libpoppler0c2: source taken from xpdf may introduce heap-overflow vulnerabilities

Bug #26647 reported by Debian Bug Importer
Affects            Status         Importance   Assigned to   Milestone
poppler (Debian)   Fix Released   Unknown
poppler (Ubuntu)   Fix Released   High         Martin Pitt

Bug Description

Automatically imported from Debian bug report #342288 http://bugs.debian.org/342288

Revision history for this message
In , Steve Langasek (vorlon) wrote : severity of 342281 is grave

# Automatically generated email from bts, devscripts version 2.9.9
severity 342281 grave

Revision history for this message
In , Daniel Leidert (dleidert-deactivatedaccount) wrote : gpdf, kpdf and poppler could be affected too

clone 342281 -1 -2 -3
reassign -1 gpdf
retitle -1 gpdf: source taken from xpdf may introduce heap-overflow vulnerabilities
reassign -2 kpdf
retitle -2 kpdf: source taken from xpdf may introduce heap-overflow vulnerabilities
reassign -3 libpoppler0c2
retitle -3 libpoppler0c2: source taken from xpdf may introduce heap-overflow vulnerabilities
stop

Following the news at heise.de
(http://www.heise.de/security/news/meldung/67056) the packages kpdf,
gpdf and the poppler library could be or are affected too. Please test
if this is true.

Regards, Daniel

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 07 Dec 2005 06:42:55 +1100
From: Paul Szabo <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: xpdf-reader: security issues by iDefense

Package: xpdf-reader
Version: 3.00-13
Severity: critical
Justification: causes serious data loss

Arbitrary code execution (with privileges as user of package) issues
reported by iDefense:

  Multiple Vendor xpdf DCTStream Baseline Heap Overflow Vulnerability
  Multiple Vendor xpdf DCTStream Progressive Heap Overflow
  Multiple Vendor xpdf StreamPredictor Heap Overflow Vulnerability
  Multiple Vendor xpdf JPX Stream Reader Heap Overflow Vulnerability

  http://www.idefense.com/application/poi/display?id=342
  http://www.idefense.com/application/poi/display?id=343
  http://www.idefense.com/application/poi/display?id=344
  http://www.idefense.com/application/poi/display?id=345

(Debian, both woody and sarge, is specifically mentioned as vulnerable.)
Reported also on public mailing lists, see
http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/
http://www.securityfocus.com/archive/1

Upstream/vendor patches are apparently available.

Cheers,

Paul Szabo <email address hidden> http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-spm0.5
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages xpdf-reader depends on:
ii gsfonts 8.14+v8.11+urw-0.2 Fonts for the Ghostscript interpre
ii lesstif2 1:0.93.94-11.4 OSF/Motif 2.1 implementation relea
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libfreetype6 2.1.7-2.4 FreeType 2 font engine, shared lib
ii libgcc1 1:3.4.3-13 GCC support library
ii libice6 4.3.0.dfsg.1-14sarge1 Inter-Client Exchange library
ii libpaper1 1.1.14-3 Library for handling paper charact
ii libsm6 4.3.0.dfsg.1-14sarge1 X Window System Session Management
ii libstdc++5 1:3.3.5-13 The GNU Standard C++ Library v3
ii libt1-5 5.0.2-3 Type 1 font rasterizer library - r
ii libx11-6 4.3.0.dfsg.1-14sarge1 X Window System protocol client li
ii libxext6 4.3.0.dfsg.1-14sarge1 X Window System miscellaneous exte
ii libxp6 4.3.0.dfsg.1-14sarge1 X Window System printing extension
ii libxpm4 4.3.0.dfsg.1-14sarge1 X pixmap library
ii libxt6 4.3.0.dfsg.1-14sarge1 X Toolkit Intrinsics
ii xlibs 4.3.0.dfsg.1-14sarge1 X Keyboard Extension (XKB) configu
ii xpdf-common 3.00-13 Portable Document Format (PDF) sui
ii zlib1g 1:1.2.2-4.sarge.2 compression library - runtime

-- no debconf information

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 6 Dec 2005 12:07:45 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: severity of 342281 is grave


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <1133902712.3816.11.camel@localhost>
Date: Tue, 06 Dec 2005 21:58:32 +0100
From: Daniel Leidert <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: gpdf, kpdf and poppler could be affected too


Revision history for this message
In , Moritz Muehlenhoff (jmm-inutil) wrote : poppler confirmed vulnerable to latest xpdf issues

tags 342288 security
thanks

Hi,
I can confirm that poppler is vulnerable to all the latest xpdf vulnerabilities.
Please mention the CVE mappings from the iDefense advisories in the changelog
when fixing this.

Cheers,
        Moritz

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 6 Dec 2005 23:07:40 +0100
From: Moritz Muehlenhoff <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: poppler confirmed vulnerable to latest xpdf issues


Revision history for this message
In , Martin Pitt (pitti) wrote : Fwd: Re: [vendor-sec] xpdf update - patch wrong?

Hi!

I'm currently preparing Ubuntu security updates for these issues, and
I noticed that the upstream provided patch is wrong. I sent the mail
below to upstream (and some others).

Can you please check that you indeed fixed (tetex-bin)/will fix
(poppler) DCTStream::readProgressiveSOF(), too?

Thanks,

Martin

----- Forwarded message from Martin Pitt <email address hidden> -----

From: Martin Pitt <email address hidden>
To: <email address hidden>, <email address hidden>, Dirk Mueller <email address hidden>
Subject: Re: [vendor-sec] xpdf update - patch wrong?
Mail-Followup-To: <email address hidden>, <email address hidden>,
 Dirk Mueller <email address hidden>
Date: Thu, 8 Dec 2005 11:20:37 +0100

Hi Derek, hi Dirk, hi Vendor-Sec!

Josh Bressers [2005-12-06 13:50 -0500]:
> In the event any of you missed this:
>
> http://www.idefense.com/application/poi/display?id=342&type=vulnerabilities
> http://www.idefense.com/application/poi/display?id=343&type=vulnerabilities

It seems that the patch linked from these advisories [1] is a little
bit flawed: it checks numComps twice in DCTStream::readBaselineSOF(),
but does not check it in DCTStream::readProgressiveSOF().

It *seems* that KDE spotted and removed the double check in their
kdegraphics patch [2], but unless they removed
DCTStream::readProgressiveSOF() (which could very well be, I didn't
check yet), these patches now have the same flaw.

Thanks,

Martin

[1] ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.01pl1.patch
[2] ftp://ftp.kde.org/pub/kde/security_patches/post-3.4.3-kdegraphics-CAN-2005-3193.diff

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

----- End forwarded message -----
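
The point about DCTStream::readBaselineSOF() and DCTStream::readProgressiveSOF() in the forwarded message above, as an added example that is not code from xpdf, poppler or any of the patches discussed: when both frame-header readers go through one parser, the component-count check cannot be present in one path and missing in the other. The struct layout, the function names and the four-slot MAX_COMPS bound are assumptions made for this example, and the sample segments are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption for this example: the decoder keeps a fixed table of 4 slots. */
#define MAX_COMPS 4

struct comp_info { uint8_t id, h_samp, v_samp, quant; };

struct frame {
    int progressive;
    unsigned width, height;
    unsigned num_comps;                 /* set only after validation */
    struct comp_info comp[MAX_COMPS];
};

enum sof_status { SOF_OK, SOF_TRUNCATED, SOF_BAD_NUMCOMPS, SOF_BAD_COMPONENT };

/*
 * Parse the body of a JPEG start-of-frame segment (the bytes after the
 * two-byte length field): precision, height, width, component count,
 * then three bytes per component.
 */
static enum sof_status parse_sof(const uint8_t *p, size_t len,
                                 int progressive, struct frame *f)
{
    if (len < 6)
        return SOF_TRUNCATED;

    unsigned n = p[5];
    /* Reject the count before it is used as a loop bound or array index. */
    if (n < 1 || n > MAX_COMPS)
        return SOF_BAD_NUMCOMPS;
    if (len < 6 + 3 * (size_t)n)
        return SOF_TRUNCATED;

    for (unsigned i = 0; i < n; i++) {
        const uint8_t *c = p + 6 + 3 * i;
        unsigned h = c[1] >> 4, v = c[1] & 0x0f;
        /* JPEG allows sampling factors 1..4 and table selectors 0..3. */
        if (h < 1 || h > 4 || v < 1 || v > 4 || c[2] > 3)
            return SOF_BAD_COMPONENT;
        f->comp[i] = (struct comp_info){ c[0], (uint8_t)h, (uint8_t)v, c[2] };
    }
    f->progressive = progressive;
    f->height = (unsigned)p[1] << 8 | p[2];
    f->width  = (unsigned)p[3] << 8 | p[4];
    f->num_comps = n;
    return SOF_OK;
}

/* Both entry points go through parse_sof(), so neither can skip the check. */
enum sof_status read_baseline_sof(const uint8_t *p, size_t len, struct frame *f)
{
    return parse_sof(p, len, 0, f);
}

enum sof_status read_progressive_sof(const uint8_t *p, size_t len, struct frame *f)
{
    return parse_sof(p, len, 1, f);
}

/* Constructed sample segments (not taken from any real file). */
static const uint8_t sample_ok[] = {
    0x08, 0x00, 0x10, 0x00, 0x20, 0x03,   /* 8 bit, height 16, width 32, 3 comps */
    0x01, 0x22, 0x00,  0x02, 0x11, 0x01,  0x03, 0x11, 0x01
};
static const uint8_t sample_bad_count[] = {
    0x08, 0x00, 0x10, 0x00, 0x20, 0xC8    /* declares 200 components */
};

int main(void)
{
    struct frame f = {0};
    printf("baseline, 3 components:     status %d\n",
           read_baseline_sof(sample_ok, sizeof sample_ok, &f));
    printf("progressive, 200 components: status %d\n",
           read_progressive_sof(sample_bad_count, sizeof sample_bad_count, &f));
    return 0;
}
```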

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 8 Dec 2005 12:21:57 +0100
From: Martin Pitt <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: Fwd: Re: [vendor-sec] xpdf update - patch wrong?


Revision history for this message
In , Martin Pitt (pitti) wrote : Ubuntu security patch

tag 342288 patch
thanks

Hi!

We found more flaws in upstream's xpdf patch: it checked
multiplication overflows *after* the overflow occurred, which is not
valid.

The current patch

  http://patches.ubuntu.com/patches/poppler.CVE-2005-3191_2_3.diff

checks multiplication overflows properly and also adds the two
missing numComps checks that are missing in xpdf upstream's patch.

Thanks,

Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
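
Why the order matters in the overflow check described in the message above, as an added example that is not taken from the xpdf or Ubuntu patches: a test applied to the product after it has been computed can accept a wrapped size, while dividing the limit before each multiplication cannot. The function names, the three-factor size and SIZE_LIMIT are assumptions for illustration, and the inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed cap on a single allocation for this example. */
#define SIZE_LIMIT ((uint32_t)INT32_MAX)

/*
 * Late check: multiply first, test the result afterwards. uint32_t is used so
 * the wrap is well defined and the example is deterministic; it models
 *     int size = nx * ny * elem;  if (size <= 0) error();
 * With signed int that overflow is undefined behaviour in C, so a compiler
 * may even drop the test. Either way the test only sees the low 32 bits.
 */
int tile_bytes_late_check(uint32_t nx, uint32_t ny, uint32_t elem, uint32_t *out)
{
    uint32_t total = nx * ny * elem;            /* high bits are already lost */
    if (total == 0 || total > SIZE_LIMIT)       /* "zero or negative" test */
        return 0;
    *out = total;
    return 1;
}

/*
 * Early check: before each multiplication, compare one factor against the
 * limit divided by the other, so no product is formed unless it fits.
 */
int tile_bytes_pre_check(uint32_t nx, uint32_t ny, uint32_t elem, uint32_t *out)
{
    if (nx == 0 || ny == 0 || elem == 0)
        return 0;
    if (nx > SIZE_LIMIT / ny)
        return 0;
    uint32_t tiles = nx * ny;                   /* fits: checked above */
    if (tiles > SIZE_LIMIT / elem)
        return 0;
    *out = tiles * elem;
    return 1;
}

/* Allocate a zeroed tile table, or return NULL if the size does not fit. */
void *alloc_tiles(uint32_t nx, uint32_t ny, uint32_t elem)
{
    uint32_t bytes;
    if (!tile_bytes_pre_check(nx, ny, elem, &bytes))
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    /* Constructed input: 65536 * 65537 * 16 needs 68720525312 bytes. */
    uint32_t nx = 65536u, ny = 65537u, elem = 16u, bytes = 0;

    if (tile_bytes_late_check(nx, ny, elem, &bytes))
        printf("late check accepts a wrapped size of %u bytes\n", (unsigned)bytes);
    if (!tile_bytes_pre_check(nx, ny, elem, &bytes))
        printf("pre-check rejects the same dimensions\n");
    return 0;
}
```

GCC and Clang also provide `__builtin_mul_overflow`, which reports the overflow without the caller ever using the wrapped product.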

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 12 Dec 2005 11:03:02 +0100
From: Martin Pitt <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Ubuntu security patch


Revision history for this message
Martin Pitt (pitti) wrote :

fixed in USN-227-1, dapper was fixed as well.

Revision history for this message
In , Frank Küster (frank-kuesterei) wrote : NMU for this bug

Hi,

since this bug has been open for quite a while, I'm currently preparing
an NMU for this bug, using the attached patch. I'm going to upload it
without a delay.

Regards, Frank
--
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 23 Dec 2005 16:50:21 +0100
From: Frank Küster <email address hidden>
To: <email address hidden>
Subject: NMU for this bug

Content-Type: text/x-patch; charset=iso-8859-1
Content-Disposition: inline; filename=poppler.NMU
Content-Transfer-Encoding: quoted-printable

diff -Nur poppler-0.4.2/debian/changelog poppler-0.4.2.new/debian/changelog
--- poppler-0.4.2/debian/changelog 2005-12-23 16:48:41.997756352 +0100
+++ poppler-0.4.2.new/debian/changelog 2005-12-23 16:48:21.697842408 +0100
@@ -1,3 +1,26 @@
+poppler (0.4.2-1.1) unstable; urgency=3Dhigh
+
+ * SECURITY UPDATE: Multiple integer/buffer overflows.
+
+ * NMU to fix RC security bug (closes: #342288)
+ * Add debian/patches/04_CVE-2005-3191_2_3.patch taken from Ubuntu,
+ thanks to Martin Pitt:
+ * poppler/Stream.cc, DCTStream::readBaselineSOF(),
+ DCTStream::readProgressiveSOF(), DCTStream::readScanInfo():
+ - Check numComps for invalid values.
+ - http://www.idefense.com/application/poi/display?id=3D342&type=3Dvuln=
erabilities
+ - CVE-2005-3191
+ * poppler/Stream.cc, StreamPredictor::StreamPredictor():
+ - Check rowBytes for invalid values.
+ - http://www.idefense.com/application/poi/display?id=3D344&type=3Dvuln=
erabilities
+ - CVE-2005-3192
+ * poppler/JPXStream.cc, JPXStream::readCodestream():
+ - Check img.nXTiles * img.nYTiles for integer overflow.
+ - http://www.idefense.com/application/poi/display?id=3D345&type=3Dvul=
nerabilities
+ - CVE-2005-3193
+
+ -- Frank K=FCster <email address hidden> Fri, 23 Dec 2005 16:36:30 +0100
+
 poppler (0.4.2-1) unstable; urgency=3Dlow
=20
   * GNOME Team upload.
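
Review bot: the DCTStream item in the new changelog stanza lists DCTStream::readProgressiveSOF() but cites only the id=342 advisory; the original report in this thread lists four iDefense advisories (ids 342 to 345), and id=343 is not referenced anywhere in the entry. If CVE-2005-3191 is meant to cover the progressive case as well, say so explicitly or add the second link, since the request earlier in the thread was to record the CVE mappings from the advisories. The three `* poppler/...` items also sit at the same bullet level as the "Add debian/patches/04_CVE-2005-3191_2_3.patch" line that introduces them; indenting them beneath it would make clear that they describe the contents of that one patch.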
diff -Nur poppler-0.4.2/debian/patches/04_CVE-2005-3191_2_3.patch poppler-0=
.4.2.new/debian/patches/04_CVE-2005-3191_2_3.patch
--- poppler-0.4.2/debian/patches/04_CVE-2005-3191_2_3.patch 1970-01-01 01:0=
0:00.000000000 +0100
+++ poppler-0.4.2.new/debian/patches/04_CVE-2005-3191_2_3.patch 2005-12-23 =
16:15:37.000000000 +0100
@@ -0,0 +1,156 @@
+diff -Nur poppler-0.4.2/poppler/JPXStream.cc poppler-0.4.2.new/poppler/JPX=
Stream.cc
+--- poppler-0.4.2/poppler/JPXStream.cc 2005-03-03 20:46:03.000000000 +0100
++++ poppler-0.4.2.new/poppler/JPXStream.cc 2005-12-09 17:41:42.000000000 +=
0100
+@@ -7,6 +7,7 @@
+ //=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+=20
+ #include <config.h>
++#include <limits.h>
+=20
+ #ifdef USE_GCC_PRAGMAS
+ #pragma implementation
+@@ -666,7 +667,7 @@
+ int segType;
+ GBool haveSIZ, haveCOD, haveQCD, haveSOT;
+ Guint precinctSize, style;
+- Guint segLen, capabilities, comp, i, j, r;
++ Guint segLen, capabilities, nT...
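
Review bot: in the embedded JPXStream.cc change, the widened declaration (`Guint segLen, capabilities, nT...`) keeps the new variable unsigned while the only other visible addition is `#include <limits.h>`, so the bound used for the img.nXTiles * img.nYTiles check should be stated against the type that actually reaches the allocator, and the test has to be a division done before the multiplication, not a comparison on the product. The text is cut off before the check itself, so this cannot be confirmed from what is shown. The new file debian/patches/04_CVE-2005-3191_2_3.patch also starts directly with its `diff -Nur` line; a short header giving the origin (the Ubuntu patch) and a one-line description would help later maintainers.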


Revision history for this message
In , Frank Küster (frank-debian) wrote : Fixed in NMU of poppler 0.4.2-1.1

tag 342288 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 23 Dec 2005 16:36:30 +0100
Source: poppler
Binary: libpoppler-glib-dev libpoppler0c2-qt libpoppler-qt-dev libpoppler-dev libpoppler0c2-glib libpoppler0c2
Architecture: source i386
Version: 0.4.2-1.1
Distribution: unstable
Urgency: high
Maintainer: Changwoo Ryu <email address hidden>
Changed-By: Frank Küster <email address hidden>
Description:
 libpoppler-dev - PDF rendering library -- development files
 libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
 libpoppler-qt-dev - PDF rendering library -- development files (Qt interface)
 libpoppler0c2 - PDF rendering library
 libpoppler0c2-glib - PDF rendering library (GLib-based shared library)
 libpoppler0c2-qt - PDF rendering library (Qt-based shared library)
Closes: 342288
Changes:
 poppler (0.4.2-1.1) unstable; urgency=high
 .
   * SECURITY UPDATE: Multiple integer/buffer overflows.
 .
   * NMU to fix RC security bug (closes: #342288)
   * Add debian/patches/04_CVE-2005-3191_2_3.patch taken from Ubuntu,
     thanks to Martin Pitt:
   * poppler/Stream.cc, DCTStream::readBaselineSOF(),
     DCTStream::readProgressiveSOF(), DCTStream::readScanInfo():
     - Check numComps for invalid values.
     - http://www.idefense.com/application/poi/display?id=342&type=vulnerabilities
     - CVE-2005-3191
   * poppler/Stream.cc, StreamPredictor::StreamPredictor():
     - Check rowBytes for invalid values.
     - http://www.idefense.com/application/poi/display?id=344&type=vulnerabilities
     - CVE-2005-3192
    * poppler/JPXStream.cc, JPXStream::readCodestream():
      - Check img.nXTiles * img.nYTiles for integer overflow.
      - http://www.idefense.com/application/poi/display?id=345&type=vulnerabilities
      - CVE-2005-3193
Files:
 fa5985bf510c5dc3793156b056cc78a4 1750 devel optional poppler_0.4.2-1.1.dsc
 384879819f5e5dca860ddb639729bc86 5859 devel optional poppler_0.4.2-1.1.diff.gz
 0247cf16c73b8b62ef757d96daf30897 432912 libs optional libpoppler0c2_0.4.2-1.1_i386.deb
 beaa0aa70ca97108c1b997c1cb14cd79 578472 libdevel optional libpoppler-dev_0.4.2-1.1_i386.deb
 78fc2dcc40d9e3c35a75248dcdac06f3 38076 libs optional libpoppler0c2-glib_0.4.2-1.1_i386.deb
 c5234e6480d01d1598de712269db17d8 41794 libdevel optional libpoppler-glib-dev_0.4.2-1.1_i386.deb
 a1c780d7a092ae6c0981c3d6ae670d60 26566 libs optional libpoppler0c2-qt_0.4.2-1.1_i386.deb
 48fafdd9dea81ca896648aa27dc57539 27540 libdevel optional libpoppler-qt-dev_0.4.2-1.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDrB+T+xs9YyJS+hoRAkGeAKCGNO5wdGYnEkfuL1m1R5jwVgpeyACgjjbu
pxGJG86s2jzHK+Gk5h/6WcM=
=sW6p
-----END PGP SIGNATURE-----

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sat, 24 Dec 2005 01:32:07 -0800
From: Frank Küster <email address hidden>
To: <email address hidden>
Cc: Frank Küster <email address hidden>, Changwoo Ryu <email address hidden>
Subject: Fixed in NMU of poppler 0.4.2-1.1


Revision history for this message
In , Ondřej Surý (ondrej) wrote : Bug#342288: fixed in poppler 0.4.3-1

Source: poppler
Source-Version: 0.4.3-1

We believe that the bug you reported is fixed in the latest version of
poppler, which is due to be installed in the Debian FTP archive:

libpoppler-dev_0.4.3-1_i386.deb
  to pool/main/p/poppler/libpoppler-dev_0.4.3-1_i386.deb
libpoppler-glib-dev_0.4.3-1_i386.deb
  to pool/main/p/poppler/libpoppler-glib-dev_0.4.3-1_i386.deb
libpoppler-qt-dev_0.4.3-1_i386.deb
  to pool/main/p/poppler/libpoppler-qt-dev_0.4.3-1_i386.deb
libpoppler0c2-glib_0.4.3-1_i386.deb
  to pool/main/p/poppler/libpoppler0c2-glib_0.4.3-1_i386.deb
libpoppler0c2-qt_0.4.3-1_i386.deb
  to pool/main/p/poppler/libpoppler0c2-qt_0.4.3-1_i386.deb
libpoppler0c2_0.4.3-1_i386.deb
  to pool/main/p/poppler/libpoppler0c2_0.4.3-1_i386.deb
poppler-utils_0.4.3-1_i386.deb
  to pool/main/p/poppler/poppler-utils_0.4.3-1_i386.deb
poppler_0.4.3-1.diff.gz
  to pool/main/p/poppler/poppler_0.4.3-1.diff.gz
poppler_0.4.3-1.dsc
  to pool/main/p/poppler/poppler_0.4.3-1.dsc
poppler_0.4.3.orig.tar.gz
  to pool/main/p/poppler/poppler_0.4.3.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <email address hidden> (supplier of updated poppler package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 30 Dec 2005 11:34:07 +0100
Source: poppler
Binary: libpoppler-glib-dev poppler-utils libpoppler0c2-qt libpoppler-qt-dev libpoppler-dev libpoppler0c2-glib libpoppler0c2
Architecture: source i386
Version: 0.4.3-1
Distribution: unstable
Urgency: high
Maintainer: Ondřej Surý <email address hidden>
Changed-By: Ondřej Surý <email address hidden>
Description:
 libpoppler-dev - PDF rendering library -- development files
 libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
 libpoppler-qt-dev - PDF rendering library -- development files (Qt interface)
 libpoppler0c2 - PDF rendering library
 libpoppler0c2-glib - PDF rendering library (GLib-based shared library)
 libpoppler0c2-qt - PDF rendering library (Qt-based shared library)
 poppler-utils - PDF utilitites (based on libpoppler)
Closes: 314556 322964 328211 330544 342288 344738
Changes:
 poppler (0.4.3-1) unstable; urgency=high
 .
   * New upstream release.
   * New maintainer (Closes: #344738)
   * CVE-2005-3191 and CAN-2005-2097 fixes merged upstream.
   * Fixed some rendering bugs and disabled Cairo output
     (Closes: #314556, #322964, #328211)
   * Acknowledge NMU (Closes: #342288)
   * Add 001-selection-crash-bug.patch (Closes: #330544)
   * Add poppler-utils (merge patch from Ubuntu)
Files:
 2c34a504743936d600d2edcc712bcde8 1730 devel optional poppler_0.4.3-1.dsc
 791dc78d8366eb05580183fe85174555 779582 devel optional poppler_0.4.3.orig.tar.gz
 f32ec16c14fe8f3ab603da417e4f768e 122483 devel optional popple...


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 30 Dec 2005 09:37:56 -0800
From: Ondřej Surý <email address hidden>
To: <email address hidden>
Subject: Bug#342288: fixed in poppler 0.4.3-1

