Bug 1106879 (CVE-2018-16369)

Summary: VUL-1: CVE-2018-16369: xpdf: XRef::fetch in XRef.cc in Xpdf 4.00 allows remote attackers to cause a denial of service (stack consumption) via a crafted pdf file, related to AcroForm::scanField, as demonstrated by pdftohtml.
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Peter Simons <peter.simons>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: karol, pgajdos, smash_bz, stoyan.manolov
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/213652/
Whiteboard: CVSSv3:SUSE:CVE-2018-16369:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) maint:planned:update
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1133493
Attachments: xpdf-stack-overflow-poc-1

Description Marcus Meissner 2018-09-03 08:38:45 UTC
CVE-2018-16369

XRef::fetch in XRef.cc in Xpdf 4.00 allows remote attackers to cause a denial of
service (stack consumption) via a crafted pdf file, related to
AcroForm::scanField, as demonstrated by pdftohtml.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16369
Comment 1 Marcus Meissner 2018-09-03 08:42:31 UTC
Created attachment 781656 [details]
xpdf-stack-overflow-poc-1

QA REPRODUCER:

pdftohtml xpdf-stack-overflow-poc-1

or

valgrind pdftohtml xpdf-stack-overflow-poc-1


(note poppler-tools seems not affected, it detects the loop)
Comment 2 Karol Babioch 2018-09-04 06:41:41 UTC
*** Bug 1106985 has been marked as a duplicate of this bug. ***
Comment 3 Petr Gajdos 2023-06-12 14:06:25 UTC
Indeed, I get

$ valgrind  -q pdftohtml xpdf-stack-overflow-poc-1.pdf
[..]
Syntax Error (899): Dictionary key must be a name object
Syntax Error (905): Dictionary key must be a name object
Syntax Error (905): Dictionary key must be a name object
Syntax Error (916): Dictionary key must be a name object
Syntax Error (926): Dictionary key must be a name object
Syntax Error (933): Dictionary key must be a name object
Syntax Error (935): Dictionary key must be a name object
Syntax Error (937): Dictionary key must be a name object
Syntax Error (941): Dictionary key must be a name object
Syntax Error (943): Dictionary key must be a name object
Syntax Error (950): Dictionary key must be a name object
Syntax Error: Loop in Pages tree
$

for TW,15,12/poppler. However, I get the large loop for 11sp1/poppler:

<loop>
Error (758): Illegal character '>'
Error (763): Dictionary key must be a name object
Error (769): Dictionary key must be a name object
Error (798): Illegal character ')'
Error (798): Dictionary key must be a name object
Error (820): Dictionary key must be a name object
Error (820): Illegal character '{'
Error (820): Dictionary key must be a name object
Error (846): Dictionary key must be a name object
Error (846): Dictionary key must be a name object
Error (849): Dictionary key must be a name object
Error (849): Illegal character '{'
Error (849): Dictionary key must be a name object
Error (899): Dictionary key must be a name object
Error (899): Illegal character ')'
Error (899): Dictionary key must be a name object
Error (905): Dictionary key must be a name object
Error (905): Dictionary key must be a name object
Error (916): Dictionary key must be a name object
Error (926): Dictionary key must be a name object
Error (933): Dictionary key must be a name object
Error (935): Dictionary key must be a name object
Error (937): Dictionary key must be a name object
Error (941): Dictionary key must be a name object
Error (943): Dictionary key must be a name object
Error (950): Dictionary key must be a name object
</loop>

11sp1/poppler seems to be vulnerable.
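
The stack consumption in the description above and the "Loop in Pages tree" rejection poppler prints in comment 3, as an added Python illustration (not xpdf or poppler code): a page-tree walk that trusts /Kids unconditionally beside one that refuses to revisit an object reference. The in-memory xref dict, its object numbers and the walker and exception names are constructed for the example.

```python
# Constructed sample xref: object 1 is the catalog; node 3 lists its own
# parent (2) among its /Kids, so a walk that trusts /Kids cycles 2 -> 3 -> 2.
CYCLIC_XREF = {
    1: {"Type": "Catalog", "Pages": 2},
    2: {"Type": "Pages", "Kids": [3, 4]},
    3: {"Type": "Pages", "Kids": [5, 2]},  # back-reference closes the loop
    4: {"Type": "Page"},
    5: {"Type": "Page"},
}
# Same document with the back-reference removed: a well-formed tree.
VALID_XREF = {**CYCLIC_XREF, 3: {"Type": "Pages", "Kids": [5]}}

class PagesTreeLoop(Exception):
    """Raised instead of recursing into a node already met on this walk."""

def naive_collect_pages(xref, ref, out):
    # Trusts /Kids unconditionally: a cyclic tree recurses until the stack
    # is exhausted (RecursionError here, a crash in unchecked C code).
    node = xref.get(ref, {})
    if node.get("Type") == "Page":
        out.append(ref)
    for kid in node.get("Kids", []):
        naive_collect_pages(xref, kid, out)
    return out

def safe_collect_pages(xref, ref, out, seen=None):
    # A well-formed /Pages node has exactly one parent, so meeting the same
    # object reference twice can only be a loop: report it, do not recurse.
    seen = set() if seen is None else seen
    if ref in seen:
        raise PagesTreeLoop(f"Loop in Pages tree at object {ref}")
    seen.add(ref)
    node = xref.get(ref)
    if node is None:  # dangling reference: treat as null, not as fatal
        return out
    if node.get("Type") == "Page":
        out.append(ref)
    for kid in node.get("Kids", []):
        safe_collect_pages(xref, kid, out, seen)
    return out

def walk_status(xref, walker):
    # Summarises how a walker ended on this file: "ok", "loop" or "stack".
    try:
        walker(xref, xref[1]["Pages"], [])
    except PagesTreeLoop:
        return "loop"
    except RecursionError:
        return "stack"
    return "ok"
```

The same bounded-walk idea applies to any PDF structure reached through object references (AcroForm field trees, name trees, outlines): track the references already on the walk and fail closed on a revisit instead of trusting the file.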
Comment 4 Petr Gajdos 2023-06-13 06:51:28 UTC
(In reply to Petr Gajdos from comment #3)
> 11sp1/poppler seems to be vulnerable.

However, 11sp1/poppler is not maintained anymore. I suggest closing this bug.