Bug 141242 - VUL-0: kpdf (and xpdf) crash
Summary: VUL-0: kpdf (and xpdf) crash
Status: RESOLVED FIXED
Alias: None
Product: SUSE Linux 10.1
Classification: openSUSE
Component: KDE (show other bugs)
Version: Alpha 4
Hardware: Other Other
: P5 - None : Critical (vote)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
URL:
Whiteboard: patchinfos submitted
Keywords:
Depends on:
Blocks:
 
Reported: 2006-01-03 15:44 UTC by Matthias Hopf
Modified: 2006-02-09 16:33 UTC (History)
6 users (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
PDF that crashes (4.66 MB, application/pdf)
2006-01-03 15:45 UTC, Matthias Hopf 		Details
the patch (2.01 KB, patch)
2006-01-04 22:45 UTC, Dirk Mueller 		Details | Diff
better patch, trying to get that one upstream (1.35 KB, patch)
2006-01-26 16:01 UTC, Dirk Mueller 		Details | Diff
the official patch (1.64 KB, patch)
2006-02-02 23:15 UTC, Dirk Mueller 		Details | Diff
backport to xpdf 3.00 (1.70 KB, patch)
2006-02-03 09:56 UTC, Ludwig Nussel 		Details | Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Hopf 2006-01-03 15:44:03 UTC 
Both kpdf and xpdf crash on this pdf file, xpdf during display of page 12, kpdf after several seconds (assuming due to thumbnail generation). This also happens on SL10.0.

Acroread displays it well, ghostscript does not crash either (but has difficulties with the page size).
Comment 1 Matthias Hopf 2006-01-03 15:45:09 UTC 
Created attachment 61896 [details]
PDF that crashes
Comment 2 Matthias Hopf 2006-01-03 15:47:30 UTC 
Crash output of xpdf:

Error: Bad bounding box in Type 3 glyph
*** glibc detected *** free(): invalid pointer: 0x08328748 ***
Aborted


Crash output of kdf (the QSocketNotifier is missing sometimes):

*** glibc detected *** free(): invalid next size (normal): 0x083464b8 ***
QSocketNotifier: invalid socket 9 and type 'Read', disabling...
Alarm clock


Looks like memory corruption.
Comment 3 Dirk Mueller 2006-01-04 17:58:36 UTC 
xpdf affected as well..
Comment 4 Dirk Mueller 2006-01-04 22:44:43 UTC 
ok, it writes 4 bytes before the heap. this was an insanely painful one to find, because valgrind or libefence or anything else didn't help.
Comment 5 Dirk Mueller 2006-01-04 22:45:26 UTC 
Created attachment 61991 [details]
the patch

I'm not sure if it doesn't break anything, but it fixes the overflow.
Comment 6 Dirk Mueller 2006-01-05 09:18:47 UTC 
while talking to upstream poppler maintainers about how to fix this one properly, the example pdf and patch leaked to the poppler mailing list. so its public now. sorry. doesn't matter much because there are endless variants of this bug, it seems to never ever check for wrong values of coordinates when rendering.
Comment 7 Matthias Hopf 2006-01-05 10:34:11 UTC 
This is perfectly all right (this bug is public anyway, and the document can be fetched freely from http://www.marantz.com/pdfs/g_sr7500_man.pdf).

Having no checks for wrong coordinates is very bad indeed. I'm waiting for the first exploits.
Comment 8 Dirk Mueller 2006-01-26 16:01:14 UTC 
Created attachment 65255 [details]
better patch, trying to get that one upstream
Comment 9 Dirk Mueller 2006-01-27 13:14:55 UTC 
CVE-2006-0301
Comment 10 Ludwig Nussel 2006-02-01 08:24:52 UTC 
public now
Comment 11 Dirk Mueller 2006-02-02 23:14:36 UTC 
updates for kdegraphics3 submitted (stable 10.0 9.3). Only KDE >= 3.4.0 is affected. 

all xpdf >= 3.0 is affected. please deal with xpdf, gpdf, poppler etc..
Comment 12 Dirk Mueller 2006-02-02 23:15:46 UTC 
Created attachment 66287 [details]
the official patch
Comment 13 Ruediger Oertel 2006-02-03 00:35:30 UTC 
patchinfo file for kdegraphics3 (9.3/10.0) please
Comment 14 Ludwig Nussel 2006-02-03 09:56:50 UTC 
Created attachment 66312 [details]
backport to xpdf 3.00
Comment 15 Ludwig Nussel 2006-02-03 10:37:27 UTC 
so the one who have xpdf 2.0 in their package are lucky this time.
Comment 16 Karl Eichwalder 2006-02-03 10:42:35 UTC 
libextractor is based on 2.0.
Comment 17 Klaus Singvogel 2006-02-03 11:13:14 UTC 
cups contains xpdf-2.01 (and older CUPS versions older xpdf versions)
Comment 18 Lars Vogdt 2006-02-03 11:15:08 UTC 
pdftohtml is based on 2.02
Comment 19 Ludwig Nussel 2006-02-03 15:31:13 UTC 
Maintenance-Tracker-3467
Comment 20 Ludwig Nussel 2006-02-06 12:54:42 UTC 
kpdf released, we still need xpdf, gpdf and poppler updates
Comment 21 Dirk Mueller 2006-02-06 16:34:55 UTC 
KDE 3.3.x is also affected, I first didn't notice because the source tree was restructured inbetween.

submitted kdegraphics3 update for 9.2, please also do an update for that. Sorry for the messup.
Comment 22 Stanislav Brabec 2006-02-07 14:46:13 UTC 
Working on gpdf and poppler.
Comment 23 Stanislav Brabec 2006-02-07 15:25:39 UTC 
Fixed:
poppler: 10.0, STABLE, PLUS
gpdf: 9.3, 10.0, STABLE, PLUS
xpdf: 9.1, 9.2, 9.3, 10.0, STABLE

Not affected:
gpdf: 9.2 and older
xpdf: 9.0 and older
Comment 24 Ludwig Nussel 2006-02-07 15:44:52 UTC 
thanks
Comment 25 Ludwig Nussel 2006-02-09 16:33:50 UTC 
all updates released