#27 podofo 0.9.6 error handle pdf in PoDoFo::PdfVecObjects::Reserve()

Milestone: SVN TRUNK
Status: closed
Labels: bug (2)
Updated: 2020-05-22
Created: 2018-08-23
Creator: Krace
Private: No

Description of problem:
In podofo 0.9.6 (the latest version), there exists a bug in the method PoDoFo::PdfParser::ReadObjects(), which can cause the program to be aborted.
Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted pdf file.

here is the backtrace:

#0  0x00007ffff57d0428 in __GI_raise (sig=sig@entry=0x6)
    at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff57d202a in __GI_abort () at abort.c:89
#2  0x00007ffff61124fd in __gnu_cxx::__verbose_terminate_handler ()
    at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/vterminate.cc:95
#3  0x00007ffff6110566 in __cxxabiv1::__terminate (handler=<optimized out>)
    at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/eh_terminate.cc:47
#4  0x00007ffff61105b1 in std::terminate ()
    at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/eh_terminate.cc:57
#5  0x00007ffff61107c8 in __cxxabiv1::__cxa_throw (obj=obj@entry=0x85e700,
    tinfo=0x7ffff63f0ac0 <typeinfo for std::length_error>,
    dest=0x7ffff6125240 <std::length_error::~length_error()>)
    at ../../../../gcc-5.3.0/libstdc++-v3/libsupc++/eh_throw.cc:87
#6  0x00007ffff6137e8f in std::__throw_length_error (
    __s=0x5c7ac2 "vector::reserve")
    at ../../../../../gcc-5.3.0/libstdc++-v3/src/c++11/functexcept.cc:86
#7  0x000000000055cc44 in std::vector<PoDoFo::PdfObject*, std::allocator<PoDoFo::PdfObject*> >::reserve(unsigned long) ()
#8  0x000000000055bfdc in PoDoFo::PdfVecObjects::Reserve(unsigned long) ()
#9  0x00000000005546b5 in PoDoFo::PdfParser::ReadObjects() ()
#10 0x0000000000553a02 in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) ()
#11 0x0000000000553329 in PoDoFo::PdfParser::ParseFile(char const*, bool) ()
#12 0x000000000050e297 in PoDoFo::PdfMemDocument::Load(char const*, bool) ()
#13 0x000000000050e0d4 in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) ()
#14 0x00000000004afec7 in PdfInfo::PdfInfo(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
#15 0x00000000004b4625 in main ()
#16 0x00007ffff57bb830 in __libc_start_main (main=0x4b4460 <main>, argc=0x2,
    argv=0x7fffffffde18, init=<optimized out>, fini=<optimized out>,
    rtld_fini=<optimized out>, stack_end=0x7fffffffde08)
    at ../csu/libc-start.c:291
#17 0x00000000004afd99 in _start ()

Version-Release number of selected component (if applicable):
podofo 0.9.6

How reproducible:
use podofopdfinfo to read crafted pdf files.

Steps to Reproduce:
1. podofopdfinfo podofo0.9.6-poc
2.
3.
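The backtrace shows the whole failure path: ReadObjects() hands an object count taken from the crafted file to PdfVecObjects::Reserve(), which passes it to std::vector::reserve(); reserve() throws std::length_error when the count exceeds max_size(), nothing in the parse path catches it, and std::terminate() aborts the process (frames #0 to #7). The following is an added example written for this page, not PoDoFo's code and not the fix committed in r1949: it reproduces the unchecked call beside a bounded variant that turns the same input into a parse error. The class names, PdfParseError, the kMinObjBytes heuristic and the sample trailers are all assumptions constructed for the illustration; the crafted trailer is not the attached PoC.

```cpp
// Added example, not PoDoFo's code: an untrusted object count reaching
// std::vector::reserve() versus a bounded Reserve() that fails cleanly.
// UncheckedVecObjects, CheckedVecObjects, PdfParseError and kMinObjBytes
// are assumptions for this illustration, not PoDoFo identifiers.
#include <cctype>
#include <cerrno>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <new>
#include <stdexcept>
#include <string>
#include <vector>

struct PdfObject {};  // stand-in for PoDoFo::PdfObject

// Extracts the integer after /Size in a trailer dictionary. Returns false when
// the key is missing, non-numeric, or does not fit in 64 bits (ERANGE).
bool ParseTrailerSize(const std::string& trailer, std::uint64_t& out) {
    std::string::size_type pos = trailer.find("/Size");
    if (pos == std::string::npos) return false;
    pos += 5;
    while (pos < trailer.size() && std::isspace(static_cast<unsigned char>(trailer[pos]))) ++pos;
    if (pos >= trailer.size() || !std::isdigit(static_cast<unsigned char>(trailer[pos]))) return false;
    errno = 0;
    unsigned long long v = std::strtoull(trailer.c_str() + pos, nullptr, 10);
    if (errno == ERANGE) return false;
    out = v;
    return true;
}

// Mirrors frames #7/#8 of the backtrace: the count goes straight to reserve().
// reserve() throws std::length_error when n > max_size(); a count just below
// that limit throws std::bad_alloc instead. The parse path in the report
// catches neither, so std::terminate() runs and the process aborts.
class UncheckedVecObjects {
public:
    void Reserve(std::size_t n) { m_vector.reserve(n); }
private:
    std::vector<PdfObject*> m_vector;
};

struct PdfParseError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Bounded variant: rejects counts above the container limit and counts that
// are implausible for the file, since every indirect object costs at least
// "N 0 obj" ... "endobj" bytes on disk. kMinObjBytes is an assumed heuristic.
class CheckedVecObjects {
public:
    static constexpr std::size_t kMinObjBytes = 8;
    static std::size_t MaxObjectsFor(std::size_t fileLen) { return fileLen / kMinObjBytes + 1; }

    void Reserve(std::size_t n, std::size_t fileLen) {
        if (n > m_vector.max_size())
            throw PdfParseError("/Size exceeds vector::max_size()");
        if (n > MaxObjectsFor(fileLen))
            throw PdfParseError("/Size implausible for file length");
        m_vector.reserve(n);
    }
private:
    std::vector<PdfObject*> m_vector;
};

enum class Outcome { Ok, Malformed, Rejected, LengthError, AllocFailed };

const char* OutcomeName(Outcome o) {
    switch (o) {
        case Outcome::Ok:          return "ok";
        case Outcome::Malformed:   return "malformed trailer";
        case Outcome::Rejected:    return "rejected by bounds check";
        case Outcome::LengthError: return "std::length_error (uncaught in the real parser: abort)";
        case Outcome::AllocFailed: return "std::bad_alloc";
    }
    return "?";
}

// Stand-in for ReadObjects(): parse /Size, then reserve. The try/catch exists
// only so this example can report what happened; the reported code has none.
Outcome Load(const std::string& trailer, std::size_t fileLen, bool hardened) {
    std::uint64_t size = 0;
    if (!ParseTrailerSize(trailer, size)) return Outcome::Malformed;
    try {
        if (hardened) {
            CheckedVecObjects v;
            v.Reserve(static_cast<std::size_t>(size), fileLen);
        } else {
            UncheckedVecObjects v;
            v.Reserve(static_cast<std::size_t>(size));
        }
    } catch (const PdfParseError&)     { return Outcome::Rejected; }
      catch (const std::length_error&) { return Outcome::LengthError; }
      catch (const std::bad_alloc&)    { return Outcome::AllocFailed; }
    return Outcome::Ok;
}

// Constructed sample trailers (not taken from the attached PoC).
const std::string kBenignTrailer  = "trailer << /Size 12 /Root 1 0 R >>";
const std::string kCraftedTrailer = "trailer << /Size 18446744073709551615 /Root 1 0 R >>";
const std::string kNoSizeTrailer  = "trailer << /Root 1 0 R >>";

int main() {
    std::cout << "benign, unchecked:  " << OutcomeName(Load(kBenignTrailer, 4096, false)) << "\n";
    std::cout << "crafted, unchecked: " << OutcomeName(Load(kCraftedTrailer, 4096, false)) << "\n";
    std::cout << "crafted, hardened:  " << OutcomeName(Load(kCraftedTrailer, 4096, true)) << "\n";
    return 0;
}
```

Two bounds are needed rather than one: max_size() only stops the std::length_error, and a /Size just under it still triggers a multi-exabyte allocation and std::bad_alloc, which is equally fatal when uncaught. Tying the accepted count to the file length closes that gap without guessing at a fixed constant.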

1 Attachments

Discussion

  • Matthew Brincke

    Matthew Brincke - 2018-08-25
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -3,7 +3,8 @@
     Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted pdf file.
    
     here is the backtrace:
    -#0  0x00007ffff57d0428 in __GI_raise (sig=sig@entry=0x6)
    +~~~
    +#0  0x00007ffff57d0428 in GI_raise (sig=sig@entry=0x6)
         at ../sysdeps/unix/sysv/linux/raise.c:54
     #1  0x00007ffff57d202a in __GI_abort () at abort.c:89
     #2  0x00007ffff61124fd in __gnu_cxx::__verbose_terminate_handler ()
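Review bot: the replacement line for frame #0 drops the two leading underscores from `__GI_raise` (the `-` line has them, and the unchanged context line for frame #1 still reads `__GI_abort`); keep the symbol as `__GI_raise` so the frame matches the libc symbol. The underscores were likely lost to Markdown emphasis, which the `~~~` fence opened in this same hunk prevents for the rest of the backtrace.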
    @@ -33,6 +34,7 @@
         rtld_fini=<optimized out>, stack_end=0x7fffffffde08)
         at ../csu/libc-start.c:291
     #17 0x00000000004afd99 in _start ()
    +~~~
    
     Version-Release number of selected component (if applicable):
    
     
  • Matthew Brincke

    Matthew Brincke - 2018-08-31
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -1,10 +1,10 @@
     Description of problem:
    -In podofo 0.9.6(the lastest version),there exists an bug in the function PoDoFo::PdfParser::ReadObjects(),which can cause the program to be aborted.
    +In podofo 0.9.6 (the lastest version), there exists a bug in the method PoDoFo::PdfParser::ReadObjects(), which can cause the program to be aborted.
     Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted pdf file.
    
     here is the backtrace:
     ~~~
    -#0  0x00007ffff57d0428 in GI_raise (sig=sig@entry=0x6)
    +#0  0x00007ffff57d0428 in __GI_raise (sig=sig@entry=0x6)
         at ../sysdeps/unix/sysv/linux/raise.c:54
     #1  0x00007ffff57d202a in __GI_abort () at abort.c:89
     #2  0x00007ffff61124fd in __gnu_cxx::__verbose_terminate_handler ()
    @@ -44,6 +44,6 @@
     use podofopdfinfo to read crafted pdf files.
    
     Steps to Reproduce:
    -1.podofopdfinfo poc
    +1.podofopdfinfo podofo0.9.6-poc
     2.
     3.
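Review bot: steps 2. and 3. remain empty template lines after this change; either drop them or state the expected result (the abort in PoDoFo::PdfVecObjects::Reserve() shown in the backtrace) so that the reproducer is complete.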
    
     
  • Matthew Brincke

    Matthew Brincke - 2018-09-06

    This seems to be a duplicate of issue #4 just with the backtrace (and PoC) missing there, so this should be closed (ideally after copying the backtrace and PoC). I haven't copied it because I can't verify right now.

     
  • Matthew Brincke

    Matthew Brincke - 2018-11-27
    • status: open --> pending
    • assigned_to: Matthew Brincke
     
  • Matthew Brincke

    Matthew Brincke - 2018-11-27

    I couldn't reproduce this with the current library code as PdfMemDocument::InitFromParser( PdfParser* ) throws with error code ePdfError_NoObject because it can't find the Catalog ("Root") object. Therefore I set this to pending herewith (I can't prove it's gone, otherwise I'd close).

     
  • Mattia Rizzolo

    Mattia Rizzolo - 2019-02-11

    @krace do you think you could check again with the current trunk and confirm?

    In the meantime, this was given CVE-2018-15889 ...

     
  • Salvatore Bonaccorso

Krace, any comments on the questions? Otherwise this would likely be a duplicate of CVE-2018-5783, which is issue #4 and fixed with https://sourceforge.net/p/podofo/code/1949 .

     
  • Krace

    Krace - 2019-08-09

I'm sorry to reply so late. I downloaded podofo from SourceForge, but unfortunately the code was not patched in PdfVecObjects::Reserve( size_t size ), so it's a duplicate of CVE-2018-5783...

     
    • Matthew Brincke

      Matthew Brincke - 2019-08-10

      How did you download podofo (the PoDoFo project doesn't fix released packages)? With an svn client (if yes, which revision did you download? For HEAD, please tell when) or a web browser (from the "Files" or the "Code" section? If "Code", which revision, please?) I need this info to know if something could still need to be changed.

       
  • Krace

    Krace - 2019-08-09

I have emailed CVE to cancel CVE-2018-15889, sorry again.

     
  • Salvatore Bonaccorso

    CVE-2018-15889 has been rejected by MITRE.

     
  • zyx

    zyx - 2020-05-22
    • status: pending --> closed
     
  • zyx

    zyx - 2020-05-22

I'm closing this, due to the above comments about it being a duplicate and because when I tested it with r2008 it did not crash, as expected.