
Bug#684243: marked as done (poppler code embedded in luatex and possibly may be out of date and vulnerable)



Your message dated Wed, 22 Aug 2012 22:45:40 +0200
with message-id <20120822204540.GB23147@preusse-16223.user.cis.dfn.de>
and subject line Re: Bug#684243: poppler code embedded in luatex and possibly may be out of date and vulnerable
has caused the Debian Bug report #684243,
regarding poppler code embedded in luatex and possibly may be out of date and vulnerable
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
684243: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684243
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: luatex
Severity: important
Tags: security

I have been working on a tool called Clonewise to automatically identify embedded code copies in Debian packages and determine if they are out of date and vulnerable. Ideally, embedding code and libraries should be avoided and a system wide library should be used instead.

I recently ran the tool on Debian 6 stable. The results are here at http://www.foocodechu.com/downloads/Clonewise-report.txt

The luatex package reported potential issues appended to this message.

The analysis tries to justify why it believes a library or code is embedded in the package and if the relationship is not already being tracked by Debian in the embedded-code-copies database it shows the files that are shared between the two pieces of software.

Apologies if these are false positives. Your help in advising me on whether these issues are real will help me improve the analysis for the future.

--
Silvio Cesare
Deakin University

### Summary:
###
poppler CLONED_IN_SOURCE luatex <unfixed> CVE-2010-3703
### Reports by package:
###
# Package luatex may be vulnerable to the following issues:
#
# CVE-2010-3703
# SUMMARY: The PostScriptFunction::PostScriptFunction function in poppler/Function.cc in the PDF parser in poppler 0.8.7 and possibly other versions up to 0.15.1, and possibly other products, allows context-dependent attackers to cause a denial of service (crash) via a PDF file that triggers an uninitialized pointer dereference.
#
# CVE-2010-3703 relates to a vulnerability in package poppler.
# The following source filenames are likely responsible:
# function.c
#
# The following package clones are NOT tracked in the embedded-code-copies
# database.
#
poppler CLONED_IN_SOURCE luatex <unfixed> CVE-2010-3703

--- End Message ---
--- Begin Message ---
On 08.08.12 Silvio Cesare (silvio.cesare@gmail.com) wrote:

Hi,

> This appears to be a false positive in my tool due to some older package
> information I was using, which meant that it didn't detect that the
> libpoppler shared library/package was being used - even though the poppler
> source code was in the luatex tree.
> 
Closing then.

Hilmar
-- 
sigmentation fault


--- End Message ---
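
The false positive discussed in this thread, as an added example (not part of the original messages and not Clonewise's code): a triage step that parses summary lines in the report's "library CLONED_IN_SOURCE package <status> CVE" format and checks the package's build dependencies for a matching -dev package. The control excerpts, the second finding and the lib<name>*-dev naming heuristic are assumptions constructed for illustration.

```python
import re

# Constructed inputs: one summary line in the format shown in the report above,
# one hypothetical finding, and constructed debian/control excerpts.
REPORT = """\
poppler CLONED_IN_SOURCE luatex <unfixed> CVE-2010-3703
expat CLONED_IN_SOURCE examplepkg <unfixed> CVE-PLACEHOLDER
"""
CONTROLS = {
    "luatex": "Source: luatex\nBuild-Depends: debhelper (>= 7), libpng-dev,\n"
              " libpoppler-private-dev (>= 0.12), zlib1g-dev\n",
    "examplepkg": "Source: examplepkg\nBuild-Depends: debhelper (>= 7)\n",
}
FINDING = re.compile(r"^(\S+) CLONED_IN_SOURCE (\S+) <(\w+)> (\S+)$")

def build_depends(control_text):
    """Return package names listed in Build-Depends / Build-Depends-Indep."""
    names = set()
    unfolded = re.sub(r"\n[ \t]+", " ", control_text)  # join continuation lines
    for line in unfolded.splitlines():
        field, _, value = line.partition(":")
        if field.strip().lower() not in ("build-depends", "build-depends-indep"):
            continue
        for alternative in re.split(r"[,|]", value):
            m = re.match(r"\s*([a-z0-9][a-z0-9+.-]+)", alternative)
            if m:
                names.add(m.group(1))  # version and arch qualifiers are dropped
    return names

def triage(report, controls):
    """Pair each finding with any lib<name>*-dev build dependency (heuristic)."""
    results = []
    for line in report.splitlines():
        m = FINDING.match(line.strip())
        if not m:
            continue
        lib, pkg, _status, cve = m.groups()
        dev = re.compile(rf"lib{re.escape(lib)}[a-z0-9+.-]*-dev")
        deps = build_depends(controls.get(pkg, ""))
        linked = sorted(d for d in deps if dev.fullmatch(d))
        # A -dev build dependency suggests, but does not prove, that the system
        # library is linked instead of the in-tree copy: check the build config.
        verdict = "review: may link system library" if linked else "embedded copy likely built"
        results.append((pkg, lib, cve, verdict, linked))
    return results

if __name__ == "__main__":
    for row in triage(REPORT, CONTROLS):
        print(row)
```

A finding marked for review still needs the package's build configuration checked, since source present in the tree can be compiled even when the -dev package is installed.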
