Bug 1106879 (CVE-2018-16369) - VUL-1: CVE-2018-16369: xpdf: XRef::fetch in XRef.cc in Xpdf 4.00 allows remote attackers to cause a denial ofservice (stack consumption) via a crafted pdf file, related toAcroForm::scanField, as demonstrated by pdftohtml.
Summary: VUL-1: CVE-2018-16369: xpdf: XRef::fetch in XRef.cc in Xpdf 4.00 allows remot...
Status: RESOLVED INVALID
: 1106985 (view as bug list)
Alias: CVE-2018-16369
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Minor
Target Milestone: ---
Assignee: Peter Simons
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/213652/
Whiteboard: CVSSv3:SUSE:CVE-2018-16369:3.3:(AV:L...
Keywords:
Depends on:
Blocks: 1133493
  Show dependency treegraph
 
Reported: 2018-09-03 08:38 UTC by Marcus Meissner
Modified: 2023-06-14 14:48 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
xpdf-stack-overflow-poc-1 (40.11 KB, application/pdf)
2018-09-03 08:42 UTC, Marcus Meissner 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2018-09-03 08:38:45 UTC 
CVE-2018-16369

XRef::fetch in XRef.cc in Xpdf 4.00 allows remote attackers to cause a denial of
service (stack consumption) via a crafted pdf file, related to
AcroForm::scanField, as demonstrated by pdftohtml.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16369
Comment 1 Marcus Meissner 2018-09-03 08:42:31 UTC 
Created attachment 781656 [details]
xpdf-stack-overflow-poc-1

QA REPRODUCER:

pdftohtml xpdf-stack-overflow-poc-1

or

valgrind pdftohtml xpdf-stack-overflow-poc-1


(note poppler-tools seems not affected, it detects the loop)
Comment 2 Karol Babioch 2018-09-04 06:41:41 UTC 
*** Bug 1106985 has been marked as a duplicate of this bug. ***
Comment 3 Petr Gajdos 2023-06-12 14:06:25 UTC 
Indeed, I get

$ valgrind  -q pdftohtml xpdf-stack-overflow-poc-1.pdf
[..]
Syntax Error (899): Dictionary key must be a name object
Syntax Error (905): Dictionary key must be a name object
Syntax Error (905): Dictionary key must be a name object
Syntax Error (916): Dictionary key must be a name object
Syntax Error (926): Dictionary key must be a name object
Syntax Error (933): Dictionary key must be a name object
Syntax Error (935): Dictionary key must be a name object
Syntax Error (937): Dictionary key must be a name object
Syntax Error (941): Dictionary key must be a name object
Syntax Error (943): Dictionary key must be a name object
Syntax Error (950): Dictionary key must be a name object
Syntax Error: Loop in Pages tree
$

for TW,15,12/poppler. However, I get the large loop for 11sp1/poppler:

<loop>
Error (758): Illegal character '>'
Error (763): Dictionary key must be a name object
Error (769): Dictionary key must be a name object
Error (798): Illegal character ')'
Error (798): Dictionary key must be a name object
Error (820): Dictionary key must be a name object
Error (820): Illegal character '{'
Error (820): Dictionary key must be a name object
Error (846): Dictionary key must be a name object
Error (846): Dictionary key must be a name object
Error (849): Dictionary key must be a name object
Error (849): Illegal character '{'
Error (849): Dictionary key must be a name object
Error (899): Dictionary key must be a name object
Error (899): Illegal character ')'
Error (899): Dictionary key must be a name object
Error (905): Dictionary key must be a name object
Error (905): Dictionary key must be a name object
Error (916): Dictionary key must be a name object
Error (926): Dictionary key must be a name object
Error (933): Dictionary key must be a name object
Error (935): Dictionary key must be a name object
Error (937): Dictionary key must be a name object
Error (941): Dictionary key must be a name object
Error (943): Dictionary key must be a name object
Error (950): Dictionary key must be a name object
</loop>

11sp1/poppler seems to be vulnerable.
Comment 4 Petr Gajdos 2023-06-13 06:51:28 UTC 
(In reply to Petr Gajdos from comment #3)
> 11sp1/poppler seems to be vulnerable.

However, 11sp1/poppler is not maintained anymore. I suggest to close this bug.