Bugzilla – Bug 1188514
VUL-0: CVE-2021-36978: qpdf: heap-based buffer overflow in Pl_ASCII85Decoder::write
Last modified: 2024-05-10 17:45:40 UTC
CVE-2021-36978 QPDF 9.x through 9.1.1 and 10.x through 10.0.4 has a heap-based buffer overflow in Pl_ASCII85Decoder::write (called from Pl_AES_PDF::flush and Pl_AES_PDF::finish) when a certain downstream write fails.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36978
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28262
https://github.com/qpdf/qpdf/commit/dc92574c10f3e2516ec6445b88c5d584f40df4e5
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qpdf/OSV-2020-2245.yaml
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36978
Thanks for your work on qpdf, Petr. Could you also please take a look at this one? :)
poc taken from https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28262
However I do not know which command was used.

BEFORE

TW/qpdf
$ valgrind -q qpdf poc -
WARNING: poc: can't find PDF header
WARNING: poc: file is damaged
WARNING: poc (offset 78063): xref not found
WARNING: poc: Attempting to reconstruct cross-reference table
qpdf: poc (offset 40395): unable to find /Root dictionary
$

12,15/qpdf
$ valgrind -q qpdf poc -
WARNING: poc: can't find PDF header
[..]
WARNING: poc (offset 10732): stream will be re-processed without filtering to avoid data loss
==28137== Invalid write of size 1
==28137==    at 0x4E726F3: Pl_ASCII85Decoder::write(unsigned char*, unsigned long) (Pl_ASCII85Decoder.cc:85)
==28137==    by 0x4E72294: Pl_AES_PDF::flush(bool) (Pl_AES_PDF.cc:263)
==28137==    by 0x4E723BE: Pl_AES_PDF::finish() (Pl_AES_PDF.cc:146)
==28137==    by 0x4E7CC90: QPDF::pipeStreamData(int, int, long long, unsigned long, QPDFObjectHandle, Pipeline*, bool, bool) (QPDF.cc:2467)
==28137==    by 0x4EBE3EA: pipeStreamData (QPDF.hh:593)
==28137==    by 0x4EBE3EA: QPDF_Stream::pipeStreamData(Pipeline*, unsigned long, qpdf_stream_decode_level_e, bool, bool) (QPDF_Stream.cc:630)
==28137==    by 0x4E90AC1: QPDFObjectHandle::pipeStreamData(Pipeline*, unsigned long, qpdf_stream_decode_level_e, bool, bool) (QPDFObjectHandle.cc:857)
==28137==    by 0x4EABC5C: QPDFWriter::unparseObject(QPDFObjectHandle, int, unsigned int, unsigned long, bool) (QPDFWriter.cc:1647)
==28137==    by 0x4EACC24: QPDFWriter::unparseObject(QPDFObjectHandle, int, unsigned int) (QPDFWriter.cc:1310)
==28137==    by 0x4EAF2D8: QPDFWriter::writeObject(QPDFObjectHandle, int) (QPDFWriter.cc:1958)
==28137==    by 0x4EB2BC9: QPDFWriter::writeStandard() (QPDFWriter.cc:3339)
==28137==    by 0x4EB3576: QPDFWriter::write() (QPDFWriter.cc:2507)
==28137==    by 0x111ACC: write_outfile(QPDF&, Options&) (qpdf.cc:2380)
==28137==  Address 0x6d5a342 is 10 bytes after a block of size 72 alloc'd
==28137==    at 0x4C2E68F: operator new(unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==28137==    by 0x4EBD6B4: QPDF_Stream::pipeStreamData(Pipeline*, unsigned long, qpdf_stream_decode_level_e, bool, bool) (QPDF_Stream.cc:544)
==28137==    by 0x4E90AC1: QPDFObjectHandle::pipeStreamData(Pipeline*, unsigned long, qpdf_stream_decode_level_e, bool, bool) (QPDFObjectHandle.cc:857)
==28137==    by 0x4EABC5C: QPDFWriter::unparseObject(QPDFObjectHandle, int, unsigned int, unsigned long, bool) (QPDFWriter.cc:1647)
==28137==    by 0x4EACC24: QPDFWriter::unparseObject(QPDFObjectHandle, int, unsigned int) (QPDFWriter.cc:1310)
==28137==    by 0x4EAF2D8: QPDFWriter::writeObject(QPDFObjectHandle, int) (QPDFWriter.cc:1958)
==28137==    by 0x4EB2BC9: QPDFWriter::writeStandard() (QPDFWriter.cc:3339)
==28137==    by 0x4EB3576: QPDFWriter::write() (QPDFWriter.cc:2507)
==28137==    by 0x111ACC: write_outfile(QPDF&, Options&) (qpdf.cc:2380)
==28137==    by 0x116577: main (qpdf.cc:2462)
==28137==
WARNING: poc (offset 10997): error decoding stream data for object 118 0: character out of range during base 85 decode
[..]
WARNING: poc (offset 26958): stream will be re-processed without filtering to avoid data loss
qpdf: operation succeeded with warnings; resulting file may have some problems
$

PATCH

see comment 0

AFTER

12,15/qpdf
valgrind error gone
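To make the failure mode in the description and the trace above concrete, here is an added example that is not qpdf's code: a constructed model of an ASCII85 pipeline stage whose per-group state is reset only after the downstream write, beside the hardened ordering. It assumes (from the CVE text and the referenced fix commit) that a throwing downstream write leaves the decoder's input position at 5, so that when the stage is reused after the error is caught, the next byte is stored past inbuf; the type and function names are all constructed.

```cpp
#include <cstring>
#include <stdexcept>
// Constructed stand-in for the stage after the ASCII85 decoder; fail=true makes
// its write throw, modelling the "downstream write fails" case from the report.
struct Sink {
    bool fail;
    size_t received = 0;
    void write(const unsigned char*, size_t n) {
        if (fail) throw std::runtime_error("downstream write failed");
        received += n;
    }
};
// Minimal ASCII85 stage: collects 5 characters in inbuf, emits 4 bytes.
struct Ascii85Stage {
    unsigned char inbuf[5];
    size_t pos = 0;
    bool hardened;  // true: reset state before the downstream write
    Sink* next;
    Ascii85Stage(Sink* s, bool h) : hardened(h), next(s) { reset(); }
    void reset() { pos = 0; memset(inbuf, 117, 5); }  // 'u' pads a short group
    void flush() {
        if (pos == 0) return;
        unsigned long long v = 0;
        for (int i = 0; i < 5; ++i) v = v * 85 + (inbuf[i] - 33U);
        unsigned char out[4];
        for (int i = 3; i >= 0; --i) { out[i] = v & 0xff; v >>= 8; }
        size_t n = pos - 1;
        if (hardened) { reset(); next->write(out, n); }
        else { next->write(out, n); reset(); }  // a throw skips reset: pos stays 5
    }
    // Returns false where the real code would store to inbuf[5], past the buffer.
    bool write(const unsigned char* buf, size_t len) {
        for (size_t i = 0; i < len; ++i) {
            if (pos >= 5) return false;
            inbuf[pos++] = buf[i];
            if (pos == 5) flush();
        }
        return true;
    }
};
// Feed one group while the sink throws (caught, as qpdf does), then reuse the stage.
bool survivesFailedDownstreamWrite(bool hardened) {
    Sink sink{true};
    Ascii85Stage st(&sink, hardened);
    const unsigned char grp[5] = {'8', '7', 'c', 'U', 'R'};  // "87cUR" -> "Hell"
    try { st.write(grp, 5); } catch (const std::runtime_error&) {}
    sink.fail = false;
    return st.write(grp, 5) && sink.received == 4;
}
```

With the original ordering the second call hits the out-of-range index immediately, which is the write valgrind reports at Pl_ASCII85Decoder.cc:85; with the reset moved before the downstream write the stage recovers and delivers the 4 decoded bytes.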
Submitted for 15,12/qpdf. I believe all fixed.
Thank you very much for your efforts, Petr. I believe that SUSE:SLE-15-SP2:Update is also affected (reproduced with ASan)
SUSE-SU-2022:2670-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1188514,1201830
CVE References: CVE-2021-36978,CVE-2022-34503
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): qpdf-8.0.2-150000.3.5.1
openSUSE Leap 15.3 (src): qpdf-8.0.2-150000.3.5.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): qpdf-8.0.2-150000.3.5.1
SUSE Linux Enterprise Server for SAP 15 (src): qpdf-8.0.2-150000.3.5.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): qpdf-8.0.2-150000.3.5.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): qpdf-8.0.2-150000.3.5.1
SUSE Linux Enterprise Server 15-LTSS (src): qpdf-8.0.2-150000.3.5.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): qpdf-8.0.2-150000.3.5.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): qpdf-8.0.2-150000.3.5.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): qpdf-8.0.2-150000.3.5.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): qpdf-8.0.2-150000.3.5.1
SUSE Enterprise Storage 6 (src): qpdf-8.0.2-150000.3.5.1
SUSE CaaS Platform 4.0 (src): qpdf-8.0.2-150000.3.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2669-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1188514,1201830
CVE References: CVE-2021-36978,CVE-2022-34503
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): qpdf-7.1.1-3.8.1
SUSE OpenStack Cloud 9 (src): qpdf-7.1.1-3.8.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): qpdf-7.1.1-3.8.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): qpdf-7.1.1-3.8.1
SUSE Linux Enterprise Server 12-SP5 (src): qpdf-7.1.1-3.8.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): qpdf-7.1.1-3.8.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): qpdf-7.1.1-3.8.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): qpdf-7.1.1-3.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Package submitted also for 15sp2/qpdf.
SUSE-SU-2022:3248-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1188514
CVE References: CVE-2021-36978
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): qpdf-9.0.2-150200.3.3.1
openSUSE Leap 15.3 (src): qpdf-9.0.2-150200.3.3.1
SUSE Manager Server 4.1 (src): qpdf-9.0.2-150200.3.3.1
SUSE Manager Retail Branch Server 4.1 (src): qpdf-9.0.2-150200.3.3.1
SUSE Manager Proxy 4.1 (src): qpdf-9.0.2-150200.3.3.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): qpdf-9.0.2-150200.3.3.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): qpdf-9.0.2-150200.3.3.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): qpdf-9.0.2-150200.3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): qpdf-9.0.2-150200.3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): qpdf-9.0.2-150200.3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): qpdf-9.0.2-150200.3.3.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): qpdf-9.0.2-150200.3.3.1
SUSE Enterprise Storage 7 (src): qpdf-9.0.2-150200.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.