Bug 1023070 (CVE-2017-5854)

Summary: VUL-1: CVE-2017-5854: podofo: NULL pointer dereference in PdfOutputStream.cpp
Product: [Novell Products] SUSE Security Incidents Reporter: Mikhail Kasimov <mikhail.kasimov>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P4 - Low CC: alarrosa, matthias.gerstner, meissner, plinnell
Version: unspecified   
Target Milestone: unspecified   
Hardware: Other   
OS: Other   
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Mikhail Kasimov 2017-02-01 17:29:48 UTC
Ref: http://seclists.org/oss-sec/2017/q1/265
podofo is a C++ library to work with the PDF file format.

A fuzz on it with the UBSAN discovered a NULL pointer access. The upstream 
project denies me to open a new ticket. So, I’m unable to communicate with 

The complete UBSan output:

# podofopdfinfo $FILE
runtime error: null pointer passed as argument 2, which is declared to never 
be null

Affected version:

Fixed version:

Commit fix:

This bug was discovered by Agostino Sarubbo of Gentoo.



2017-01-05: bug discovered
2017-02-01: blog post about the issue

This bug was found with American Fuzzy Lop.


Agostino Sarubbo
Gentoo Linux Developer


TW: 0.9.4
42.(1|2): 0.9.3
Comment 1 Swamp Workflow Management 2017-02-01 23:03:05 UTC
bugbot adjusting priority
Comment 2 Matthias Gerstner 2017-02-02 11:19:46 UTC
CVE has been assigned: CVE-2017-5854

Comment 4 Matthias Gerstner 2017-02-06 12:58:54 UTC
I've verified that the PoC file does not segfault or yield any valgrind errors
in openSUSE Leap 42.2 or in SUSE:SLE-12:Update codestreams.

The openSUSE:Factory project currently uses version 0.9.4, however, thus you
should make sure that we don't introduce the issue in future versions.

From security side we're not tracking this issue any further.
Comment 6 Antonio Larrosa 2018-06-26 14:30:58 UTC
Reassign to security-team since a patch was submitted to SUSE:SLE-12:Update in isr 167536
Comment 7 Swamp Workflow Management 2018-08-22 19:08:57 UTC
SUSE-SU-2018:2481-1: An update that fixes 16 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1023067,1023069,1023070,1023071,1023380,1027778,1027782,1027787,1032017,1032018,1032019,1035534,1035596,1037739,1075772,1084894
CVE References: CVE-2017-5852,CVE-2017-5853,CVE-2017-5854,CVE-2017-5855,CVE-2017-5886,CVE-2017-6840,CVE-2017-6844,CVE-2017-6847,CVE-2017-7378,CVE-2017-7379,CVE-2017-7380,CVE-2017-7994,CVE-2017-8054,CVE-2017-8787,CVE-2018-5308,CVE-2018-8001
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    podofo-0.9.2-3.3.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    podofo-0.9.2-3.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    podofo-0.9.2-3.3.1
Comment 8 Swamp Workflow Management 2019-01-10 08:00:22 UTC
This is an autogenerated message for OBS integration:
This bug (1023070) was mentioned in
https://build.opensuse.org/request/show/664264 42.3 / podofo
https://build.opensuse.org/request/show/664265 15.0 / podofo
Comment 9 Swamp Workflow Management 2019-01-18 20:11:10 UTC
openSUSE-SU-2019:0066-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 1023067,1023069,1023070,1023071,1023380,1027778,1027779,1027782,1027787,1032017,1032018,1032019,1035534,1035596,1037739,1075021,1075026,1075322,1075772,1084894
CVE References: CVE-2017-5852,CVE-2017-5853,CVE-2017-5854,CVE-2017-5855,CVE-2017-5886,CVE-2017-6840,CVE-2017-6844,CVE-2017-6845,CVE-2017-6847,CVE-2017-7378,CVE-2017-7379,CVE-2017-7380,CVE-2017-7994,CVE-2017-8054,CVE-2017-8787,CVE-2018-5295,CVE-2018-5296,CVE-2018-5308,CVE-2018-5309,CVE-2018-8001
Sources used:
openSUSE Leap 42.3 (src):    podofo-0.9.6-10.3.1
Comment 10 Marcus Meissner 2019-10-31 08:08:43 UTC