On 16/09/2013 19:12, Pino Toscano wrote:
> forwarded 722705 https://bugs.freedesktop.org/show_bug.cgi?id=26280
> fixed 722705 poppler/0.16.3-1
> thanks
>
> Hi,
>
> On Friday 13 September 2013 16:23:11, you wrote:
>
>> Package: libpoppler5
>> Version: 0.12.4-1.2+squeeze3
>> Severity: important
>>
>> In DCTStream.cc::init(), when initializing a jpeg stream, a custom
>> error_exit handler is set.
>> According to libjpeg's documentation, this handler should not return
>> to the caller.
>> (cf.
>> http://www.opensource.apple.com/source/tcl/tcl-87/tcl_ext/tkimg/tkimg/libjpeg/libjpeg.doc ; "Error Handling")
>> The custom handler (exitErrorHandler) does return to the caller.
>>
> This is true, and it has been fixed upstream with the rework of the
> error handling with:
> - fc071d8 [1] (poppler 0.13.3+) -- that is the main change
> - 301352e [2] (0.17.0+, backported to 0.16.1 as 7bcf4e1 [3])
> - 42c1b1c [4] (0.17.2+)
> - 70e6af4 [5] (0.23.0+)
>
> Most of those are part of 0.18.4 as shipped in stable, which seems safe
> ([5] does not seem critical enough).
>
> Regarding oldstable: yes, the problem is there, but applying the patches
> needed (even if just [1], which is the core of the "refactoring")
> basically breaks the ABI (DCTStream changes size, so may cause troubles
> to applications linking directly to the private libpoppler), and this is
> basically a no-go for oldstable.
>
> [1] fc071d800cb4329a3ccf898d7bf16b4db7323ad8
> [2] 301352e5585d4ab6e7b609b4ab79b4d8b8656092
> [3] 7bcf4e1f050c16e7a72ca633589602b252ab46cc
> [4] 42c1b1c4af6b07f488d1b2b02a4700f19b0ab0ef
> [5] 70e6af4739d2eea58e6f3200a8c9467597a12ae5
>
>
>> This induces several vulnerabilities in jpeg handling, and at least
>> one of these can be exploited to run arbitrary code (for example in
>> evince, when it's not compiled as PIE, as in debian 6)
>>
> Do you have any pointers to CVEs related to this issue, or possible
> exploits because of this mishandling?
>
> Thanks,

Hi,

It seems that there has been no CVE about this patch. Though the bug is exploitable in oldstable. The patch should be applied.
Thanks,
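The libjpeg contract the report cites (an error_exit handler must not return to the library) and what goes wrong when it does, as an added example that is not code from the poster, from poppler or from libjpeg. The error manager struct and the toy decoder are constructed stand-ins so the example builds without libjpeg; the setjmp/longjmp idiom is the one libjpeg.doc's "Error Handling" section describes.

```c
#include <setjmp.h>
#include <stddef.h>

/* Constructed stand-in for libjpeg's struct jpeg_error_mgr, so the example
 * builds and runs without libjpeg installed. Only error_exit matters here. */
struct err_mgr {
    void (*error_exit)(struct err_mgr *err);
};

/* Extended manager in the style libjpeg.doc recommends: the public struct
 * comes first, followed by a jmp_buf owned by the code driving the decoder. */
struct my_err_mgr {
    struct err_mgr pub;
    jmp_buf setjmp_buffer;
};

enum { DECODE_OK = 0, DECODE_ABORTED = 1, DECODE_RAN_PAST_FATAL = 2 };

/* The defect described in the report: the handler simply returns. */
static void returning_error_exit(struct err_mgr *err) { (void)err; }

/* Correct handler: it never returns to the library, it unwinds instead. */
static void longjmp_error_exit(struct err_mgr *err) {
    struct my_err_mgr *me = (struct my_err_mgr *)err;  /* pub is first member */
    longjmp(me->setjmp_buffer, 1);
}

/* Toy decoder standing in for libjpeg. It treats a missing SOI marker
 * (FF D8) as fatal and, exactly like libjpeg, assumes error_exit will not
 * come back; the code after the call was written for a valid stream only. */
static int toy_decode(struct err_mgr *err, const unsigned char *d, size_t n) {
    if (n < 2 || d[0] != 0xFF || d[1] != 0xD8) {
        err->error_exit(err);
        /* libjpeg has no guard here: with a returning handler it keeps
         * decoding with state that was never initialised for this input. */
        return DECODE_RAN_PAST_FATAL;
    }
    return DECODE_OK;
}

/* Runs toy_decode under the chosen handler and reports how it ended. */
int decode_with_handler(int use_longjmp, const unsigned char *d, size_t n) {
    struct my_err_mgr jerr;
    jerr.pub.error_exit = use_longjmp ? longjmp_error_exit : returning_error_exit;
    if (setjmp(jerr.setjmp_buffer))
        return DECODE_ABORTED;            /* reached only through longjmp */
    return toy_decode(&jerr.pub, d, n);
}

/* Constructed sample inputs: a valid JPEG prefix and a non-JPEG header. */
static const unsigned char GOOD_JPEG_HEAD[] = { 0xFF, 0xD8, 0xFF, 0xE0 };
static const unsigned char NOT_A_JPEG[] = { 'G', 'I', 'F', '8' };
```

With the returning handler the decoder reports DECODE_RAN_PAST_FATAL on bad input, which is the control flow behind the report; with the longjmp handler the same input ends in DECODE_ABORTED at the caller.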