Bug 1029856 (CVE-2017-6846)

Summary: VUL-0: CVE-2017-6846: podofo: A NULL pointer dereference could lead to denial of service
Product: [Novell Products] SUSE Security Incidents Reporter: Victor Pereira <vpereira>
Component: IncidentsAssignee: Antonio Larrosa <alarrosa>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, jsegitz, karol, plinnell, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/181631/
Whiteboard: CVSSv3:NVD:CVE-2017-6846:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) CVSSv2:NVD:CVE-2017-6846:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: reproducer

Description Victor Pereira 2017-03-17 10:07:51 UTC
CVE-2017-6846

The GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace function in
graphicsstack.h in PoDoFo 0.9.4 allows remote attackers to cause a denial of
service (NULL pointer dereference) via a crafted file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6846
http://seclists.org/oss-sec/2017/q1/600
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-6846.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6846
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementsetnonstrokingcolorspace-graphicsstack-h/
Comment 1 Scott Reeves 2018-03-13 04:33:54 UTC
Antonio - Can you look into this. Thanks.
Comment 2 Antonio Larrosa 2018-06-15 12:22:33 UTC
Created attachment 774210 [details]
reproducer
Comment 3 Antonio Larrosa 2018-06-15 12:25:52 UTC
The version from SLE12 is affected by this issue, which hasn't been fixed by upstream yet.

./podofocolor dummy ~/Downloads/00173-podofo-nullptr-GraphicsStack-TGraphicsStackElement-SetNonStrokingColorSpace  foo
<</DocChecksum/DB32E66F6F34BF1E8F2E9B7E403215D4/ID[<4E9B7DEC390D4421658ED31A3E6687B5><4E9B7DEC390D4421658ED31A3E6687B5>]/Info 13 0 R/Root 12 0 R/Size 14>>
Processing page      1...
Reading object 3 0 R with type: Number
Error: An error 8 ocurred during processing the pdf file


PoDoFo encounter an error. Error: 8 ePdfError_InternalLogic
        Error Description: An internal error occurred.
        Callstack:
        #0 Error Source: /home/antonio/ibs/home/alarrosa/branches/SUSE/SLE-12/Update3/podofo/podofo-0.9.2/tools/podofocolor/graphicsstack.cpp:53
                Information: Can get current graphicsstate!
Comment 4 Antonio Larrosa 2018-06-26 17:22:12 UTC
My fault. This wasn't actually reproducible in SLE12. The error in #c3 is a regular error being catched correctly, not a NULL dereference as should be expected. I checked also with valgrind which doesn't report any error at all (apart from 8 bytes lost in 1 block and 312 bytes in 6 blocks still reachable).
Comment 5 Johannes Segitz 2018-10-11 08:26:41 UTC
thanks, adjusted our tracking