Bug 1140745 (CVE-2019-13287) - VUL-1: CVE-2019-13287: xpdf,poppler: In Xpdf 4.01.01, there is an out-of-bounds read vulnerability in the function SplashXPath:strokeAdjust() located at splash/SplashXPath.cc. It can, for example, be triggered by sending a crafted PDF docum
Summary: VUL-1: CVE-2019-13287: xpdf,poppler: In Xpdf 4.01.01, there is an out-of-boun...
Status: RESOLVED FIXED
Alias: CVE-2019-13287
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low    Severity: Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/236473/
Whiteboard: CVSSv3:SUSE:CVE-2019-13287:3.9:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2019-07-08 15:37 UTC by Wolfgang Frisch
Modified: 2024-05-06 13:11 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
PoC: pdftoppm CVE-2019-13287--av_00.pdf /dev/null (3.00 KB, application/pdf)
2019-07-08 15:37 UTC, Wolfgang Frisch

Description Wolfgang Frisch 2019-07-08 15:37:46 UTC
Created attachment 809710
PoC: pdftoppm CVE-2019-13287--av_00.pdf /dev/null

CVE-2019-13287

In Xpdf 4.01.01, there is an out-of-bounds read vulnerability in the function
SplashXPath::strokeAdjust() located at splash/SplashXPath.cc. It can, for
example, be triggered by sending a crafted PDF document to the pdftoppm tool. It
might allow an attacker to cause Information Disclosure. This is related to
CVE-2018-16368.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13287
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13287.html
http://www.cvedetails.com/cve/CVE-2019-13287/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13287
https://github.com/PanguL4b/pocs/tree/master/xpdf/out-of-bounds-read-in-SplashXPath__strokeAdjust
Comment 2 Petr Gajdos 2023-06-13 10:28:35 UTC
Only for 15, I get:

==32432== Invalid read of size 4
==32432==    at 0x4FAFF96: setFlag (XRef.h:90)
==32432==    by 0x4FAFF96: Parser::makeStream(Object&&, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:289)
==32432==    by 0x4FB0823: Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:135)
==32432==    by 0x4FCC765: XRef::fetch(int, int, int) (XRef.cc:1171)
==32432==    by 0x4FA9305: Object::fetch(XRef*, int) const (Object.cc:125)
==32432==    by 0x4FAECC0: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (Page.cc:557)
==32432==    by 0x10AE27: savePageSlice (pdftoppm.cc:276)
==32432==    by 0x10AE27: main (pdftoppm.cc:600)
==32432==  Address 0xc17aa80 is 496 bytes inside a block of size 40,960 free'd
==32432==    at 0x4C2F24B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32432==    by 0x4FCA0BE: XRef::constructXRef(bool*, bool) (XRef.cc:874)
==32432==    by 0x4FCBEE5: XRef::readXRefUntil(int, std::vector<int, std::allocator<int> >*) (XRef.cc:1595)
==32432==    by 0x4FCBFB3: XRef::getEntry(int, bool) (XRef.cc:1639)
==32432==    by 0x4FCCF10: XRef::getNumEntry(long long) (XRef.cc:1305)
==32432==    by 0x4FA4244: Lexer::getObj(char const*, int) (Lexer.cc:591)
==32432==    by 0x4FAFAF6: Parser::shift(char const*, int) (Parser.cc:334)
==32432==    by 0x4FAFE52: Parser::makeStream(Object&&, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:256)
==32432==    by 0x4FB0823: Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:135)
==32432==    by 0x4FCC765: XRef::fetch(int, int, int) (XRef.cc:1171)
==32432==    by 0x4FA9305: Object::fetch(XRef*, int) const (Object.cc:125)
==32432==    by 0x4FAECC0: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (Page.cc:557)
==32432==  Block was alloc'd at
==32432==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32432==    by 0x4F09374: grealloc (gmem.cc:161)
==32432==    by 0x4F09374: greallocn (gmem.cc:240)
==32432==    by 0x4F09374: greallocn_checkoverflow (gmem.cc:248)
==32432==    by 0x4FC95F2: XRef::reserve(int) (XRef.cc:454)
==32432==    by 0x4FC9894: XRef::resize(int) (XRef.cc:471)
==32432==    by 0x4FCA60E: XRef::constructXRef(bool*, bool) (XRef.cc:965)
==32432==    by 0x4FCBC2C: XRef::XRef(BaseStream*, long long, long long, bool*, bool) (XRef.cc:334)
==32432==    by 0x4FB2DA7: PDFDoc::setup(GooString*, GooString*) (PDFDoc.cc:271)
==32432==    by 0x4FB307B: PDFDoc::PDFDoc(GooString*, GooString*, GooString*, void*) (PDFDoc.cc:178)
==32432==    by 0x4FA81C4: LocalPDFDocBuilder::buildPDFDoc(GooString const&, GooString*, GooString*, void*) (LocalPDFDocBuilder.cc:31)
==32432==    by 0x10A9AD: main (pdftoppm.cc:482)
==32432== 

Otherwise no valgrind errors.
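A small triage helper for reports like the one above, added here as an example; it is not code from this bug, from poppler or from valgrind. It splits a memcheck error block into the access kind, the faulting stack and, where memcheck prints them, the free site and the allocation site, classifies the error (a freed-block note means use-after-free rather than the out-of-bounds read the CVE text describes), and checks whether a named function such as SplashXPath::strokeAdjust appears anywhere in the trace. The sample input is an abridged copy of the comment 2 report; the function and class names are the example's own.

```python
"""Triage helper for valgrind memcheck reports (added example, not project code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Abridged from the valgrind output in comment 2 of this bug (frames omitted).
SAMPLE_REPORT = """\
==32432== Invalid read of size 4
==32432==    at 0x4FAFF96: setFlag (XRef.h:90)
==32432==    by 0x4FAFF96: Parser::makeStream(Object&&, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:289)
==32432==    by 0x4FB0823: Parser::getObj(bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:135)
==32432==    by 0x10AE27: main (pdftoppm.cc:600)
==32432==  Address 0xc17aa80 is 496 bytes inside a block of size 40,960 free'd
==32432==    at 0x4C2F24B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32432==    by 0x4FCA0BE: XRef::constructXRef(bool*, bool) (XRef.cc:874)
==32432==  Block was alloc'd at
==32432==    at 0x4C2E01F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32432==    by 0x4FC95F2: XRef::reserve(int) (XRef.cc:454)
==32432==
"""

PREFIX_RE = re.compile(r"^==\d+==\s?")                      # "==PID== " prefix
HEADER_RE = re.compile(r"^Invalid (read|write) of size (\d+)$")
# C++ frames carry full signatures with parentheses, so the source location is
# taken from the last " (...)" group on the line.
FRAME_RE = re.compile(r"^\s*(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(.*)\s+\((.*)\)$")
ADDRESS_RE = re.compile(r"^\s*Address 0x[0-9A-Fa-f]+ is (.*)$")


@dataclass
class MemcheckError:
    kind: str                                    # "read" or "write"
    size: int                                    # access width in bytes
    access_stack: list = field(default_factory=list)   # (function, location)
    address_note: str | None = None              # text after "Address 0x... is"
    free_stack: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)

    @property
    def category(self) -> str:
        if self.free_stack:
            return "use-after-free"
        note = self.address_note or ""
        if "after a block" in note or "before a block" in note:
            return "heap-buffer-overflow"
        return f"invalid-{self.kind}"

    def mentions(self, function_name: str) -> bool:
        """True if the function appears in any of the three stacks."""
        frames = self.access_stack + self.free_stack + self.alloc_stack
        return any(function_name in func for func, _ in frames)


def first_source_frame(stack: list) -> tuple | None:
    """First frame with a file:line location; skips valgrind's preload wrappers
    and other frames that only name a shared object ("in /...")."""
    for func, loc in stack:
        if not loc.startswith("in "):
            return (func, loc)
    return None


def parse_memcheck(report: str) -> list[MemcheckError]:
    errors: list[MemcheckError] = []
    current: MemcheckError | None = None
    target: list | None = None                   # stack the next frames belong to
    for raw in report.splitlines():
        line = PREFIX_RE.sub("", raw)
        if not line.strip():                     # bare "==PID==" line closes the block
            current = None
            continue
        m = HEADER_RE.match(line)
        if m:
            current = MemcheckError(kind=m.group(1), size=int(m.group(2)))
            errors.append(current)
            target = current.access_stack
            continue
        if current is None:
            continue                             # text outside an error block
        m = ADDRESS_RE.match(line)
        if m:
            current.address_note = m.group(1)
            if "free'd" in m.group(1):
                target = current.free_stack
            elif "alloc'd" in m.group(1):
                target = current.alloc_stack
            else:
                target = None
            continue
        if line.strip() == "Block was alloc'd at":
            target = current.alloc_stack
            continue
        m = FRAME_RE.match(line)
        if m and target is not None:
            target.append((m.group(1), m.group(2)))
    return errors


def triage(report: str, cve_function: str) -> list[dict]:
    """One summary per error; matches_cve_function says whether the trace
    touches the function the CVE description names."""
    return [
        {
            "category": err.category,
            "fault": first_source_frame(err.access_stack),
            "freed_at": first_source_frame(err.free_stack),
            "allocated_at": first_source_frame(err.alloc_stack),
            "matches_cve_function": err.mentions(cve_function),
        }
        for err in parse_memcheck(report)
    ]


if __name__ == "__main__":
    for summary in triage(SAMPLE_REPORT, "SplashXPath::strokeAdjust"):
        print(summary)
```

Run against the sample, the helper reports a use-after-free faulting in setFlag (XRef.h:90) on a block freed in XRef::constructXRef and allocated in XRef::reserve, with no frame naming SplashXPath::strokeAdjust, which is the mismatch between the trace and the CVE text that the later comments on this bug point out.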
Comment 3 Petr Gajdos 2023-06-20 16:58:35 UTC
(In reply to Petr Gajdos from comment #2)
> Only for 15, I get:

Actually, this happens on 12sp2, too. Not for 15sp2+ and 12.

> ==32432== Invalid read of size 4
> ==32432==    at 0x4FAFF96: setFlag (XRef.h:90)
> ==32432==    by 0x4FAFF96: Parser::makeStream(Object&&, unsigned char*,
> CryptAlgorithm, int, int, int, int, bool) (Parser.cc:289)
> ==32432==    by 0x4FB0823: Parser::getObj(bool, unsigned char*,
> CryptAlgorithm, int, int, int, int, bool) (Parser.cc:135)
> ==32432==    by 0x4FCC765: XRef::fetch(int, int, int) (XRef.cc:1171)
> ==32432==    by 0x4FA9305: Object::fetch(XRef*, int) const (Object.cc:125)

This resembles a bit CVE-2018-20481 [bsc#1120495]
https://gitlab.freedesktop.org/poppler/poppler/-/issues/692

However, the valgrind error above happens with poppler patched for CVE-2018-20481 and CVE-2019-7310.
Comment 4 Petr Gajdos 2023-06-20 17:01:41 UTC
Patch unknown.
Comment 5 Petr Gajdos 2023-10-17 07:57:03 UTC
Part of:
https://gitlab.freedesktop.org/poppler/poppler/-/commit/178fdef48c18dfdb2f1efea780ffd320631defcd
fixes the valgrind error.

12/poppler: setFlag is not called at all in makeStream(), considering unaffected


AFTER

15,12sp2/poppler:

$ valgrind  -q pdftoppm poc.pdf /dev/null
Syntax Warning: May not be a PDF file (continuing anyway)
Syntax Error (160): Illegal character '>'
Syntax Error (161): Dictionary key must be a name object
Syntax Error (162): Dictionary key must be a name object
Syntax Error (164): Dictionary key must be a name object
Syntax Error (174): Dictionary key must be a name object
Syntax Error (183): Dictionary key must be a name object
Syntax Error (187): Dictionary key must be a name object
Syntax Error (189): Dictionary key must be a name object
Syntax Error (201): Dictionary key must be a name object
Syntax Error (262): Dictionary key must be a name object
Syntax Error (264): Dictionary key must be a name object
Syntax Error (266): Dictionary key must be a name object
Syntax Error (268): Dictionary key must be a name object
Syntax Error (271): Dictionary key must be a name object
Syntax Error (282): Dictionary key must be a name object
Syntax Error (284): Dictionary key must be a name object
Syntax Error (290): Dictionary key must be a name object
Syntax Error (337): Dictionary key must be a name object
Syntax Error (341): Dictionary key must be a name object
Syntax Error: Pages top-level is a single Page. The document is malformed, trying to recover...
Syntax Error: font resource is not a dictionary
Syntax Error: Couldn't find trailer dictionary
Syntax Error: Invalid XRef entry
Syntax Error (1913): Missing 'endstream' or incorrect stream length
Syntax Warning: Bad color space 'CS1'
Syntax Error (1371): Bad color space (fill)
Syntax Warning: Bad color space 'CS2'
Syntax Error (1415): Bad color space (fill)
Syntax Error (1419): Incorrect number of arguments in 'scn' command
Syntax Error (1436): Too few (1) args to 'l' operator
$
Comment 6 Petr Gajdos 2023-10-17 07:57:21 UTC
Will submit for 15,12sp2/poppler.
Comment 7 Petr Gajdos 2023-10-17 11:39:06 UTC
Similar to 1112428 and 112424.

Will submit as poppler-setFlag-invalid-read.patch as I do not think the valgrind error corresponds to this CVE.
Comment 8 Petr Gajdos 2023-10-17 11:39:47 UTC
Will submit for 15,12sp2/poppler.
Comment 9 Petr Gajdos 2023-10-17 12:11:24 UTC
Packages submitted.

I believe all fixed.
Comment 11 Maintenance Automation 2023-10-24 16:30:08 UTC
SUSE-SU-2023:4187-1: An update that solves four vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1112424, 1112428, 1140745, 1214256
CVE References: CVE-2018-18454, CVE-2018-18456, CVE-2019-13287, CVE-2020-36023
Sources used:
openSUSE Leap 15.4 (src): poppler-0.62.0-150000.4.28.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Maintenance Automation 2023-11-03 16:30:06 UTC
SUSE-SU-2023:4362-1: An update that solves nine vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1112424, 1112428, 1128114, 1129202, 1140745, 1143570, 1214256, 1214723, 1214726
CVE References: CVE-2018-18454, CVE-2018-18456, CVE-2019-13287, CVE-2019-14292, CVE-2019-9545, CVE-2019-9631, CVE-2020-36023, CVE-2022-37052, CVE-2022-48545
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): poppler-qt-0.43.0-16.40.1, poppler-0.43.0-16.40.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): poppler-qt-0.43.0-16.40.1, poppler-0.43.0-16.40.1
SUSE Linux Enterprise Server 12 SP5 (src): poppler-qt-0.43.0-16.40.1, poppler-0.43.0-16.40.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): poppler-qt-0.43.0-16.40.1, poppler-0.43.0-16.40.1
Comment 15 Thomas Leroy 2024-05-06 13:11:06 UTC
All done, closing.