安全研究
安全漏洞
多家厂商xpdf JPX流阅读器堆溢出漏洞
发布日期:2005-12-06
更新日期:2005-12-06
受影响系统:
Xpdf Xpdf <= 3.01不受影响系统:
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Enterprise Linux AS 4
RedHat Enterprise Linux AS 3
RedHat Enterprise Linux AS 2.1 IA64
RedHat Enterprise Linux AS 2.1
RedHat Desktop 4.0
RedHat Desktop 3.0
Xpdf Xpdf 3.01pl1描述:
BUGTRAQ ID: 15721
CVE(CAN) ID: CAN-2005-3193
Xpdf是便携文档格式(PDF)文件的开放源码浏览器。
多家厂商软件版本所捆绑的xpdf中存在堆溢出漏洞。
用于解码嵌入JPEG 2000图形的JPX流解析代码没有充分的验证用户输入。xpdf/JPXStream.cc的JPXStream::readCodestream函数从PDF文件的用户可控数据读取nXTiles的值,然后在gmallocn()调用中使用nXTiles和nYTiles值,如下所示:
GBool JPXStream::readCodestream(Guint len) {
...
switch (segType) {
case 0x4f: // SOC - start of codestream
// marker only
break;
case 0x51: // SIZ - image and tile size
if (!readUWord(&capabilities) ||
!readULong(&img.xSize) ||
!readULong(&img.ySize) ||
!readULong(&img.xOffset) ||
!readULong(&img.yOffset) ||
!readULong(&img.xTileSize) ||
!readULong(&img.yTileSize) ||
!readULong(&img.xTileOffset) ||
!readULong(&img.yTileOffset) ||
!readUWord(&img.nComps)) {
error(getPos(), "Error in JPX SIZ marker segment");
return gFalse;
}
...
img.nXTiles = (img.xSize - img.xTileOffset + img.xTileSize - 1) /
img.xTileSize;
img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1) /
img.yTileSize;
img.tiles = (JPXTile *)gmallocn(img.nXTiles * img.nYTiles,
sizeof(JPXTile));
然后在JPEG格式解析代码中再次使用了这些值将文件数据拷贝到堆中预先分配的缓冲区。提供给nXTiles和nYTiles的过大值会破坏堆内存,导致拒绝服务或执行任意代码。
<*来源:infamous41md (infamous41md@hotpop.com)
链接:http://lwn.net/Alerts/162881/?format=printable
http://www.idefense.com/application/poi/display?id=345&type=vulnerabilities
*>
建议:
厂商补丁:
RedHat
------
RedHat已经为此发布了一个安全公告(RHSA-2005:840-01)以及相应补丁:
RHSA-2005:840-01:Important: xpdf security update
链接:http://lwn.net/Alerts/162881/?format=printable
补丁下载:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/xpd...
7a1ec5ee2b0e182671178e129d23d02f xpdf-0.92-16.src.rpm
i386:
631fd9d85e54b843f39cfece3c96e299 xpdf-0.92-16.i386.rpm
ia64:
bd83cdfddc43521d6877fef706fda973 xpdf-0.92-16.ia64.rpm
Red Hat Linux Advanced Workstation 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/xpd...
7a1ec5ee2b0e182671178e129d23d02f xpdf-0.92-16.src.rpm
ia64:
bd83cdfddc43521d6877fef706fda973 xpdf-0.92-16.ia64.rpm
Red Hat Enterprise Linux ES version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/xpd...
7a1ec5ee2b0e182671178e129d23d02f xpdf-0.92-16.src.rpm
i386:
631fd9d85e54b843f39cfece3c96e299 xpdf-0.92-16.i386.rpm
Red Hat Enterprise Linux WS version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/xpd...
7a1ec5ee2b0e182671178e129d23d02f xpdf-0.92-16.src.rpm
i386:
631fd9d85e54b843f39cfece3c96e299 xpdf-0.92-16.i386.rpm
Red Hat Enterprise Linux AS version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/xpdf-...
2faf50967ceb94d897d52eb9c29429c3 xpdf-2.02-9.7.src.rpm
i386:
e5ec318a045404236d7515c512c52e18 xpdf-2.02-9.7.i386.rpm
ia64:
1dc462b0bfeb0a11a608d2de041adafd xpdf-2.02-9.7.ia64.rpm
ppc:
0d98945bc02703d08dbf833d0e1787aa xpdf-2.02-9.7.ppc.rpm
s390:
3cb519b83be112558603623fee44c528 xpdf-2.02-9.7.s390.rpm
s390x:
eac98a768aa2c0b25af4d102ff1569b8 xpdf-2.02-9.7.s390x.rpm
x86_64:
a6e7d4a9449af1f6147b094497aa33b9 xpdf-2.02-9.7.x86_64.rpm
Red Hat Desktop version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/...
2faf50967ceb94d897d52eb9c29429c3 xpdf-2.02-9.7.src.rpm
i386:
e5ec318a045404236d7515c512c52e18 xpdf-2.02-9.7.i386.rpm
x86_64:
a6e7d4a9449af1f6147b094497aa33b9 xpdf-2.02-9.7.x86_64.rpm
Red Hat Enterprise Linux ES version 3:
SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/xpdf-...
2faf50967ceb94d897d52eb9c29429c3 xpdf-2.02-9.7.src.rpm
i386:
e5ec318a045404236d7515c512c52e18 xpdf-2.02-9.7.i386.rpm
ia64:
1dc462b0bfeb0a11a608d2de041adafd xpdf-2.02-9.7.ia64.rpm
x86_64:
a6e7d4a9449af1f6147b094497aa33b9 xpdf-2.02-9.7.x86_64.rpm
Red Hat Enterprise Linux WS version 3:
SRPMS:
ftp://updates.redhat.com/enterpr
可使用下列命令安装补丁:
rpm -Fvh [文件名]
Xpdf
----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.01pl1.patch
http://www.foolabs.com/xpdf/download.html
浏览次数:4109
严重程度:0(网友投票)
绿盟科技给您安全的保障