Bug#684243: poppler code embedded in luatex and possibly may be out of date and vulnerable
Package: luatex
Severity: important
Tags: security
I have
been working on a tool called Clonewise to automatically identify
embedded code copies in Debian packages and determine if they are out of
date and vulnerable. Ideally, embedding code and libraries should be
avoided and a system wide library should be used instead.
I recently ran the tool on Debian 6 stable. The results are here at http://www.foocodechu.com/downloads/Clonewise-report.txt
The luatex package reported potential issues appended to this message.
The
analysis tries to justify why it believes a library or code is embedded
in the package and if the relationship is not already being tracked by
Debian in the embedded-code-copies database it shows the files that are
shared between the two pieces of software.
Apologies if these are false positives. Your help in advising me on
whether these issues are real will help me improve the analysis for the
future.
--
Silvio Cesare
Deakin University
### Summary:
###
poppler CLONED_IN_SOURCE luatex <unfixed> CVE-2010-3703
### Reports by package:
###
# Package luatex may be vulnerable to the following issues:
#
CVE-2010-3703
# SUMMARY: The PostScriptFunction::PostScriptFunction function in poppler/Function.cc in the PDF parser in poppler 0.8.7 and possibly other versions up to 0.15.1, and possibly other products, allows context-dependent attackers to cause a denial of service (crash) via a PDF file that triggers an uninitialized pointer dereference.
#
# CVE-2010-3703 relates to a vulnerability in package poppler.
# The following source filenames are likely responsible:
# function.c
#
# The following package clones are NOT tracked in the embedded-code-copies
# database.
#
poppler CLONED_IN_SOURCE luatex <unfixed> CVE-2010-3703
MATCH abstractinfodock.c/abstractinfodock.c (9.117128)
MATCH abwoutputdev.c/abwoutputdev.c (9.117128)
MATCH annot.c/annot.c (7.245326)
MATCH array.c/array.c (4.826669)
MATCH arthuroutputdev.c/arthuroutputdev.c (9.117128)
MATCH attachments.c/attachments.c (7.864365)
MATCH builtinfont.c/builtinfont.c (8.200837)
MATCH builtinfonttables.c/builtinfonttables.c (8.200837)
MATCH cairofontengine.c/cairofontengine.c (9.117128)
MATCH cairooutputdev.c/cairooutputdev.c (9.117128)
MATCH catalog.c/catalog.c (6.254927)
MATCH charcodetounicode.c/charcodetounicode.c (8.200837)
MATCH checkactualtext.c/checkactualtext.c (9.117128)
MATCH checkattachments.c/checkattachments.c (9.117128)
MATCH checkdateconversion.c/checkdateconversion.c (9.117128)
MATCH checkfonts.c/checkfonts.c (9.117128)
MATCH checklinks.c/checklinks.c (8.711663)
MATCH checkmetadata.c/checkmetadata.c (9.117128)
MATCH checkoptcontent.c/checkoptcontent.c (9.117128)
MATCH checkpagelayout.c/checkpagelayout.c (9.117128)
MATCH checkpagemode.c/checkpagemode.c (9.117128)
MATCH checkpassword.c/checkpassword.c (8.200837)
MATCH checkpermissions.c/checkpermissions.c (9.117128)
MATCH checksearch.c/checksearch.c (8.711663)
MATCH cmap.c/cmap.c (6.719233)
MATCH dateinfo.c/dateinfo.c (9.117128)
MATCH dctstream.c/dctstream.c (9.117128)
MATCH decrypt.c/decrypt.c (6.632221)
MATCH dict.c/dict.c (5.310465)
MATCH documentobserver.c/documentobserver.c (8.711663)
MATCH embeddedfiles.c/embeddedfiles.c (9.117128)
MATCH error.c/error.c (3.435250)
MATCH filespec.c/filespec.c (8.423981)
MATCH find.c/find.c (5.699401)
MATCH fixedpoint.c/fixedpoint.c (8.200837)
MATCH flatestream.c/flatestream.c (9.117128)
MATCH fofibase.c/fofibase.c (8.200837)
MATCH fofiencodings.c/fofiencodings.c (8.200837)
MATCH fofitruetype.c/fofitruetype.c (8.200837)
MATCH fofitype.c/fofitype.c (8.200837)
MATCH fontencodingtables.c/fontencodingtables.c (8.200837)
MATCH fontinfo.c/fontinfo.c (7.171218)
MATCH fonts.c/fonts.c (6.049075)
MATCH form.c/form.c (5.918455)
MATCH function.c/function.c (5.156315)
MATCH genunicodetables.py/genunicodetables.py (9.117128)
MATCH gfile.c/file.c (3.746490)
MATCH gfx.c/gfx.c (6.409078)
MATCH gfxfont.c/gfxfont.c (8.200837)
MATCH gfxstate.c/gfxstate.c (8.200837)
MATCH globalparams.c/globalparams.c (8.200837)
MATCH globalparamswin.c/globalparamswin.c (9.117128)
MATCH gmem.c/gmem.c (7.325368)
MATCH gmempp.c/gmempp.c (8.018516)
MATCH goohash.c/goohash.c (9.117128)
MATCH goolist.c/goolist.c (9.117128)
MATCH goostring.c/goostring.c (9.117128)
MATCH gootimer.c/gootimer.c (9.117128)
MATCH gstrtod.c/gstrtod.c (9.117128)
MATCH gtkcairotest.c/gtkcairotest.c (9.117128)
MATCH gtksplashtest.c/gtksplashtest.c (9.117128)
MATCH htmlfonts.c/htmlfonts.c (9.117128)
MATCH htmllinks.c/htmllinks.c (9.117128)
MATCH htmloutputdev.c/htmloutputdev.c (9.117128)
MATCH imageoutputdev.c/imageoutputdev.c (8.200837)
MATCH images.c/images.c (6.226756)
MATCH info.c/info.c (4.833541)
MATCH jarithmeticdecoder.c/jarithmeticdecoder.c (8.200837)
MATCH jbigstream.c/jbigstream.c (8.200837)
MATCH jpegstream.c/jpegstream.c (9.117128)
MATCH jpxstream.c/jpxstream.c (8.200837)
MATCH layers.c/layers.c (7.245326)
MATCH lexer.c/lexer.c (5.344367)
MATCH link.c/link.c (5.344367)
MATCH main.c/main.c (1.999517)
MATCH mainviewer.c/mainviewer.c (9.117128)
MATCH metadata.c/metadata.c (5.784924)
MATCH movie.c/movie.c (6.865836)
MATCH nametocharcode.c/nametocharcode.c (8.200837)
MATCH navigationtoolbar.c/navigationtoolbar.c (9.117128)
MATCH object.c/lobject.c (6.313767)
MATCH optcontent.c/optcontent.c (9.117128)
MATCH optionalcontent.c/optionalcontent.c (9.117128)
MATCH outline.c/outline.c (6.514438)
MATCH outputdev.c/outputdev.c (8.200837)
MATCH page.c/page.c (5.561780)
MATCH pagelabelinfo.c/pagelabelinfo.c (9.117128)
MATCH pagetransition.c/pagetransition.c (8.711663)
MATCH pageview.c/pageview.c (8.200837)
MATCH parseargs.c/parseargs.c (6.919903)
MATCH parser.c/lparser.c (6.254927)
MATCH pdfdoc.c/pdfdoc.c (7.730834)
MATCH pdfdocencoding.c/pdfdocencoding.c (8.200837)
MATCH pdffonts.c/pdffonts.c (8.200837)
MATCH pdffullrewrite.c/pdffullrewrite.c (9.117128)
MATCH pdfimages.c/pdfimages.c (8.200837)
MATCH pdfinfo.c/pdfinfo.c (7.864365)
MATCH pdfinspector.c/pdfinspector.c (9.117128)
MATCH pdfoperators.c/pdfoperators.c (8.711663)
MATCH pdftoabw.c/pdftoabw.c (9.117128)
MATCH pdftohtml.c/pdftohtml.c (9.117128)
MATCH pdftoppm.c/pdftoppm.c (8.200837)
MATCH pdftops.c/pdftops.c (7.864365)
MATCH pdftotext.c/pdftotext.c (8.200837)
MATCH perftest.c/perftest.c (7.864365)
MATCH perftestpreviewdummy.c/perftestpreviewdummy.c (9.117128)
MATCH permissions.c/permissions.c (7.864365)
MATCH pngwriter.c/pngwrite.c (6.283915)
MATCH poppler.c/poppler.c (8.711663)
MATCH poppleraction.c/poppleraction.c (9.117128)
MATCH popplerannot.c/popplerannot.c (9.117128)
MATCH popplerannotation.c/popplerannotation.c (9.117128)
MATCH popplerattachment.c/popplerattachment.c (9.117128)
MATCH popplerbaseconverter.c/popplerbaseconverter.c (9.117128)
MATCH popplercache.c/popplercache.c (9.117128)
MATCH popplerdate.c/popplerdate.c (9.117128)
MATCH popplerdocument.c/popplerdocument.c (8.711663)
MATCH popplerembeddedfile.c/popplerembeddedfile.c (9.117128)
MATCH popplerenums.c/popplerenums.c (9.117128)
MATCH popplerfont.c/popplerfonts.c (9.117128)
MATCH popplerfontinfo.c/popplerfontinfo.c (9.117128)
MATCH popplerform.c/popplerform.c (9.117128)
MATCH popplerformfield.c/popplerformfield.c (9.117128)
MATCH popplerimage.c/popplerpage.c (8.711663)
MATCH popplerlayer.c/popplerlayer.c (9.117128)
MATCH popplerlink.c/popplerlink.c (9.117128)
MATCH popplerlinkextractor.c/popplerlinkextractor.c (9.117128)
MATCH popplermovie.c/popplermovie.c (9.117128)
MATCH poppleroptcontent.c/poppleroptcontent.c (9.117128)
MATCH popplerpagetransition.c/popplerpagetransition.c (9.117128)
MATCH popplerpdfconverter.c/popplerpdfconverter.c (9.117128)
MATCH popplerprivate.c/popplerprivate.c (9.117128)
MATCH popplerqiodeviceoutstream.c/popplerqiodeviceoutstream.c (9.117128)
MATCH popplersound.c/popplersound.c (9.117128)
MATCH popplertextbox.c/popplertextbox.c (9.117128)
MATCH prescanoutputdev.c/prescanoutputdev.c (8.200837)
MATCH print.c/print.c (4.444299)
MATCH printencodings.c/printencodings.c (9.117128)
MATCH profiledata.c/profiledata.c (8.711663)
MATCH psoutputdev.c/psoutputdev.c (8.200837)
MATCH pstokenizer.c/pstokenizer.c (8.200837)
MATCH render.c/render.c (5.391435)
MATCH securityhandler.c/securityhandler.c (8.200837)
MATCH sound.c/sound.c (4.511958)
MATCH splash.c/splash.c (5.859032)
MATCH splashbitmap.c/splashbitmap.c (8.200837)
MATCH splashclip.c/splashclip.c (8.200837)
MATCH splashfont.c/splashfont.c (8.200837)
MATCH splashfontengine.c/splashfontengine.c (8.200837)
MATCH splashfontfile.c/splashfontfile.c (8.200837)
MATCH splashoutputdev.c/splashoutputdev.c (8.200837)
MATCH splashpath.c/splashpath.c (8.200837)
MATCH splashpattern.c/splashpattern.c (8.200837)
MATCH splashscreen.c/splashscreen.c (6.719233)
MATCH splashstate.c/splashstate.c (8.200837)
MATCH splashxpathscanner.c/splashxpathscanner.c (8.200837)
MATCH stream.c/stream.c (4.622890)
MATCH stresspopplerdir.c/stresspopplerdir.c (9.117128)
MATCH stresspopplerqt.c/stresspopplerqt.c (9.117128)
MATCH testpasswordqt.c/testpasswordqt.c (9.117128)
MATCH testpopplerglib.c/testpopplerglib.c (9.117128)
MATCH testpopplerqt.c/testpopplerqt.c (9.117128)
MATCH text.c/text.c (4.376553)
MATCH textoutputdev.c/textoutputdev.c (8.200837)
MATCH thumbnails.c/thumbnails.c (8.018516)
MATCH toc.c/toc.c (6.719233)
MATCH transitions.c/transitions.c (8.200837)
MATCH unicodemap.c/unicodemap.c (7.613050)
MATCH unicodetypetable.c/unicodetypetable.c (8.200837)
MATCH utils.c/utils.c (3.387028)
MATCH viewer.c/viewer.c (6.199357)
MATCH xpdfpluginapi.c/xpdfpluginapi.c (8.200837)
MATCH xref.c/xref.c (6.919903)
Reply to: