Date: Fri, 9 Dec 2005 10:19:51 +0100
From: Martin Pitt <email address hidden>
To: Frank Küster <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?

Hi Frank!

Frank Küster [2005-12-08 13:17 +0100]:
> Martin Pitt <email address hidden> wrote:
>
> > Hi!
> >
> > I'm currently preparing Ubuntu security updates for these issues, and
> > I noticed that the upstream provided patch is wrong. I sent the mail
> > below to upstream (and some others).
> >
> > Can you please check that you indeed fixed (tetex-bin)/will fix
> > (poppler) DCTStream::readProgressiveSOF(), too?
> [...]
> > It seems that the patch linked from these advisories [1] is a little
> > bit flawed: it checks numComps twice in DCTStream::readBaselineSOF(),
> > but does not check it in DCTStream::readProgressiveSOF().
>
> We have the same flaw in our upload. Would you be so kind and check the
> updated patch at
>
> http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch-CVE-2005-3191+2+3?op=file&rev=0&sc=0
>
> I'm completely illiterate in C++, and would like to make sure this is
> correct.

Bad news. A further review of Streams.cc revealed a third place where
numComps goes unchecked (I checked the whole file now, it's really the
last one). So you additionally need this hunk:

@@ -2947,6 +2974,10 @@ GBool DCTStream: :readScanInfo( ) {
length =3D read16() - 2; numComps =3D str->getChar(); getPos( ), "Bad DCT scan info block");
scanInfo.
+ if (scanInfo.numComps <=3D 0 || scanInfo.numComps > 4) {
+ error(getPos(), "Bad number of components in DCT stream");
+ return gFalse;
+ }
--length;
if (length !=3D 2 * scanInfo.numComps + 3) {
error(
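
Review bot: the upper bound in the added `if (scanInfo.numComps <= 0 || scanInfo.numComps > 4)` is a bare literal 4, and per this thread it is now the third site in the file (after readBaselineSOF and readProgressiveSOF) that carries the same range test by hand, which is the pattern that let one site go unchecked in the first patch. Suggest a named constant for the maximum component count, or one small helper called from all three sites, so the limit is stated once. The error text "Bad number of components in DCT stream" would also be easier to triage if it said the value came from the scan header, to tell it apart from the SOF checks.
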
Martin

-- 
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
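
As an added illustration (not code from xpdf, tetex-bin or poppler, and not part of the original mail): a stand-alone C parser for a JPEG scan header that applies the same two tests as the hunk. The struct layout, function name and sample bytes are constructed for this example; it shows that a header claiming 200 components can carry a self-consistent length field, so only the explicit bound keeps the loop inside the fixed-size arrays.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_SCAN_COMPS 4   /* same upper bound as the hunk in the mail */

/* Hypothetical layout for this example; not xpdf's DCTScanInfo. */
typedef struct {
    int numComps;
    uint8_t id[MAX_SCAN_COMPS], dcTable[MAX_SCAN_COMPS], acTable[MAX_SCAN_COMPS];
} ScanInfo;

/* Parse the body of a JPEG scan header (bytes following the marker).
 * Returns 0 on success, -1 on malformed input. */
int parse_scan_info(const uint8_t *buf, size_t len, ScanInfo *out)
{
    if (len < 3)
        return -1;                              /* need length + count */
    int length = ((buf[0] << 8) | buf[1]) - 2;  /* mirrors read16() - 2 */
    int n = buf[2];
    if (n <= 0 || n > MAX_SCAN_COMPS)           /* the range test the hunk adds */
        return -1;
    --length;
    if (length != 2 * n + 3)                    /* consistency only: the length */
        return -1;                              /* field is input-controlled too */
    if (len < (size_t)length + 3)
        return -1;                              /* buffer must hold the header */
    out->numComps = n;
    for (int i = 0; i < n; i++) {               /* n <= 4, so writes stay in bounds */
        out->id[i]      = buf[3 + 2 * i];
        out->dcTable[i] = buf[4 + 2 * i] >> 4;
        out->acTable[i] = buf[4 + 2 * i] & 0x0f;
    }
    return 0;
}

/* Constructed sample: well-formed header with 3 components. */
static const uint8_t SAMPLE_OK[] = {0x00, 0x0C, 0x03, 0x01, 0x00, 0x02, 0x11,
                                    0x03, 0x11, 0x00, 0x3F, 0x00};
/* Constructed sample: 200 components, length field 406 = 2 + 1 + 2*200 + 3,
 * so the length test alone would accept it. Remaining bytes are zero. */
static const uint8_t SAMPLE_BAD[406] = {0x01, 0x96, 0xC8};

int main(void)
{
    ScanInfo s;
    printf("3 components:   %d\n", parse_scan_info(SAMPLE_OK, sizeof SAMPLE_OK, &s));
    printf("200 components: %d\n", parse_scan_info(SAMPLE_BAD, sizeof SAMPLE_BAD, &s));
    return 0;
}
```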