what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Open Source CERT Security Advisory 2009.16

Open Source CERT Security Advisory 2009.16
Posted Oct 23, 2009
Authored by Will Drewry, Open Source CERT | Site ocert.org

Both the Poppler and Xpdf projects are vulnerable to an integer overflow during heap memory allocation when processing a PDF file. In general, this results in unexpected process termination. If an application using this code is multi-threaded (or uses a crash signal handler), it may be possible to execute arbitrary code. Poppler versions below 0.12.1 are affected. Xpdf versions below 3.02p14 are affected.

tags | advisory, overflow, arbitrary
advisories | CVE-2009-3608
SHA-256 | aafbc29fb69700ddfede45739b89f53ecdd9feddad2b8b638abff600d022e08b

Open Source CERT Security Advisory 2009.16

Change Mirror Download
#2009-016 Poppler, Xpdf integer overflows during heap allocation

Description:

Poppler and Xpdf are two popular open source projects for processing PDF
files. Both projects are vulnerable to an integer overflow during heap
memory allocation when processing a PDF file. In general, this results
in unexpected process termination. If an application using this code is
multi-threaded (or uses a crash signal handler), it may be possible to
execute arbitrary code.

The vulnerability resides in the object stream handler. In particular,
a multiplicative overflow occurs when a large number of embedded objects
are specified. An overflow check was in place in the code, but it only
protected related calls to gmalloc(). The C++ object array allocation
code (new[]) is not guarded by the upper bound check and the call to
new[] does not result in an exception with gcc. This results in bytes
being written after the valid heap allocation during object
construction.

Both software packages have released fixed versions which limit the allowed
object count to a domain specific value.

A detailed analysis by the reporter can be found in the References.


Affected version:

Poppler < 0.12.1

Xpdf < 3.02pl4


Fixed version:

Poppler >= 0.12.1

Xpdf >= 3.02pl4


Credit: vulnerability report and PoC received from
Chris Rohlf <chris.rohlf@gmail.com>.


CVE: CVE-2009-3608


Timeline:

2009-09-04: vulnerability report received
2009-09-17: proof of concept received from reporter
2009-09-21: impact reviewed
2009-09-29: contacted poppler maintainer
2009-09-29: vendor-sec notified
2009-09-30: vendor-sec discussion expanded to include xpdf maintainer
2009-10-02: final fix agreed upon by both maintainers
2009-10-12: CVE assigned by Tomas Hoger of RedHat
2009-10-14: fixed Xpdf released
2009-10-18: fixed Poppler released
2009-10-21: advisory published


References:
http://poppler.freedesktop.org/
http://www.foolabs.com/xpdf/CHANGES
http://chargen.matasano.com/chargen/2009/10/9/a-c-challenge.html
http://chargen.matasano.com/chargen/2009/10/15/a-c-challenge-the-conclusion.html
http://sites.google.com/site/em386cr/Home/CVE-2009-3608-explained.txt
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=19351


Permalink:
http://www.ocert.org/advisories/ocert-2009-016.html

--
Will Drewry <redpig@ocert.org>
http://ocert.org
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close