多家厂商xpdf DCTStream Baseline堆溢出漏洞

发布日期：2005-12-06
更新日期：2005-12-06

受影响系统：

Xpdf Xpdf <= 3.01
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Enterprise Linux AS 4
RedHat Enterprise Linux AS 3
RedHat Enterprise Linux AS 2.1 IA64
RedHat Enterprise Linux AS 2.1
RedHat Desktop 4.0
RedHat Desktop 3.0

不受影响系统：

Xpdf Xpdf 3.01pl1

描述：

---

BUGTRAQ ID: 15727
CVE(CAN) ID: CAN-2005-3191

Xpdf是便携文档格式（PDF）文件的开放源码浏览器。

多家厂商软件版本所捆绑的xpdf中存在堆溢出漏洞。

DCT流解析代码没有充分的验证用户输入。xpdf/Stream.cc的DCTStream::readBaselineSOF函数从PDF文件的用户可控数据中读取numComps的值，然后在循环中使用该值将数据拷贝到预先分配的堆缓冲区中，如下所示：

GBool DCTStream::readBaselineSOF() {
...
numComps = str->getChar();
...
for (i = 0; i < numComps; i) {
compInfo[i].id = str->getChar();
c = str->getChar();
compInfo[i].hSample = (c >> 4) & 0x0f;
compInfo[i].vSample = c & 0x0f;
compInfo[i].quantTable = str->getChar();
}
...

向numComps提供过大的值就可以导致破坏堆内存。成功利用这个漏洞的攻击者可以导致拒绝服务或执行任意代码。

<*来源：infamous41md （infamous41md@hotpop.com）

链接：http://www.idefense.com/application/poi/display?id=342&type=vulnerabilities
http://lwn.net/Alerts/162881/?format=printable
*>

建议：

---

厂商补丁：

RedHat
------
RedHat已经为此发布了一个安全公告（RHSA-2005:840-01）以及相应补丁:
RHSA-2005:840-01：Important: xpdf security update
链接：http://lwn.net/Alerts/162881/?format=printable

补丁下载：

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/xpd...
7a1ec5ee2b0e182671178e129d23d02f xpdf-0.92-16.src.rpm

i386:
631fd9d85e54b843f39cfece3c96e299 xpdf-0.92-16.i386.rpm

ia64:
bd83cdfddc43521d6877fef706fda973 xpdf-0.92-16.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/xpd...
7a1ec5ee2b0e182671178e129d23d02f xpdf-0.92-16.src.rpm

ia64:
bd83cdfddc43521d6877fef706fda973 xpdf-0.92-16.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/xpd...
7a1ec5ee2b0e182671178e129d23d02f xpdf-0.92-16.src.rpm

i386:
631fd9d85e54b843f39cfece3c96e299 xpdf-0.92-16.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/xpd...
7a1ec5ee2b0e182671178e129d23d02f xpdf-0.92-16.src.rpm

i386:
631fd9d85e54b843f39cfece3c96e299 xpdf-0.92-16.i386.rpm

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/xpdf-...
2faf50967ceb94d897d52eb9c29429c3 xpdf-2.02-9.7.src.rpm

i386:
e5ec318a045404236d7515c512c52e18 xpdf-2.02-9.7.i386.rpm

ia64:
1dc462b0bfeb0a11a608d2de041adafd xpdf-2.02-9.7.ia64.rpm

ppc:
0d98945bc02703d08dbf833d0e1787aa xpdf-2.02-9.7.ppc.rpm

s390:
3cb519b83be112558603623fee44c528 xpdf-2.02-9.7.s390.rpm

s390x:
eac98a768aa2c0b25af4d102ff1569b8 xpdf-2.02-9.7.s390x.rpm

x86_64:
a6e7d4a9449af1f6147b094497aa33b9 xpdf-2.02-9.7.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/...
2faf50967ceb94d897d52eb9c29429c3 xpdf-2.02-9.7.src.rpm

i386:
e5ec318a045404236d7515c512c52e18 xpdf-2.02-9.7.i386.rpm

x86_64:
a6e7d4a9449af1f6147b094497aa33b9 xpdf-2.02-9.7.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/xpdf-...
2faf50967ceb94d897d52eb9c29429c3 xpdf-2.02-9.7.src.rpm

i386:
e5ec318a045404236d7515c512c52e18 xpdf-2.02-9.7.i386.rpm

ia64:
1dc462b0bfeb0a11a608d2de041adafd xpdf-2.02-9.7.ia64.rpm

x86_64:
a6e7d4a9449af1f6147b094497aa33b9 xpdf-2.02-9.7.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

标签：

版权申明：本站文章部分自网络，如有侵权，请联系：west999com@outlook.com
特别注意：本站所有转载文章言论不代表本站观点，本站所提供的摄影照片，插画，设计作品，如需使用，请与原作者联系，版权归原作者所有