Michael S Gilbert
2009-Aug-01 06:50 UTC
[Secure-testing-team] patch for CVE-2009-0146, 0147, 0755 in poppler in lenny
hello, i have developed a patch for lenny derived from ubuntu's patches for a set of recent JBIG2 poppler/xpdf issues and an upstream patch for 2009-0755. see attached. here are my notes on the work:

- 2009-0756 already applied (pdf demonstrator did not crash evince with vanilla lenny-security poppler)
- 2009-0755 i applied fixes from upstream patch (ubuntu patch does not contain the fix for this; tested before and after against sample file); also this is apparently just a dos
- 2009-0146/0147 i applied fixes from ubuntu patch
- i also applied a couple additional fixes to use gmallocn from the ubuntu patch, but i couldn't find a reference CVE for these changes

- note that key info for 0146/147/0166 is restricted in embargoed redhat bug https://bugzilla.redhat.com/attachment.cgi?id=336465, can someone who has access to this check to see if anything important is there?
- my best guess is that the fix for 2009-0166 is very likely already applied; i checked against gentoo patch (http://bugs.gentoo.org/attachment.cgi?id=187654) which claims to fix all 0146/0147/0166 and more; all of the changes in their patch were already applied in the previous debian patch for this batch of CVEs

i plan to generate a patch for etch also, but will not have any free time tomorrow. i should be able to get to it on sunday.

mike

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 12_CVE_2009-0146_2009-0147_2009-0755
Type: application/octet-stream
Size: 2261 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090801/b58550a8/attachment.obj>
Michael S. Gilbert
2009-Aug-01 15:37 UTC
[Secure-testing-team] patch for CVE-2009-0146, 0147, 0755 in poppler in lenny
On Sat, 1 Aug 2009 02:50:20 -0400 Michael S Gilbert wrote:

> i have developed a patch for lenny derived from ubuntu's patches for
> a set of recent JBIG2 poppler/xpdf issues and an upstream patch for
> 2009-0755. see attached. here are my notes on the work:
>
> - 2009-0756 already applied (pdf demonstrator did not crash evince
> with vanilla lenny-security poppler)
> - 2009-0755 i applied fixes from upstream patch (ubuntu patch does not
> contain the fix for this; tested before and after against sample
> file); also this is apparently just a dos
> - 2009-0146/0147 i applied fixes from ubuntu patch
> - i also applied a couple additional fixes to use gmallocn from the
> ubuntu patch, but i couldn't find a reference CVE for these changes
>
> - note that key info for 0146/147/0166 is restricted in embargoed
> redhat bug https://bugzilla.redhat.com/attachment.cgi?id=336465, can
> someone who has access to this check to see if anything important is
> there?
> - my best guess is that the fix for 2009-0166 is very likely already
> applied; i checked against gentoo patch
> (http://bugs.gentoo.org/attachment.cgi?id=187654) which claims to fix
> all 0146/0147/0166 and more; all of the changes in their patch were
> already applied in the previous debian patch for this batch of CVEs
>
> i plan to generate a patch for etch also, but will not have any free
> time tomorrow. i should be able to get to it on sunday.

here are my thoughts on this after a night sleeping on it:

- the integer overflow mods in my patch may or may not be for CVE-2009-0146/0147 (even though i said they were in the comments); they address something among the JBIG2 issues
- however those mods bring debian's 0.8.7 poppler code to parity with ubuntu's 0.8.7 poppler (debian's patches lacked four changes that are in ubuntu's patches); wherein they claim CVE-2009-0146/0147/0166 and all the other JBIG2 issues are fixed, but the evidence is non-existent. i've sent a mail asking them about this
- it also brings debian's code to parity with gentoo's wherein they also claim to address all of those CVEs including 0146/0147/0166, but again the evidence does not exist
- i've asked upstream for help, but they have a lot of animosity toward the CVE process (claiming that it's just a way to make money off of bugs). they do not have an answer on whether they've addressed 0146/0147/0166, but they suggested the patch for the other JBIG issues, which is what ubuntu and gentoo derived from.
- i've also asked redhat to unembargo their reports on these issues since they may have some useful info there

my best estimate is that all of the problems are indeed fixed (if my patch is included), but there are some open questions. question is how should i tag this in the tracker? and do you want to issue a DSA, which includes those fixes?

mike