpdf versions.

bf2055088a seems similar to the above one. Pointer is to a class that has no virtual methods, but may be used to corrupt memory. This should only affect poppler versions after b1d4efb082.

39d140bfc0 array indexing error / underflow. On platforms where atoi can return a negative result, this can allow out-of-array-bounds write. Code appears in old xpdf versions too.

There are a few that don't seem worth calling security:
- memory leaks - 473de6f88a c6a0915127
- NULL deref - 3422638b2a
- infinite/deep recursion - d2578bd661
- OOB read - 26a5817ffe + 9706e28657

I'm not yet sure about these:

2fe825deac Prevents use of random value for PDF object that is not of numeric type as expected. This patch, however, does not seem to guard against invalid numeric values, so if some random value used due to an incorrect object type can cause crash later, I'd expect malicious numeric value to be able to achieve the same.

dfdf3602bd Similar to the previous, commit message here does not explicitly mention this addresses any crash.

a2dab0238a Commit message does not indicate this should address any crash. getPos seems mostly used for error reporting.

Does anyone have any different findings?

-- 
Tomas Hoger / Red Hat Security Response Team
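The "atoi can return a negative result" index underflow class described above for 39d140bfc0, shown as an added, constructed illustration (this is not poppler or xpdf code and not part of the thread): an index check that only tests the upper bound beside a parser that rejects negative, overflowing and malformed values. Function names are hypothetical.

```c
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>

/* Vulnerable pattern (constructed): atoi() returns -1 for "-1" and the
 * caller only checks the upper bound, so a negative index is accepted and
 * a later arr[idx] write lands before the start of the array.
 * Returns 1 if the index would be used, 0 if it is rejected. */
static int unchecked_accepts(const char *numstr, int nelem)
{
    int idx = atoi(numstr);
    return idx < nelem;          /* no lower bound: "-1" passes */
}

/* Hardened version: strtol with full error handling. Rejects empty input,
 * trailing garbage, overflow (ERANGE) and anything outside [0, nelem).
 * Returns the index, or -1 when the value must not be used. */
static long checked_index(const char *numstr, size_t nelem)
{
    char *end;
    errno = 0;
    long v = strtol(numstr, &end, 10);
    if (end == numstr || *end != '\0')  /* not a number, or junk after it */
        return -1;
    if (errno == ERANGE)                /* magnitude did not fit in long */
        return -1;
    if (v < 0 || (unsigned long)v >= nelem) /* underflow or out of bounds */
        return -1;
    return v;
}

int main(void)
{
    const char *inputs[] = { "7", "-1", "10", "7x", "", "99999999999999999999999" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("\"%s\": unchecked %s, checked %ld\n", inputs[i],
               unchecked_accepts(inputs[i], 10) ? "accepts" : "rejects",
               checked_index(inputs[i], 10));
    return 0;
}
```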