forwarded 722705 https://bugs.freedesktop.org/show_bug.cgi?id=26280
fixed 722705 poppler/0.16.3-1
thanks
Hi,

On Friday 13 September 2013 16:23:11, you wrote:
> Package: libpoppler5
> Version: 0.12.4-1.2+squeeze3
> Severity: important
>
> In DCTStream.cc::init(), when initializing a jpeg stream, a custom
> error_exit handler is set.
> According to libjpeg's documentation, this handler should not return
> to the caller.
> (cf. http://www.opensource.apple.com/source/tcl/tcl-87/tcl_ext/tkimg/tkimg/libjpeg/libjpeg.doc ; "Error Handling")
> The custom handler (exitErrorHandler) does return to the caller.

This is true, and it has been fixed upstream with the rework of the error handling with:
- fc071d8 [1] (poppler 0.13.3+) -- that is the main change
- 301352e [2] (0.17.0+, backported to 0.16.1 as 7bcf4e1 [3])
- 42c1b1c [4] (0.17.2+)
- 70e6af4 [5] (0.23.0+)

Most of those are part of 0.18.4 as shipped in stable, which seems safe ([5] does not seem critical enough).

Regarding oldstable: yes, the problem is there, but applying the patches needed (even if just [1], which is the core of the "refactoring") basically breaks the ABI (DCTStream changes size, so may cause troubles to applications linking directly to the private libpoppler), and this is basically a no-go for oldstable.

[1] fc071d800cb4329a3ccf898d7bf16b4db7323ad8
[2] 301352e5585d4ab6e7b609b4ab79b4d8b8656092
[3] 7bcf4e1f050c16e7a72ca633589602b252ab46cc
[4] 42c1b1c4af6b07f488d1b2b02a4700f19b0ab0ef
[5] 70e6af4739d2eea58e6f3200a8c9467597a12ae5

> This induces several vulnerabilities in jpeg handling, and at least
> one of these can be exploited to run arbitrary code (for example in
> evince, when it's not compiled as PIE, as in debian 6)

Do you have any pointers to CVEs related to this issue, or possible exploits because of this mishandling?

Thanks,
--
Pino Toscano
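The error_exit contract the report refers to, as an added illustration that is not code from poppler or libjpeg: a handler that returns lets the decoder keep running on header state it never produced, while the setjmp/longjmp handler that libjpeg's "Error Handling" documentation describes unwinds straight back to the caller. The decoder below is a constructed stand-in that only checks the JPEG SOI marker, so it builds without libjpeg; with the real library the same handler goes in a struct whose first member is `struct jpeg_error_mgr`, as libjpeg's example.c does.

```c
#include <setjmp.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for libjpeg's jpeg_error_mgr (constructed for this example). The
 * decoder calls error_exit on a fatal error and expects it never to return. */
struct error_mgr {
    void (*error_exit)(struct error_mgr *err);
    jmp_buf setjmp_buffer;      /* used only by the longjmp-based handler */
    int continued_after_error;  /* set if the decoder ran past a fatal error */
};

/* Stand-in decoder: accepts only a buffer starting with the SOI marker FF D8.
 * If error_exit returns, control falls through to the line after the call and
 * the decoder carries on as if a header had been parsed, which is the shape of
 * the DCTStream problem described in the report. */
static int decode_header(struct error_mgr *err, const unsigned char *buf, size_t len)
{
    int valid = 0;
    if (len >= 2 && buf[0] == 0xFF && buf[1] == 0xD8)
        valid = 1;
    else
        err->error_exit(err);            /* per the contract, must not come back */
    err->continued_after_error = !valid; /* reachable only if the handler returned */
    return valid;
}

/* Buggy handler: returns to the caller, contrary to the libjpeg contract. */
static void returning_error_exit(struct error_mgr *err) { (void)err; }

/* Correct handler: unwind to the setjmp in the caller; nothing below the
 * failing call ever executes. */
static void longjmp_error_exit(struct error_mgr *err)
{
    longjmp(err->setjmp_buffer, 1);
}

/* Returns 1 if the decoder executed past the fatal error, 0 otherwise. */
static int run_decoder(void (*handler)(struct error_mgr *), const unsigned char *buf, size_t len)
{
    struct error_mgr err;
    memset(&err, 0, sizeof err);
    err.error_exit = handler;
    if (setjmp(err.setjmp_buffer))
        return 0;                        /* arrived via longjmp: decoder state abandoned */
    decode_header(&err, buf, len);
    return err.continued_after_error;
}
```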