Sumatra PDF Denial Of Service Vulnerability

[Corrine]

Apparent distrust of Adobe PDF Reader has increased the popularity of my preferred alternate PDF application, Sumatra PDF.  It appears that the popularity has also attracted additional attention.  From Security Focus:

Sumatra PDF is prone to an unspecified denial-of-service vulnerability.

An attacker can exploit this issue to crash the affected application, resulting in a denial-of-service condition.

Sumatra PDF 1.1 is vulnerable; other versions may also be affected.

From the exploit information at Security Focus:

Vulnerability Detection Time : 21st June 2010, 1:13 AM         
       Tested on version 1.1 of Sumara PDF Reader                     
             Nature : Accidental Discovery 


Description : Sumatra PDF Reader crashed while testing recovered PDF   
               Files from a HardDisk. PDF Files recovered using Forensic
               Tools were large in size. DoS code has been optimised to 
               implement the crash with reduced file-size.               

Notes : This source can be modified after analyzing the crash appcompat
         files to write shell bind / other payloaded exploits.           
         Sumatra PDR Reader crashed when  PDF Files were already         
         associated to launch it.

[Corrine]

From http://forums.fofou.org/sumatrapdf/topic?id=765321#767321

This issue has been fixed already in what will become SumatraPDF 1.2. You can download a prerelease build for verifying this from http://blog.kowalczyk.info/software/sumatrapdf/prerelase.html

and http://forums.fofou.org/sumatrapdf/topic?id=765321#807321

Calling it an exploit or a denial of service is an exaggeration.

It's a crash, just like any other crash. Some crashes lead to an exploit but most don't and this one hasn't been shown to lead to an exploit.

Thus, we'll treat it as just any other ordinary crash i.e. it got fixed but we won't release an update every time a crash is fixed.