Bug 1023380 (CVE-2017-5886)

Summary: VUL-1: CVE-2017-5886: podofo: heap-based buffer overflow in PoDoFo::PdfTokenizer::GetNextToken (PdfTokenizer.cpp)
Product: [Novell Products] SUSE Security Incidents Reporter: Mikhail Kasimov <mikhail.kasimov>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P4 - Low CC: alarrosa, astieger, atoptsoglou, karol, matthias.gerstner
Version: unspecified   
Target Milestone: unspecified   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/179914/
Whiteboard: CVSSv2:SUSE:CVE-2017-5886:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2017-5886:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv3:NVD:CVE-2017-5886:7.8:(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) CVSSv3:RedHat:CVE-2017-5886:4.3:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: PoC Reproducer

Description Mikhail Kasimov 2017-02-03 09:42:04 UTC 
Ref: http://seclists.org/oss-sec/2017/q1/301
===============================================
Description:
podofo is a C++ library to work with the PDF file format.

A fuzz on it discovered an heap overflow. The upstream project denies me to 
open a new ticket. So, I’m unable to communicate with them.
This will probably forwarded the the -users mailing list.

The complete ASan output:

# podofopdfinfo $FILE
==13498==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x62100001dd00 at pc 0x7fdb98e8ab81 bp 0x7ffcef268950 sp 0x7ffcef268948
WRITE of size 1 at 0x62100001dd00 thread T0
    #0 0x7fdb98e8ab80 in PoDoFo::PdfTokenizer::GetNextToken(char const*&, 
PoDoFo::EPdfTokenType*) /tmp/portage/app-
text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfTokenizer.cpp:319:35
    #1 0x7fdb98e8bb56 in PoDoFo::PdfTokenizer::GetNextNumber() 
/tmp/portage/app-
text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfTokenizer.cpp:356:27
    #2 0x7fdb98e57903 in PoDoFo::PdfParserObject::ReadObjectNumber() 
/tmp/portage/app-
text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParserObject.cpp:105:30
    #3 0x7fdb98e58d00 in 
PoDoFo::PdfParserObject::ParseFile(PoDoFo::PdfEncrypt*, bool) 
/tmp/portage/app-
text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParserObject.cpp:134:9
    #4 0x7fdb98e38c91 in PoDoFo::PdfParser::ReadTrailer() /tmp/portage/app-
text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:603:56
    #5 0x7fdb98e33127 in PoDoFo::PdfParser::ReadDocumentStructure() 
/tmp/portage/app-
text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:283:9
    #6 0x7fdb98e30e0f in 
PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) 
/tmp/portage/app-
text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:220:9
    #7 0x7fdb98e2f1d4 in PoDoFo::PdfParser::ParseFile(char const*, bool) 
/tmp/portage/app-
text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:164:11
    #8 0x7fdb9908c3f3 in PoDoFo::PdfMemDocument::Load(char const*) 
/tmp/portage/app-
text/podofo-0.9.4/work/podofo-0.9.4/src/doc/PdfMemDocument.cpp:186:16
    #9 0x50e8cb in count_pages(char const*, bool const&) /tmp/portage/app-
text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocountpages/countpages.cpp:45:14
    #10 0x50ecd6 in main /tmp/portage/app-
text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocountpages/countpages.cpp:86:24
    #11 0x7fdb97a6861f in __libc_start_main /var/tmp/portage/sys-
libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #12 0x41b5a8 in _start (/usr/bin/podofocountpages+0x41b5a8)

0x62100001dd00 is located 0 bytes to the right of 4096-byte region 
[0x62100001cd00,0x62100001dd00)
allocated by thread T0 here:
    #0 0x4d4565 in calloc /tmp/portage/sys-devel/llvm-3.9.0-
r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:72
    #1 0x7fdb98e17989 in PoDoFo::podofo_calloc(unsigned long, unsigned long) 
/tmp/portage/app-
text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfMemoryManagement.cpp:139:9
    #2 0x7fdb98e621f8 in PoDoFo::PdfRefCountedBuffer::ReallyResize(unsigned 
long) /tmp/portage/app-
text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfRefCountedBuffer.cpp:166:59
    #3 0x7fdb98e86044 in PoDoFo::PdfRefCountedBuffer::Resize(unsigned long) 
/tmp/portage/app-
text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfRefCountedBuffer.h:307:9
    #4 0x7fdb98e86044 in 
PoDoFo::PdfRefCountedBuffer::PdfRefCountedBuffer(unsigned long) 
/tmp/portage/app-
text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfRefCountedBuffer.h:227
    #5 0x7fdb98e86044 in PoDoFo::PdfTokenizer::PdfTokenizer() 
/tmp/portage/app-
text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfTokenizer.cpp:186
    #6 0x7fdb98e2debe in PoDoFo::PdfParser::PdfParser(PoDoFo::PdfVecObjects*) 
/tmp/portage/app-
text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:76:7
    #7 0x7fdb9908c3a5 in PoDoFo::PdfMemDocument::Load(char const*) 
/tmp/portage/app-
text/podofo-0.9.4/work/podofo-0.9.4/src/doc/PdfMemDocument.cpp:185:21
    #8 0x50e8cb in count_pages(char const*, bool const&) /tmp/portage/app-
text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocountpages/countpages.cpp:45:14
    #9 0x50ecd6 in main /tmp/portage/app-
text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocountpages/countpages.cpp:86:24
    #10 0x7fdb97a6861f in __libc_start_main /var/tmp/portage/sys-
libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/app-
text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfTokenizer.cpp:319:35 in 
PoDoFo::PdfTokenizer::GetNextToken(char const*&, PoDoFo::EPdfTokenType*)
Shadow bytes around the buggy address:
  0x0c427fffbb50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffbb60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffbb70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffbb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffbb90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffbba0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffbbb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffbbc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffbbd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffbbe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffbbf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13498==ABORTING

Affected version:
0.9.4

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00146-podofo-heapoverflow-PdfTokenizer

Timeline:
2017-02-02: bug discovered
2017-02-03: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/03/podofo-heap-based-buffer-overflow-in-podofopdftokenizergetnexttoken-pdftokenizer-cpp

-- 
Agostino Sarubbo
Gentoo Linux Developer
===============================================
Comment 1 Mikhail Kasimov 2017-02-03 09:43:23 UTC 
Created attachment 712722 [details]
PoC Reproducer
Comment 2 Swamp Workflow Management 2017-02-03 23:00:16 UTC 
bugbot adjusting priority
Comment 3 Matthias Gerstner 2017-02-06 15:08:41 UTC 
All codestreams are affected.

QA reproducer:

Using attachment 712722 [details] I've reproduced this on openSUSE Leap 42.2 like this:

  valgrind podofopdfinfo 00146-podofo-heapoverflow-PdfTokenizer

The program will not visibly crash, but valgrind will report invalid write of
size 1 and an invalid read of size 1.
Comment 4 Peter Linnell 2017-03-02 20:54:57 UTC 
There are patches floating on the mailing list, but not yet accepted upstream.
Comment 6 Antonio Larrosa 2018-06-26 14:31:18 UTC 
Reassign to security-team since a patch was submitted to SUSE:SLE-12:Update in isr 167536
Comment 7 Swamp Workflow Management 2018-08-22 19:09:13 UTC 
SUSE-SU-2018:2481-1: An update that fixes 16 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1023067,1023069,1023070,1023071,1023380,1027778,1027782,1027787,1032017,1032018,1032019,1035534,1035596,1037739,1075772,1084894
CVE References: CVE-2017-5852,CVE-2017-5853,CVE-2017-5854,CVE-2017-5855,CVE-2017-5886,CVE-2017-6840,CVE-2017-6844,CVE-2017-6847,CVE-2017-7378,CVE-2017-7379,CVE-2017-7380,CVE-2017-7994,CVE-2017-8054,CVE-2017-8787,CVE-2018-5308,CVE-2018-8001
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    podofo-0.9.2-3.3.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    podofo-0.9.2-3.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    podofo-0.9.2-3.3.1
Comment 8 Swamp Workflow Management 2019-01-10 08:00:33 UTC 
This is an autogenerated message for OBS integration:
This bug (1023380) was mentioned in
https://build.opensuse.org/request/show/664264 42.3 / podofo
https://build.opensuse.org/request/show/664265 15.0 / podofo
Comment 9 Swamp Workflow Management 2019-01-18 20:11:30 UTC 
openSUSE-SU-2019:0066-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 1023067,1023069,1023070,1023071,1023380,1027778,1027779,1027782,1027787,1032017,1032018,1032019,1035534,1035596,1037739,1075021,1075026,1075322,1075772,1084894
CVE References: CVE-2017-5852,CVE-2017-5853,CVE-2017-5854,CVE-2017-5855,CVE-2017-5886,CVE-2017-6840,CVE-2017-6844,CVE-2017-6845,CVE-2017-6847,CVE-2017-7378,CVE-2017-7379,CVE-2017-7380,CVE-2017-7994,CVE-2017-8054,CVE-2017-8787,CVE-2018-5295,CVE-2018-5296,CVE-2018-5308,CVE-2018-5309,CVE-2018-8001
Sources used:
openSUSE Leap 42.3 (src):    podofo-0.9.6-10.3.1
Comment 10 Alexandros Toptsoglou 2019-02-28 16:03:38 UTC 
*** Bug 1084902 has been marked as a duplicate of this bug. ***
Comment 11 Alexandros Toptsoglou 2019-02-28 16:36:19 UTC 
closing