Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: kpdf (and xpdf) crash | | |
|---|---|---|---|
| Product: | [openSUSE] SUSE Linux 10.1 | Reporter: | Matthias Hopf <mhopf> |
| Component: | KDE | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Critical | | |
| Priority: | P5 - None | CC: | dmueller, gnome-bugs, lars.vogdt, nadvornik, sbrabec, security-team |
| Version: | Alpha 4 | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | patchinfos submitted | | |
| Found By: | Other | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | PDF that crashes; the patch; better patch, trying to get that one upstream; the official patch; backport to xpdf 3.00 | | |
Description

Matthias Hopf
2006-01-03 15:44:03 UTC

Created attachment 61896: PDF that crashes

Crash output of xpdf:

Error: Bad bounding box in Type 3 glyph
*** glibc detected *** free(): invalid pointer: 0x08328748 ***
Aborted

Crash output of kpdf (the QSocketNotifier is missing sometimes):

*** glibc detected *** free(): invalid next size (normal): 0x083464b8 ***
QSocketNotifier: invalid socket 9 and type 'Read', disabling...
Alarm clock

Looks like memory corruption. xpdf affected as well.

ok, it writes 4 bytes before the heap. This was an insanely painful one to find, because valgrind or libefence or anything else didn't help.

Created attachment 61991:
the patch
I'm not sure if it doesn't break anything, but it fixes the overflow.

While talking to upstream poppler maintainers about how to fix this one properly, the example PDF and patch leaked to the poppler mailing list. So it's public now, sorry. Doesn't matter much, because there are endless variants of this bug; it seems to never ever check for wrong values of coordinates when rendering.

This is perfectly all right (this bug is public anyway, and the document can be fetched freely from http://www.marantz.com/pdfs/g_sr7500_man.pdf). Having no checks for wrong coordinates is very bad indeed. I'm waiting for the first exploits.

Created attachment 65255:
better patch, trying to get that one upstream
CVE-2006-0301 is public now.

Updates for kdegraphics3 submitted (stable, 10.0, 9.3). Only KDE >= 3.4.0 is affected. All xpdf >= 3.0 is affected. Please deal with xpdf, gpdf, poppler etc.

Created attachment 66287:
the official patch
patchinfo file for kdegraphics3 (9.3/10.0) please

Created attachment 66312:
backport to xpdf 3.00
So the ones who have xpdf 2.0 in their package are lucky this time.

libextractor is based on 2.0. cups contains xpdf-2.01 (and older CUPS versions older xpdf versions). pdftohtml is based on 2.02.

Maintenance-Tracker-3467

kpdf released, we still need xpdf, gpdf and poppler updates.

KDE 3.3.x is also affected, I first didn't notice because the source tree was restructured in between. Submitted kdegraphics3 update for 9.2, please also do an update for that. Sorry for the mess-up.

Working on gpdf and poppler.

Fixed:
poppler: 10.0, STABLE, PLUS
gpdf: 9.3, 10.0, STABLE, PLUS
xpdf: 9.1, 9.2, 9.3, 10.0, STABLE
Not affected:
gpdf: 9.2 and older
xpdf: 9.0 and older

Thanks, all updates released.
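The thread's technical point is that the renderer used a Type 3 glyph's bounding box to index a heap buffer without checking the coordinates, so a bad box in a crafted PDF wrote a few bytes before the allocation. The C code below is an added illustration of the class of check the commenters say was missing; it is not any of the patches attached to this bug and not xpdf, kpdf or poppler code. The `GlyphBitmap` type, the `COORD_LIMIT` bound and the function names are assumptions made for this example, and the bitmap and bounding boxes are constructed inputs. The validator rejects NaN, absurdly large, and inverted boxes, clamps the rest to the bitmap, and only then lets the fill routine compute indices, so every write lands inside the buffer.

```c
#include <stdio.h>
#include <stdlib.h>

/* Sanity bound on device-space coordinates (assumed for this example);
 * anything beyond it is treated as a corrupt font rather than clamped. */
#define COORD_LIMIT 1e9

/* Hypothetical device-space glyph bitmap: 1 byte per pixel, row-major. */
typedef struct {
    int w, h;
    unsigned char *pix;
} GlyphBitmap;

/* Round a clamped, non-negative double down / up to an int (no libm needed). */
static int floor_nonneg(double v) { return (int)v; }
static int ceil_nonneg(double v) { int i = (int)v; return ((double)i < v) ? i + 1 : i; }

/*
 * Validate a Type 3 glyph bounding box [llx lly urx ury], already scaled to
 * device pixels, against the bitmap it will be drawn into.
 * On success returns 1 and stores the clamped half-open integer rectangle
 * {x0, y0, x1, y1} (x0 <= x < x1, y0 <= y < y1) in out; returns 0 when the
 * box must be rejected or covers no pixel of the bitmap.
 */
int glyph_bbox_ok(const double bbox[4], int w, int h, int out[4]) {
    if (w <= 0 || h <= 0) return 0;
    for (int i = 0; i < 4; i++) {
        if (bbox[i] != bbox[i]) return 0;                               /* NaN */
        if (bbox[i] > COORD_LIMIT || bbox[i] < -COORD_LIMIT) return 0;  /* inf or absurd */
    }
    if (bbox[0] > bbox[2] || bbox[1] > bbox[3]) return 0;  /* inverted: "bad bounding box" */

    /* Clamp as doubles first so a huge value can never overflow an int. */
    double x0 = bbox[0] < 0 ? 0 : bbox[0];
    double y0 = bbox[1] < 0 ? 0 : bbox[1];
    double x1 = bbox[2] > w ? w : bbox[2];
    double y1 = bbox[3] > h ? h : bbox[3];
    if (x0 >= x1 || y0 >= y1) return 0;  /* lies entirely outside the bitmap */

    out[0] = floor_nonneg(x0); out[1] = floor_nonneg(y0);
    out[2] = ceil_nonneg(x1);  out[3] = ceil_nonneg(y1);
    return 1;
}

/* Fill the validated rectangle; returns pixels written, or -1 if rejected.
 * Because the rectangle came from glyph_bbox_ok, every index is in [0, w*h). */
long fill_glyph_box(GlyphBitmap *bm, const double bbox[4]) {
    int r[4];
    if (!glyph_bbox_ok(bbox, bm->w, bm->h, r)) return -1;
    long n = 0;
    for (int y = r[1]; y < r[3]; y++)
        for (int x = r[0]; x < r[2]; x++) {
            bm->pix[(size_t)y * (size_t)bm->w + (size_t)x] = 0xff;
            n++;
        }
    return n;
}

/* Run one bounding box against a fresh 8x8 bitmap (constructed input);
 * returns the fill result, or -2 if allocation failed. */
long run_case(double llx, double lly, double urx, double ury) {
    GlyphBitmap bm = { 8, 8, calloc(64, 1) };
    if (!bm.pix) return -2;
    double bbox[4] = { llx, lly, urx, ury };
    long n = fill_glyph_box(&bm, bbox);
    free(bm.pix);
    return n;
}

int main(void) {
    printf("well-formed box      : %ld pixels\n", run_case(1, 1, 5, 5));     /* 16 */
    printf("negative origin      : %ld pixels\n", run_case(-3, -1, 4, 4));   /* 16, clamped */
    printf("inverted box         : %ld\n", run_case(5, 5, 1, 1));            /* -1, rejected */
    printf("outside the bitmap   : %ld\n", run_case(10, 10, 12, 12));        /* -1, rejected */
    printf("absurd coordinate    : %ld\n", run_case(0, 0, 1e12, 8));         /* -1, rejected */
    return 0;
}
```

The negative-origin case is the interesting one: without the clamp, the first row index would be -1 and the fill would write just before the allocation, which is the "writes 4 bytes before the heap" symptom reported above. Rejecting inverted and out-of-range boxes outright, rather than trying to repair them, mirrors xpdf's own "Bad bounding box" error path: a glyph that fails validation is simply not drawn.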