Bug 1023070 (CVE-2017-5854)

Summary: VUL-1: CVE-2017-5854: podofo: NULL pointer dereference in PdfOutputStream.cpp
Product: [Novell Products] SUSE Security Incidents
Reporter: Mikhail Kasimov <mikhail.kasimov>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: alarrosa, matthias.gerstner, meissner, plinnell
Version: unspecified
Target Milestone: unspecified
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Mikhail Kasimov 2017-02-01 17:29:48 UTC
Ref: http://seclists.org/oss-sec/2017/q1/265
===============================================
Description:
podofo is a C++ library to work with the PDF file format.

A fuzz on it with UBSAN discovered a NULL pointer access. The upstream
project does not allow me to open a new ticket, so I’m unable to communicate
with them.

The complete UBSan output:

# podofopdfinfo $FILE
/tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfOutputStream.cpp:116:33: runtime error: null pointer passed as argument 2, which is declared to never be null

Affected version:
0.9.4

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00143-podofo-nullptr-PdfOutputStream

Timeline:
2017-01-05: bug discovered
2017-02-01: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfoutputstream-cpp

-- 
Agostino Sarubbo
Gentoo Linux Developer
===============================================


https://software.opensuse.org/package/podofo

TW: 0.9.4
42.(1|2): 0.9.3
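The UBSan line quoted in the description is the output of the `-fsanitize=nonnull-attribute` check: it fires when a NULL pointer reaches a parameter that the callee declares with the `nonnull` attribute, which glibc does for both pointer arguments of `memcpy`, so the report appears even when the length passed alongside the pointer is zero. The following is an added example, not podofo's code and not a reconstruction of the source line the report points at (that line is not shown here). It assumes a minimal memory-backed output stream whose `Write` copies into a growable buffer, which is a common shape for this class of finding, and shows the unguarded copy beside a version that keeps NULL or empty input away from `memcpy`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy memory-backed output stream (added example; not podofo code). */
typedef struct {
    char  *buf;   /* heap buffer holding everything written so far */
    size_t len;   /* bytes used */
    size_t cap;   /* bytes allocated */
} mem_stream;

static int mem_stream_init(mem_stream *s, size_t initial_cap) {
    if (initial_cap == 0) initial_cap = 1;
    s->buf = malloc(initial_cap);
    if (!s->buf) return -1;
    s->len = 0;
    s->cap = initial_cap;
    return 0;
}

static void mem_stream_free(mem_stream *s) {
    free(s->buf);
    s->buf = NULL;
    s->len = s->cap = 0;
}

/* Grow the buffer so that `extra` more bytes fit; guards the size_t sum. */
static int ensure_capacity(mem_stream *s, size_t extra) {
    if (extra > SIZE_MAX - s->len) return -1;      /* would overflow */
    size_t need = s->len + extra;
    if (need <= s->cap) return 0;
    size_t new_cap = s->cap;
    while (new_cap < need) {
        if (new_cap > SIZE_MAX / 2) { new_cap = need; break; }
        new_cap *= 2;
    }
    char *p = realloc(s->buf, new_cap);
    if (!p) return -1;
    s->buf = p;
    s->cap = new_cap;
    return 0;
}

/* Unguarded write, the defect shape. A caller handing in (NULL, 0) reaches
 * memcpy(dst, NULL, 0); glibc declares memcpy's pointers nonnull, so UBSan
 * reports "null pointer passed as argument 2, which is declared to never be
 * null". Shown for contrast only; never called with NULL below. */
static long mem_stream_write_unguarded(mem_stream *s, const char *data, size_t n) {
    if (ensure_capacity(s, n) != 0) return -1;
    memcpy(s->buf + s->len, data, n);
    s->len += n;
    return (long)n;
}

/* Hardened write: a zero-length write is a no-op (the likely (NULL, 0) case
 * from an empty input), a NULL pointer with a non-zero length is a caller
 * bug and is rejected. memcpy therefore never sees a NULL argument. */
static long mem_stream_write(mem_stream *s, const char *data, size_t n) {
    if (n == 0) return 0;
    if (data == NULL) return -1;
    if (ensure_capacity(s, n) != 0) return -1;
    memcpy(s->buf + s->len, data, n);
    s->len += n;
    return (long)n;
}

/* Init a fresh stream, perform one hardened write, return the stream length
 * afterwards, or -1 if the write was rejected or setup failed. */
static long write_then_len(const char *data, size_t n) {
    mem_stream s;
    if (mem_stream_init(&s, 2) != 0) return -1;
    long r = mem_stream_write(&s, data, n);
    long out = (r < 0) ? -1 : (long)s.len;
    mem_stream_free(&s);
    return out;
}

/* Drives the normal path and the (NULL, 0) edge case from the sanitizer
 * report on constructed sample bytes. Returns the final length (15) when every
 * step behaved as intended, otherwise -1. */
static long demo_hardened_stream(void) {
    mem_stream s;
    if (mem_stream_init(&s, 4) != 0) return -1;
    long r1 = mem_stream_write(&s, "%PDF-1.4\n", 9);   /* constructed sample */
    long r2 = mem_stream_write(&s, NULL, 0);           /* no-op, no memcpy */
    long r3 = mem_stream_write(&s, NULL, 5);           /* rejected */
    long r4 = mem_stream_write(&s, "%%EOF\n", 6);
    int ok = r1 == 9 && r2 == 0 && r3 == -1 && r4 == 6 && s.len == 15 &&
             memcmp(s.buf, "%PDF-1.4\n%%EOF\n", 15) == 0;
    long out = ok ? (long)s.len : -1;
    mem_stream_free(&s);
    return out;
}

int main(void) {
    mem_stream s;
    if (mem_stream_init(&s, 4) != 0) return 1;
    mem_stream_write_unguarded(&s, "ok", 2);   /* valid input: fine either way */
    mem_stream_free(&s);
    printf("hardened stream length: %ld\n", demo_hardened_stream());
    return 0;
}
```

Compiling a copy of this file with `-fsanitize=undefined` and changing the `main` call to pass `NULL, 0` into the unguarded variant reproduces the report wording above; the guarded variant stays silent under the same flags because the zero-length check returns before `memcpy`.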
Comment 1 Swamp Workflow Management 2017-02-01 23:03:05 UTC
bugbot adjusting priority
Comment 2 Matthias Gerstner 2017-02-02 11:19:46 UTC
CVE has been assigned: CVE-2017-5854

http://seclists.org/oss-sec/2017/q1/287
Comment 4 Matthias Gerstner 2017-02-06 12:58:54 UTC
I've verified that the PoC file does not segfault or yield any valgrind errors
in openSUSE Leap 42.2 or in SUSE:SLE-12:Update codestreams.

The openSUSE:Factory project currently uses version 0.9.4, however, so you
should make sure that we don't introduce the issue in future versions.

From the security side we're not tracking this issue any further.
Comment 6 Antonio Larrosa 2018-06-26 14:30:58 UTC
Reassign to security-team since a patch was submitted to SUSE:SLE-12:Update in isr 167536
Comment 7 Swamp Workflow Management 2018-08-22 19:08:57 UTC
SUSE-SU-2018:2481-1: An update that fixes 16 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1023067,1023069,1023070,1023071,1023380,1027778,1027782,1027787,1032017,1032018,1032019,1035534,1035596,1037739,1075772,1084894
CVE References: CVE-2017-5852,CVE-2017-5853,CVE-2017-5854,CVE-2017-5855,CVE-2017-5886,CVE-2017-6840,CVE-2017-6844,CVE-2017-6847,CVE-2017-7378,CVE-2017-7379,CVE-2017-7380,CVE-2017-7994,CVE-2017-8054,CVE-2017-8787,CVE-2018-5308,CVE-2018-8001
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    podofo-0.9.2-3.3.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    podofo-0.9.2-3.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    podofo-0.9.2-3.3.1
Comment 8 Swamp Workflow Management 2019-01-10 08:00:22 UTC
This is an autogenerated message for OBS integration:
This bug (1023070) was mentioned in
https://build.opensuse.org/request/show/664264 42.3 / podofo
https://build.opensuse.org/request/show/664265 15.0 / podofo
Comment 9 Swamp Workflow Management 2019-01-18 20:11:10 UTC
openSUSE-SU-2019:0066-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 1023067,1023069,1023070,1023071,1023380,1027778,1027779,1027782,1027787,1032017,1032018,1032019,1035534,1035596,1037739,1075021,1075026,1075322,1075772,1084894
CVE References: CVE-2017-5852,CVE-2017-5853,CVE-2017-5854,CVE-2017-5855,CVE-2017-5886,CVE-2017-6840,CVE-2017-6844,CVE-2017-6845,CVE-2017-6847,CVE-2017-7378,CVE-2017-7379,CVE-2017-7380,CVE-2017-7994,CVE-2017-8054,CVE-2017-8787,CVE-2018-5295,CVE-2018-5296,CVE-2018-5308,CVE-2018-5309,CVE-2018-8001
Sources used:
openSUSE Leap 42.3 (src):    podofo-0.9.6-10.3.1
Comment 10 Marcus Meissner 2019-10-31 08:08:43 UTC
released