Hi, 

since this bug has been open for quite a while, I'm currently preparing
an NMU for this bug, using the attached patch.  I'm going to upload it
without a delay.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer

diff -Nur poppler-0.4.2/debian/changelog poppler-0.4.2.new/debian/changelog
--- poppler-0.4.2/debian/changelog	2005-12-23 16:48:41.997756352 +0100
+++ poppler-0.4.2.new/debian/changelog	2005-12-23 16:48:21.697842408 +0100
@@ -1,3 +1,26 @@
+poppler (0.4.2-1.1) unstable; urgency=high
+
+  * SECURITY UPDATE: Multiple integer/buffer overflows.
+
+  * NMU to fix RC security bug (closes: #342288)
+  * Add debian/patches/04_CVE-2005-3191_2_3.patch taken from Ubuntu,
+    thanks to Martin Pitt:
+  * poppler/Stream.cc, DCTStream::readBaselineSOF(),
+    DCTStream::readProgressiveSOF(), DCTStream::readScanInfo():
+    - Check numComps for invalid values.
+    - http://www.idefense.com/application/poi/display?id=342&type=vulnerabilities
+    - CVE-2005-3191
+  * poppler/Stream.cc, StreamPredictor::StreamPredictor():
+    - Check rowBytes for invalid values.
+    - http://www.idefense.com/application/poi/display?id=344&type=vulnerabilities
+    - CVE-2005-3192
+   * poppler/JPXStream.cc, JPXStream::readCodestream():
+     - Check img.nXTiles * img.nYTiles for integer overflow.
+     - http://www.idefense.com/application/poi/display?id=345&type=vulnerabilities
+     - CVE-2005-3193
+
+ -- Frank Küster <[EMAIL PROTECTED]>  Fri, 23 Dec 2005 16:36:30 +0100
+
 poppler (0.4.2-1) unstable; urgency=low
 
   * GNOME Team upload.
diff -Nur poppler-0.4.2/debian/patches/04_CVE-2005-3191_2_3.patch poppler-0.4.2.new/debian/patches/04_CVE-2005-3191_2_3.patch
--- poppler-0.4.2/debian/patches/04_CVE-2005-3191_2_3.patch	1970-01-01 01:00:00.000000000 +0100
+++ poppler-0.4.2.new/debian/patches/04_CVE-2005-3191_2_3.patch	2005-12-23 16:15:37.000000000 +0100
@@ -0,0 +1,156 @@
+diff -Nur poppler-0.4.2/poppler/JPXStream.cc poppler-0.4.2.new/poppler/JPXStream.cc
+--- poppler-0.4.2/poppler/JPXStream.cc	2005-03-03 20:46:03.000000000 +0100
++++ poppler-0.4.2.new/poppler/JPXStream.cc	2005-12-09 17:41:42.000000000 +0100
+@@ -7,6 +7,7 @@
+ //========================================================================
+ 
+ #include <config.h>
++#include <limits.h>
+ 
+ #ifdef USE_GCC_PRAGMAS
+ #pragma implementation
+@@ -666,7 +667,7 @@
+   int segType;
+   GBool haveSIZ, haveCOD, haveQCD, haveSOT;
+   Guint precinctSize, style;
+-  Guint segLen, capabilities, comp, i, j, r;
++  Guint segLen, capabilities, nTiles, comp, i, j, r;
+ 
+   //----- main header
+   haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
+@@ -701,8 +702,18 @@
+ 	            / img.xTileSize;
+       img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
+ 	            / img.yTileSize;
+-      img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
+-				     sizeof(JPXTile));
++      // check for overflow before allocating memory
++      if (img.nXTiles <= 0 || img.nYTiles <= 0 ||
++              img.nXTiles >= INT_MAX/img.nYTiles) {
++          error(getPos(), "Bad tile count in JPX SIZ marker segment");
++          return gFalse;
++      }
++      nTiles = img.nXTiles * img.nYTiles;
++      if (nTiles >= INT_MAX/sizeof(JPXTile)) {
++       error(getPos(), "Bad tile count in JPX SIZ marker segment");
++       return gFalse;
++      }
++      img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
+       for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
+ 	img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
+ 							sizeof(JPXTileComp));
+diff -Nur poppler-0.4.2/poppler/Stream.cc poppler-0.4.2.new/poppler/Stream.cc
+--- poppler-0.4.2/poppler/Stream.cc	2005-04-27 22:56:18.000000000 +0200
++++ poppler-0.4.2.new/poppler/Stream.cc	2005-12-09 17:40:53.000000000 +0100
+@@ -15,6 +15,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <stddef.h>
++#include <limits.h>
+ #ifndef WIN32
+ #include <unistd.h>
+ #endif
+@@ -420,13 +421,28 @@
+   width = widthA;
+   nComps = nCompsA;
+   nBits = nBitsA;
++  predLine = NULL;
++  ok = gFalse;
+ 
++  if (width <= 0 || nComps <= 0 || nBits <= 0 ||
++      nComps >= INT_MAX/nBits ||
++      width >= INT_MAX/nComps/nBits) {
++    return;
++  }
+   nVals = width * nComps;
++  if (nVals * nBits + 7 <= 0) {
++    return;
++  }
+   pixBytes = (nComps * nBits + 7) >> 3;
+   rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
++  if (rowBytes < 0) {
++    return;
++  }
+   predLine = (Guchar *)gmalloc(rowBytes);
+   memset(predLine, 0, rowBytes);
+   predIdx = rowBytes;
++
++  ok = gTrue;
+ }
+ 
+ StreamPredictor::~StreamPredictor() {
+@@ -1020,6 +1036,10 @@
+     FilterStream(strA) {
+   if (predictor != 1) {
+     pred = new StreamPredictor(this, predictor, columns, colors, bits);
++    if (!pred->isOk()) {
++      delete pred;
++      pred = NULL;
++    }
+   } else {
+     pred = NULL;
+   }
+@@ -2907,6 +2927,10 @@
+   height = read16();
+   width = read16();
+   numComps = str->getChar();
++  if (numComps <= 0 || numComps > 4) {
++    error(getPos(), "Bad number of components in DCT stream", prec);
++    return gFalse;
++  }
+   if (prec != 8) {
+     error(getPos(), "Bad DCT precision %d", prec);
+     return gFalse;
+@@ -2933,6 +2957,10 @@
+   height = read16();
+   width = read16();
+   numComps = str->getChar();
++  if (numComps <= 0 || numComps > 4) {
++    error(getPos(), "Bad number of components in DCT stream", prec);
++    return gFalse;
++  }
+   if (prec != 8) {
+     error(getPos(), "Bad DCT precision %d", prec);
+     return gFalse;
+@@ -2955,6 +2983,10 @@
+ 
+   length = read16() - 2;
+   scanInfo.numComps = str->getChar();
++  if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
++    error(getPos(), "Bad number of components in DCT stream");
++    return gFalse;
++  }
+   --length;
+   if (length != 2 * scanInfo.numComps + 3) {
+     error(getPos(), "Bad DCT scan info block");
+@@ -3268,6 +3300,10 @@
+     FilterStream(strA) {
+   if (predictor != 1) {
+     pred = new StreamPredictor(this, predictor, columns, colors, bits);
++    if (!pred->isOk()) {
++      delete pred;
++      pred = NULL;
++    }
+   } else {
+     pred = NULL;
+   }
+diff -Nur poppler-0.4.2/poppler/Stream.h poppler-0.4.2.new/poppler/Stream.h
+--- poppler-0.4.2/poppler/Stream.h	2005-04-27 22:56:18.000000000 +0200
++++ poppler-0.4.2.new/poppler/Stream.h	2005-12-09 17:40:53.000000000 +0100
+@@ -231,6 +231,8 @@
+ 
+   ~StreamPredictor();
+ 
++  GBool isOk() { return ok; }
++
+   int lookChar();
+   int getChar();
+ 
+@@ -248,6 +250,7 @@
+   int rowBytes;			// bytes per line
+   Guchar *predLine;		// line buffer
+   int predIdx;			// current index in predLine
++  GBool ok;
+ };
+ 
+ //------------------------------------------------------------------------
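Review bot: The overflow guard `if (nVals * nBits + 7 <= 0)` in the StreamPredictor constructor relies on signed wraparound to detect the case it is meant to catch: the preceding check only guarantees width*nComps*nBits stays below INT_MAX, so with nComps and nBits both 1 and width within 7 of INT_MAX the `+ 7` itself overflows an int, which is undefined behaviour and a compiler may fold the comparison to false. Test the bound before the multiplication instead, e.g. `if (nVals > (INT_MAX - 7) / nBits) return;`, leaving the later `rowBytes < 0` check as a belt-and-braces backstop. Separately, both SOF checks pass a stray `prec` argument to `error(getPos(), "Bad number of components in DCT stream", prec)` with no matching conversion in the format string, while the readScanInfo copy does not; either drop it or report the rejected value, `error(getPos(), "Bad number of components %d in DCT stream", numComps);`. The StreamPredictor constructor's signature and the tails of the SOF/scan-info readers lie outside this hunk.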
