Bugzilla – Bug 1150039
VUL-1: CVE-2019-16115: xpdf: stack-based buffer under-read could be triggered in IdentityFunction::transform in Function.cc, used by GfxAxialShading::getColor
Last modified: 2024-05-06 12:45:13 UTC
CVE-2019-16115: In Xpdf 4.01.01, a stack-based buffer under-read could be triggered in IdentityFunction::transform in Function.cc, used by GfxAxialShading::getColor. It can, for example, be triggered by sending a crafted PDF document to the pdftoppm tool. It allows an attacker to use a crafted PDF file to cause Denial of Service or possibly unspecified other impact.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16115
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16115
http://www.cvedetails.com/cve/CVE-2019-16115/
https://forum.xpdfreader.com/viewtopic.php?f=3&t=41872
It seems that only poppler in SLE15, SLE12-SP2 and SLE12 is affected. The POC is reproducible in those codestreams. Running the POC in older poppler versions or xpdf-3 fails.

To run the POC simply run the following:

valgrind pdftoppm $POC /dev/null

OUTPUT:

==25667== Use of uninitialised value of size 8
==25667==    at 0x5005FAC: Splash::pipeRun(SplashPipe*) (Splash.cc:693)
==25667==    by 0x50197A3: drawAALine (Splash.cc:1560)
==25667==    by 0x50197A3: Splash::shadedFill(SplashPath*, bool, SplashPattern*) (Splash.cc:6451)
==25667==    by 0x5004994: SplashOutputDev::univariateShadedFill(GfxState*, SplashUnivariatePattern*, double, double) (SplashOutputDev.cc:4825)
==25667==    by 0x5004D77: SplashOutputDev::axialShadedFill(GfxState*, GfxAxialShading*, double, double) (SplashOutputDev.cc:4902)
==25667==    by 0x4F5CB79: Gfx::doAxialShFill(GfxAxialShading*) (Gfx.cc:2649)
==25667==    by 0x4F62352: Gfx::doShadingPatternFill(GfxShadingPattern*, bool, bool, bool) (Gfx.cc:2364)
==25667==    by 0x4F68E79: Gfx::opFill(Object*, int) (Gfx.cc:1813)
==25667==    by 0x4F6385E: Gfx::go(bool) (Gfx.cc:737)
==25667==    by 0x4F63CAA: Gfx::display(Object*, bool) (Gfx.cc:699)
==25667==    by 0x4F640C1: Gfx::drawForm(Object*, Dict*, double*, double*, bool, bool, GfxColorSpace*, bool, bool, bool, Function*, GfxColor*) (Gfx.cc:4837)
==25667==    by 0x4F64786: Gfx::doSoftMask(Object*, bool, GfxColorSpace*, bool, bool, Function*, GfxColor*) (Gfx.cc:1357)
==25667==    by 0x4F66029: Gfx::opSetExtGState(Object*, int) (Gfx.cc:1225)
==25667==  Uninitialised value was created by a heap allocation
==25667==    at 0x4C2E2DF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==25667==    by 0x4F0A099: gmalloc (gmem.cc:110)
==25667==    by 0x4F0A099: gmallocn (gmem.cc:192)
==25667==    by 0x4F0A099: gmallocn (gmem.cc:196)
==25667==    by 0x4F7F357: GfxUnivariateShading::setupCache(Matrix const*, double, double, double, double) (GfxState.cc:3982)
==25667==    by 0x4FFF4B6: SplashUnivariatePattern::SplashUnivariatePattern(SplashColorMode, GfxState*, GfxUnivariateShading*) (SplashOutputDev.cc:307)
==25667==    by 0x4FFF74B: SplashAxialPattern::SplashAxialPattern(SplashColorMode, GfxState*, GfxAxialShading*) (SplashOutputDev.cc:452)
==25667==    by 0x5004D5E: SplashOutputDev::axialShadedFill(GfxState*, GfxAxialShading*, double, double) (SplashOutputDev.cc:4901)
==25667==    by 0x4F5CB79: Gfx::doAxialShFill(GfxAxialShading*) (Gfx.cc:2649)
==25667==    by 0x4F62352: Gfx::doShadingPatternFill(GfxShadingPattern*, bool, bool, bool) (Gfx.cc:2364)
==25667==    by 0x4F68E79: Gfx::opFill(Object*, int) (Gfx.cc:1813)
==25667==    by 0x4F6385E: Gfx::go(bool) (Gfx.cc:737)
==25667==    by 0x4F63CAA: Gfx::display(Object*, bool) (Gfx.cc:699)
==25667==    by 0x4F640C1: Gfx::drawForm(Object*, Dict*, double*, double*, bool, bool, GfxColorSpace*, bool, bool, bool, Function*, GfxColor*) (Gfx.cc:4837)
==25667==
Created attachment 817437: POC
I can reproduce with 12,12sp2,15,15sp2/poppler. I do not see the issue in 15sp4,TW/poppler.
(even if the backtrace looks somewhat different)
Created attachment 868603: Patch file for SLE-15-SP2

This is the patch file for SLE-15-SP2. The issue was well-understood from the Valgrind analysis. We realised it was a memory error, due to memory not having been properly initialised. To mitigate this issue, we call memset() explicitly, initialising the memory block with zeroes.

This patch does not come from upstream: instead, later versions of poppler sanitise user inputs better, making this patch moot. But for our supported versions on SLE-12, SLE-12-SP2, SLE-15 and SLE-15-SP2, this patch provides a quick fix without introducing ABI changes.
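A regression check for the reproduction step quoted earlier in this bug (valgrind pdftoppm $POC /dev/null) and for validating the memset patch across the affected codestreams, added here as an example and not part of the bug, of the patch, or of poppler: it runs the POC under memcheck with origin tracking (which is what produces the "created by a heap allocation" lines in the trace above) and fails when any "Use of uninitialised value" or invalid read/write report appears. The POC path, the log location, and pdftoppm and valgrind being on PATH are assumptions.

```bash
#!/bin/sh
# Regression check for bsc#1150039 / CVE-2019-16115 (example, not from the bug).
# Assumptions: $1 is the path to the POC PDF, $2 (optional) is where to write
# the valgrind log, and pdftoppm and valgrind are on PATH.

# Number of "Use of uninitialised value" reports in a memcheck log.
# grep -c prints 0 when nothing matches, so the count is always printed.
count_uninit() {
    grep -c 'Use of uninitialised value' "$1" 2>/dev/null || true
}

# Number of invalid read/write reports (a separate error class, also a failure).
count_invalid_access() {
    grep -cE 'Invalid (read|write) of size' "$1" 2>/dev/null || true
}

# Exit status 0 when the log contains neither error class, 1 otherwise.
log_is_clean() {
    [ "$(count_uninit "$1")" -eq 0 ] && [ "$(count_invalid_access "$1")" -eq 0 ]
}

# Run the POC through pdftoppm under memcheck and judge the resulting log.
check_poc() {
    poc="$1"
    log="${2:-$(mktemp)}"
    # --track-origins=yes adds the "created by a heap allocation" origin,
    # which points at the allocation the patch initialises with memset().
    valgrind --track-origins=yes --log-file="$log" \
        pdftoppm "$poc" /dev/null || echo "note: pdftoppm exited with status $?"
    if log_is_clean "$log"; then
        echo "PASS: no uninitialised or invalid accesses for $poc"
        return 0
    fi
    echo "FAIL: memcheck findings in $log (uninit=$(count_uninit "$log"), invalid=$(count_invalid_access "$log"))"
    return 1
}

# Only run the real check when a POC path was given on the command line.
if [ -n "${1:-}" ]; then
    check_poc "$1" "${2:-}"
fi
```

An unpatched build should produce a FAIL with the setupCache origin shown in the bug, and the patched build a PASS; a PASS alone does not prove the crafted input is handled correctly, only that memcheck no longer sees the uninitialised read.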
Affected codestreams and submissions:

> SUSE:SLE-15-SP2:Update 0.79.0 https://build.suse.de/request/show/304247
> SUSE:SLE-15:Update 0.62.0 https://build.suse.de/request/show/304250
> SUSE:SLE-12-SP2:Update 0.43.0 https://build.suse.de/request/show/304348
> SUSE:SLE-12:Update 0.24.4 https://build.suse.de/request/show/304350

This sr#304250 has been altered slightly. We found a minor mistake in the poppler.changes file: a Bugzilla bug number had been typo'd. Replaced it with its correct number, bsc#1124150, CVE-2019-7310. Thanks to Pedro Monreal for helping me.

Both sr#304350 and sr#304348 have more considerable changes, since the pre_checkin.sh hadn't been executed in a while. This script aims at replicating the changes done on poppler.spec and poppler.changes onto the -qt and -qt5 .spec and .changes files, respectively.
All submitted, assigning back to security team.
SUSE-SU-2023:3241-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1124150, 1150039
CVE References: CVE-2019-16115, CVE-2019-7310
Sources used:
openSUSE Leap 15.4 (src): poppler-0.62.0-150000.4.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Two new submit requests have been sent, since the original ones were revoked. They contain a cleaner diff.

SLE-12-SP2-Update https://build.suse.de/request/show/305143
SLE-12-Update https://build.suse.de/request/show/305142
SUSE-SU-2023:3292-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1150039
CVE References: CVE-2019-16115
Sources used:
SUSE Manager Retail Branch Server 4.2 (src): poppler-0.79.0-150200.3.14.1
SUSE Manager Server 4.2 (src): poppler-0.79.0-150200.3.14.1
openSUSE Leap 15.4 (src): poppler-0.79.0-150200.3.14.1
Basesystem Module 15-SP4 (src): poppler-0.79.0-150200.3.14.1
Basesystem Module 15-SP5 (src): poppler-0.79.0-150200.3.14.1
SUSE Manager Proxy 4.2 (src): poppler-0.79.0-150200.3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3303-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1150039
CVE References: CVE-2019-16115
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): poppler-0.24.4-14.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3399-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1150039
CVE References: CVE-2019-16115
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): poppler-0.43.0-16.28.1, poppler-qt-0.43.0-16.28.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): poppler-0.43.0-16.28.1, poppler-qt-0.43.0-16.28.1
SUSE Linux Enterprise Server 12 SP5 (src): poppler-0.43.0-16.28.1, poppler-qt-0.43.0-16.28.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): poppler-0.43.0-16.28.1, poppler-qt-0.43.0-16.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.