Bugzilla – Bug 1023380
VUL-1: CVE-2017-5886: podofo: heap-based buffer overflow in PoDoFo::PdfTokenizer::GetNextToken (PdfTokenizer.cpp)
Last modified: 2019-08-16 15:24:20 UTC
Ref: http://seclists.org/oss-sec/2017/q1/301
===============================================

Description:
podofo is a C++ library to work with the PDF file format.

A fuzz on it discovered a heap overflow.

The upstream project does not allow me to open a new ticket. So, I'm unable to communicate with them. This will probably be forwarded to the -users mailing list.

The complete ASan output:

# podofopdfinfo $FILE
==13498==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001dd00 at pc 0x7fdb98e8ab81 bp 0x7ffcef268950 sp 0x7ffcef268948
WRITE of size 1 at 0x62100001dd00 thread T0
    #0 0x7fdb98e8ab80 in PoDoFo::PdfTokenizer::GetNextToken(char const*&, PoDoFo::EPdfTokenType*) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfTokenizer.cpp:319:35
    #1 0x7fdb98e8bb56 in PoDoFo::PdfTokenizer::GetNextNumber() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfTokenizer.cpp:356:27
    #2 0x7fdb98e57903 in PoDoFo::PdfParserObject::ReadObjectNumber() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParserObject.cpp:105:30
    #3 0x7fdb98e58d00 in PoDoFo::PdfParserObject::ParseFile(PoDoFo::PdfEncrypt*, bool) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParserObject.cpp:134:9
    #4 0x7fdb98e38c91 in PoDoFo::PdfParser::ReadTrailer() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:603:56
    #5 0x7fdb98e33127 in PoDoFo::PdfParser::ReadDocumentStructure() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:283:9
    #6 0x7fdb98e30e0f in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:220:9
    #7 0x7fdb98e2f1d4 in PoDoFo::PdfParser::ParseFile(char const*, bool) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:164:11
    #8 0x7fdb9908c3f3 in PoDoFo::PdfMemDocument::Load(char const*) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/doc/PdfMemDocument.cpp:186:16
    #9 0x50e8cb in count_pages(char const*, bool const&) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocountpages/countpages.cpp:45:14
    #10 0x50ecd6 in main /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocountpages/countpages.cpp:86:24
    #11 0x7fdb97a6861f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #12 0x41b5a8 in _start (/usr/bin/podofocountpages+0x41b5a8)

0x62100001dd00 is located 0 bytes to the right of 4096-byte region [0x62100001cd00,0x62100001dd00)
allocated by thread T0 here:
    #0 0x4d4565 in calloc /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:72
    #1 0x7fdb98e17989 in PoDoFo::podofo_calloc(unsigned long, unsigned long) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfMemoryManagement.cpp:139:9
    #2 0x7fdb98e621f8 in PoDoFo::PdfRefCountedBuffer::ReallyResize(unsigned long) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfRefCountedBuffer.cpp:166:59
    #3 0x7fdb98e86044 in PoDoFo::PdfRefCountedBuffer::Resize(unsigned long) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfRefCountedBuffer.h:307:9
    #4 0x7fdb98e86044 in PoDoFo::PdfRefCountedBuffer::PdfRefCountedBuffer(unsigned long) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfRefCountedBuffer.h:227
    #5 0x7fdb98e86044 in PoDoFo::PdfTokenizer::PdfTokenizer() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfTokenizer.cpp:186
    #6 0x7fdb98e2debe in PoDoFo::PdfParser::PdfParser(PoDoFo::PdfVecObjects*) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:76:7
    #7 0x7fdb9908c3a5 in PoDoFo::PdfMemDocument::Load(char const*) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/doc/PdfMemDocument.cpp:185:21
    #8 0x50e8cb in count_pages(char const*, bool const&) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocountpages/countpages.cpp:45:14
    #9 0x50ecd6 in main /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocountpages/countpages.cpp:86:24
    #10 0x7fdb97a6861f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfTokenizer.cpp:319:35 in PoDoFo::PdfTokenizer::GetNextToken(char const*&, PoDoFo::EPdfTokenType*)
==13498==ABORTING

Affected version:
0.9.4

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00146-podofo-heapoverflow-PdfTokenizer

Timeline:
2017-02-02: bug discovered
2017-02-03: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/03/podofo-heap-based-buffer-overflow-in-podofopdftokenizergetnexttoken-pdftokenizer-cpp

--
Agostino Sarubbo
Gentoo Linux Developer
===============================================
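An added example (not PoDoFo's code) of the defensive pattern for the bug class the ASan report above shows: a token reader that copies into a fixed 4096-byte buffer, the region size PdfTokenizer allocates in the trace, and checks the remaining space before storing each byte, so an over-long token is rejected instead of being written one byte past the end. The simplified PDF delimiter set and all function names are assumptions for the illustration; two-character delimiters such as `<<` are not merged.

```cpp
// Added illustrative example, not PoDoFo's code: a minimal PDF token reader with
// a fixed 4096-byte token buffer (the region size in the ASan report) that refuses
// to write past the buffer instead of overflowing it.
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

constexpr std::size_t kTokenBufferSize = 4096;

// PDF whitespace and delimiter classes (simplified; "<<" and ">>" are not merged).
inline bool isWhitespace(char c) {
    return c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '\f' || c == '\0';
}
inline bool isDelimiter(char c) {
    return c != '\0' && std::strchr("()<>[]{}/%", c) != nullptr;
}

enum class TokenResult { Ok, EndOfInput, TokenTooLong };

// Reads the next token from `in` starting at `pos` into `out`. An unchecked loop
// body of just `buf[len++] = in[pos++];` writes one byte past `buf` on a token of
// 4097+ characters: the 1-byte heap WRITE that ASan flagged at the buffer's end.
TokenResult nextToken(const std::string& in, std::size_t& pos, std::string& out) {
    char buf[kTokenBufferSize];
    std::size_t len = 0;
    while (pos < in.size() && isWhitespace(in[pos])) ++pos;
    if (pos >= in.size()) return TokenResult::EndOfInput;
    if (isDelimiter(in[pos])) { out.assign(1, in[pos++]); return TokenResult::Ok; }
    while (pos < in.size() && !isWhitespace(in[pos]) && !isDelimiter(in[pos])) {
        if (len >= kTokenBufferSize) return TokenResult::TokenTooLong;  // bounds check
        buf[len++] = in[pos++];
    }
    out.assign(buf, len);
    return TokenResult::Ok;
}

// Tokenizes all of `in`; returns false if any token would have overflowed the buffer.
bool tokenize(const std::string& in, std::vector<std::string>& tokens) {
    std::size_t pos = 0;
    std::string tok;
    for (;;) {
        TokenResult r = nextToken(in, pos, tok);
        if (r == TokenResult::EndOfInput) return true;
        if (r == TokenResult::TokenTooLong) return false;
        tokens.push_back(tok);
    }
}

// Token count for `in`, or -1 if a token exceeds the buffer (the rejected case).
int countTokens(const std::string& in) {
    std::vector<std::string> t;
    return tokenize(in, t) ? static_cast<int>(t.size()) : -1;
}
```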
Created attachment 712722
PoC Reproducer
bugbot adjusting priority
All codestreams are affected.

QA reproducer:
Using attachment 712722 I've reproduced this on openSUSE Leap 42.2 like this:

valgrind podofopdfinfo 00146-podofo-heapoverflow-PdfTokenizer

The program will not visibly crash, but valgrind will report an invalid write of size 1 and an invalid read of size 1.
There are patches floating on the mailing list, but not yet accepted upstream.
Reassign to security-team since a patch was submitted to SUSE:SLE-12:Update in isr 167536
SUSE-SU-2018:2481-1: An update that fixes 16 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1023067,1023069,1023070,1023071,1023380,1027778,1027782,1027787,1032017,1032018,1032019,1035534,1035596,1037739,1075772,1084894
CVE References: CVE-2017-5852,CVE-2017-5853,CVE-2017-5854,CVE-2017-5855,CVE-2017-5886,CVE-2017-6840,CVE-2017-6844,CVE-2017-6847,CVE-2017-7378,CVE-2017-7379,CVE-2017-7380,CVE-2017-7994,CVE-2017-8054,CVE-2017-8787,CVE-2018-5308,CVE-2018-8001
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src): podofo-0.9.2-3.3.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): podofo-0.9.2-3.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src): podofo-0.9.2-3.3.1
This is an autogenerated message for OBS integration:
This bug (1023380) was mentioned in
https://build.opensuse.org/request/show/664264 42.3 / podofo
https://build.opensuse.org/request/show/664265 15.0 / podofo
openSUSE-SU-2019:0066-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 1023067,1023069,1023070,1023071,1023380,1027778,1027779,1027782,1027787,1032017,1032018,1032019,1035534,1035596,1037739,1075021,1075026,1075322,1075772,1084894
CVE References: CVE-2017-5852,CVE-2017-5853,CVE-2017-5854,CVE-2017-5855,CVE-2017-5886,CVE-2017-6840,CVE-2017-6844,CVE-2017-6845,CVE-2017-6847,CVE-2017-7378,CVE-2017-7379,CVE-2017-7380,CVE-2017-7994,CVE-2017-8054,CVE-2017-8787,CVE-2018-5295,CVE-2018-5296,CVE-2018-5308,CVE-2018-5309,CVE-2018-8001
Sources used:
openSUSE Leap 42.3 (src): podofo-0.9.6-10.3.1
*** Bug 1084902 has been marked as a duplicate of this bug. ***
closing