The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Multiple Vendor xpdf PDF Viewer Buffer Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
Xpdf is "an open-source viewer for Portable Document Format (PDF) files".
Remote exploitation of a buffer overflow vulnerability in the xpdf PDF
viewer, as included in multiple Linux distributions, could allow attackers
to execute arbitrary code as the user viewing a PDF file.
DETAILS
Vulnerable Systems:
* xpdf version 3.00
Immune Systems:
* xpdf version 3.00pl2
The offending code can be found in the Gfx::doImage() function in the
source file xpdf/Gfx.cc.
void Gfx::doImage(Object *ref, Stream *str, GBool inlineImg) {
Dict *dict;
int width, height;
int bits;
GBool mask;
GBool invert;
GfxColorSpace *colorSpace;
GfxImageColorMap *colorMap;
Object maskObj;
GBool haveMask;
int maskColors[2*gfxColorMaxComps];
Object obj1, obj2;
int i;
...
// get the mask
haveMask = gFalse;
dict->lookup("Mask", &maskObj);
if (maskObj.isArray()) {
for (i = 0; i < maskObj.arrayGetLength(); ++i) {
maskObj.arrayGet(i, &obj1);
[!] maskColors[i] = obj1.getInt();
obj1.free();
}
haveMask = gTrue;
}
...
}
Due to the fact that the loop boundaries are not less than the storage
area, the maskColors array is eventually filled up. After that, local
variables and other stack memory is overwritten. This ultimately leads to
control of program flow and arbitrary code execution.
Analysis:
The severity of this issue is mitigated by the fact that several of the
local overwritten variables in doImage() are referenced prior to EIP being
restored; therefore, before the attack gains control of the target
process. However, an attacker with knowledge of the remote operating
system can construct and validate a malicious payload before attempting
exploitation, thus increasing the chances of success. An attacker must
convince a target user to open the malicious file to exploit this
vulnerability.
Vendor response:
A patch to address this vulnerability is available from:
<ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl2.patch>
ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl2.patch
Updated binaries (version 3.00pl2) are available from:
<http://www.foolabs.com/xpdf/download.html>
http://www.foolabs.com/xpdf/download.html
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1125>
CAN-2004-1125
Disclosure timeline:
11/23/2004 - Initial vendor notification
11/29/2004 - Initial vendor response
12/21/2004 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com> iDEFENSE.
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=172&type=vulnerabilities>
http://www.idefense.com/application/poi/display?id=172&type=vulnerabilities
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
