[Secure-testing-team] patch for CVE-2009-0146, 0147, 0755 in poppler in lenny

Michael S. Gilbert michael.s.gilbert at gmail.com
Sat Aug 1 15:37:31 UTC 2009


On Sat, 1 Aug 2009 02:50:20 -0400 Michael S Gilbert wrote:
> i have developed a patch for lenny derived from ubuntu's patches for
> a set of recent JBIG2 poppler/xpdf issues and an upstream patch for
> 2009-0755.  see attached.  here are my notes on the work:
> 
> - 2009-0756 already applied (pdf demonstrator did not crash evince
> with vanilla lenny-security poppler)
> - 2009-0755 i applied fixes from upstream patch (ubuntu patch does not
> contain the fix for this; tested before and after against sample
> file); also this is apparently just a dos
> - 2009-0146/0147 i applied fixes from ubuntu patch
> - i also applied a couple additional fixes to use gmallocn from the
> ubuntu patch, but i couldn't find a reference CVE for these changes
> 
> - note that key info for 0146/147/0166 is restricted in embargoed
> redhat bug https://bugzilla.redhat.com/attachment.cgi?id=336465, can
> someone who has access to this check to see if anything important is
> there?
> - my best guess is that the fix for 2009-0166 is very likely already
> applied; i checked against gentoo patch
> (http://bugs.gentoo.org/attachment.cgi?id=187654) which claims to fix
> all 0146/0147/0166 and more; all of the changes in their patch were
> already applied in the previous debian patch for this batch of CVEs
> 
> i plan to generate a patch for etch also, but will not have any free
> time tomorrow.  i should be able to get to it on sunday.

here are my thoughts on this after a night sleeping on it:

- the integer overflow mods in my patch may or may not be for
CVE-2009-0146/0147 (even though i said they were in the comments);
they address something among the JBIG2 issues
- however those mods bring debian's 0.8.7 poppler code to parity with
ubuntu's 0.8.7 poppler (debian's patches lacked four changes that are
in ubuntu's patches); wherein they claim CVE-2009-0146/0147/0166 and
all the other JBIG2 issues are fixed, but the evidence is
non-existent. i've sent a mail asking them about this
- it also brings debian's code to parity with gentoo's wherein they also
claim to address all of those CVEs including 0146/0147/0166, but again
the evidence does not exist
- i've asked upstream for help, but they have a lot of animosity toward
the CVE process (claiming that it's just a way to make money off of
bugs).  they do not have an answer on whether they've addressed
0146/0147/0166, but they suggested the patch for the other JBIG issues,
which is what ubuntu and gentoo derived from.
- i've also asked redhat to unembargo their reports on these issues
since they may have some useful info there

my best estimate is that all of the problems are indeed fixed (if my
patch is included), but there are some open questions.  question is how
should i tag this in the tracker?  and do you want to issue a DSA,
which includes those fixes?

mike
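The integer-overflow pattern behind the gmallocn changes discussed in this thread, as an added illustration that is not poppler's code or the patch itself: a width-by-height byte count computed in 32 bits wraps to a small value, while an overflow-checked allocator refuses the request. The function names below are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked: the 32-bit product wraps modulo 2^32, so a huge region
 * (constructed JBIG2-style width/height) can yield a small, even zero,
 * allocation that later decoding code writes past. */
static uint32_t naive_size(uint32_t width, uint32_t height)
{
    return width * height;
}

/* Returns 1 when nObjs * objSize cannot be represented in an int. */
static int mult_overflows(int nObjs, int objSize)
{
    if (nObjs < 0 || objSize < 0)
        return 1;
    if (objSize == 0)
        return 0;
    return nObjs > INT_MAX / objSize;
}

/* Hypothetical overflow-checked allocator in the spirit of gmallocn:
 * refuse the request instead of allocating a wrapped size. */
static void *checked_mallocn(int nObjs, int objSize)
{
    if (mult_overflows(nObjs, objSize))
        return NULL;
    return malloc((size_t)nObjs * (size_t)objSize);
}

/* 1 if the checked allocation succeeds, 0 if it is refused. */
static int alloc_succeeds(int nObjs, int objSize)
{
    void *p = checked_mallocn(nObjs, objSize);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    /* 65536 * 65536 = 2^32, which wraps to 0 in 32-bit arithmetic. */
    printf("naive size: %u bytes\n", (unsigned)naive_size(65536u, 65536u));
    printf("checked alloc: %s\n",
           alloc_succeeds(65536, 65536) ? "succeeded" : "refused");
    return 0;
}
```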


