Bugzilla – Bug 1112428
VUL-1: CVE-2018-18456: xpdf: Object::isName() in Object.h called from Gfx::opSetFillColorN stack-based buffer over-read
Last modified: 2024-05-07 08:57:18 UTC
CVE-2018-18456: The function Object::isName() in Object.h (called from Gfx::opSetFillColorN) in Xpdf 4.00 allows remote attackers to cause a denial of service (stack-based buffer over-read) via a crafted pdf file, as demonstrated by pdftoppm.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18456
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-18456.html
https://forum.xpdfreader.com/viewtopic.php?f=3&t=41217
https://github.com/TeamSeri0us/pocs/tree/master/xpdf/2018_10_16/pdftoppm

For 15/poppler only:

# valgrind pdftoppm Object::isName@Object.h-134___stack-buffer-overflow
[..]
==7715== Invalid read of size 4
==7715==    at 0x4FAFF96: setFlag (XRef.h:90)
==7715==    by 0x4FAFF96: Parser::makeStream(Object&&, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:289)
==7715==    by 0x4FB0823: Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:135)
==7715==    by 0x4FB051F: Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:93)
==7715==    by 0x4FB0671: Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:120)
==7715==    by 0x4FB051F: Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:93)
==7715==    by 0x4FB0671: Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:120)
==7715==    by 0x4FB051F: Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:93)
==7715==    by 0x4FB0671: Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:120)
==7715==    by 0x4FB051F: Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:93)
==7715==    by 0x4FB0671: Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:120)
==7715==    by 0x4FB051F: Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:93)
==7715==    by 0x4FB0671: Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:120)
==7715==  Address 0xc17ca08 is 1,816 bytes inside a block of size 40,960 free'd
==7715==    at 0x4C2F24B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==7715==    by 0x4FCA0BE: XRef::constructXRef(bool*, bool) (XRef.cc:874)
==7715==    by 0x4FCBEE5: XRef::readXRefUntil(int, std::vector<int, std::allocator<int> >*) (XRef.cc:1595)
==7715==    by 0x4FCBFB3: XRef::getEntry(int, bool) (XRef.cc:1639)
==7715==    by 0x4FCCF10: XRef::getNumEntry(long long) (XRef.cc:1305)
==7715==    by 0x4FA4244: Lexer::getObj(char const*, int) (Lexer.cc:591)
==7715==    by 0x4FAFAF6: Parser::shift(char const*, int) (Parser.cc:334)
==7715==    by 0x4FAFE52: Parser::makeStream(Object&&, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:256)
==7715==    by 0x4FB0823: Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:135)
==7715==    by 0x4FB051F: Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:93)
==7715==    by 0x4FB0671: Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:120)
==7715==    by 0x4FB051F: Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:93)
==7715==  Block was alloc'd at
==7715==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==7715==    by 0x4F09374: grealloc (gmem.cc:161)
==7715==    by 0x4F09374: greallocn (gmem.cc:240)
==7715==    by 0x4F09374: greallocn_checkoverflow (gmem.cc:248)
==7715==    by 0x4FC95F2: XRef::reserve(int) (XRef.cc:454)
==7715==    by 0x4FC9894: XRef::resize(int) (XRef.cc:471)
==7715==    by 0x4FCA60E: XRef::constructXRef(bool*, bool) (XRef.cc:965)
==7715==    by 0x4FCBC2C: XRef::XRef(BaseStream*, long long, long long, bool*, bool) (XRef.cc:334)
==7715==    by 0x4FB2DA7: PDFDoc::setup(GooString*, GooString*) (PDFDoc.cc:271)
==7715==    by 0x4FB307B: PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*) (PDFDoc.cc:178)
==7715==    by 0x4FA81C4: LocalPDFDocBuilder::buildPDFDoc(GooString const&, GooString*, GooString*, void*) (LocalPDFDocBuilder.cc:31)
==7715==    by 0x10A9AD: main (pdftoppm.cc:482)
[..]
==7715== HEAP SUMMARY:
==7715==     in use at exit: 90,216 bytes in 2,388 blocks
==7715==   total heap usage: 37,148 allocs, 34,760 frees, 99,566,718 bytes allocated
==7715==
==7715== LEAK SUMMARY:
==7715==    definitely lost: 80 bytes in 2 blocks
==7715==    indirectly lost: 0 bytes in 0 blocks
==7715==      possibly lost: 0 bytes in 0 blocks
==7715==    still reachable: 90,136 bytes in 2,386 blocks
==7715==         suppressed: 0 bytes in 0 blocks
==7715== Rerun with --leak-check=full to see details of leaked memory
==7715==
==7715== For counts of detected and suppressed errors, rerun with: -v
==7715== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 0 from 0)
:/1112xx #
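The valgrind report above is a use-after-free, not the stack over-read the CVE text describes: the block is freed by XRef::constructXRef, reached through Parser::shift from Parser::makeStream (Parser.cc:256), and then read by setFlag from the same makeStream call a few lines later (Parser.cc:289). In other words, an entry pointer obtained before the xref table was rebuilt is used after the rebuild replaced the table. The C program below is an added illustration of that pattern and its fix; it is not poppler code, and every name in it (table, entry, table_lookup, set_flag_stale, set_flag_by_index) is hypothetical.

```c
/* Added illustration, not poppler code: the dangling-entry pattern the valgrind
 * report above describes (a pointer into an entry table kept across a call
 * that frees and reallocates the table).  All names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct entry { long offset; int flags; };

struct table {
    struct entry *entries;   /* growable block, like the xref entry array */
    size_t size;
    int rebuilt;             /* number of reconstructions, for checking */
};

static int table_init(struct table *t, size_t n)
{
    t->entries = calloc(n, sizeof *t->entries);
    if (t->entries == NULL) return -1;
    t->size = n;
    t->rebuilt = 0;
    return 0;
}

/* Stand-in for the constructXRef()/resize() step in the trace: the old block
 * is freed and a fresh one allocated, so any pointer taken earlier dangles. */
static int table_reconstruct(struct table *t, size_t n)
{
    struct entry *fresh = calloc(n, sizeof *fresh);
    if (fresh == NULL) return -1;
    free(t->entries);
    t->entries = fresh;
    t->size = n;
    t->rebuilt++;
    return 0;
}

/* Stand-in for a lookup that may rebuild the table on the way (the
 * Lexer::getObj -> XRef::getNumEntry -> readXRefUntil chain in the trace). */
static struct entry *table_lookup(struct table *t, size_t idx)
{
    if (idx >= t->size && table_reconstruct(t, idx + 1) != 0) return NULL;
    return &t->entries[idx];
}

/* Vulnerable shape: keep a raw entry pointer across the lookup, then write
 * through it.  If the lookup reconstructed, this writes into freed memory
 * (valgrind: "Invalid ... inside a block ... free'd"). */
static int set_flag_stale(struct table *t, size_t idx, size_t probe)
{
    struct entry *e = &t->entries[idx];
    if (table_lookup(t, probe) == NULL) return -1;   /* may free t->entries */
    e->flags |= 1;                                    /* stale pointer */
    return 0;
}

/* Hardened shape: keep the index, not the pointer, and re-resolve it after
 * every call that can reconstruct the table. */
static int set_flag_by_index(struct table *t, size_t idx, size_t probe)
{
    if (table_lookup(t, probe) == NULL) return -1;
    if (idx >= t->size) return -1;
    t->entries[idx].flags |= 1;                       /* live block */
    return 0;
}

static void table_free(struct table *t)
{
    free(t->entries);
    t->entries = NULL;
    t->size = 0;
}

/* Returns the flags of entry idx after the hardened call, or -1 on error;
 * *rebuilt receives how many reconstructions the call triggered. */
static int demo_hardened(size_t idx, size_t probe, int *rebuilt)
{
    struct table t;
    int flags;
    if (table_init(&t, 4) != 0) return -1;
    if (set_flag_by_index(&t, idx, probe) != 0) { table_free(&t); return -1; }
    flags = t.entries[idx].flags;
    *rebuilt = t.rebuilt;
    table_free(&t);
    return flags;
}

/* Pass any argument to run the stale-pointer version instead; do that under
 * valgrind or AddressSanitizer to see the use-after-free reported. */
int main(int argc, char **argv)
{
    int rebuilt = 0, flags;
    (void)argv;
    if (argc > 1) {
        struct table t;
        if (table_init(&t, 4) != 0) return 1;
        set_flag_stale(&t, 2, 10);   /* probe 10 forces a rebuild: UAF */
        table_free(&t);
        return 0;
    }
    flags = demo_hardened(2, 10, &rebuilt);
    printf("flags=%d rebuilt=%d\n", flags, rebuilt);
    return 0;
}
```

Built with `-fsanitize=address`, `./a.out x` reports a heap-use-after-free in set_flag_stale with the free attributed to table_reconstruct, the same shape as the report above; the hardened path stays clean because the entry is re-resolved through the live table after the call that may rebuild it.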
The original testcase seems to not exhibit the xpdf issue, just another one. Now I get the valgrind error below also for 12sp2 and 12. It does not happen in 15sp2 or 15sp4.
Similar to 1112424. Perhaps https://cgit.freedesktop.org/poppler/poppler/commit/?id=eb40274320381deca89898fb78b57091d2b804cc ?
Also similar to 1140745. Will submit as poppler-setFlag-invalid-read.patch as I do not think the valgrind error corresponds to this CVE.
Will submit for 15, 12sp2/poppler.
Packages submitted. I believe all fixed.
SUSE-SU-2023:4187-1: An update that solves four vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1112424, 1112428, 1140745, 1214256
CVE References: CVE-2018-18454, CVE-2018-18456, CVE-2019-13287, CVE-2020-36023
Sources used:
openSUSE Leap 15.4 (src): poppler-0.62.0-150000.4.28.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4362-1: An update that solves nine vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1112424, 1112428, 1128114, 1129202, 1140745, 1143570, 1214256, 1214723, 1214726
CVE References: CVE-2018-18454, CVE-2018-18456, CVE-2019-13287, CVE-2019-14292, CVE-2019-9545, CVE-2019-9631, CVE-2020-36023, CVE-2022-37052, CVE-2022-48545
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): poppler-qt-0.43.0-16.40.1, poppler-0.43.0-16.40.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): poppler-qt-0.43.0-16.40.1, poppler-0.43.0-16.40.1
SUSE Linux Enterprise Server 12 SP5 (src): poppler-qt-0.43.0-16.40.1, poppler-0.43.0-16.40.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): poppler-qt-0.43.0-16.40.1, poppler-0.43.0-16.40.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.