Bug 1023070 - (CVE-2017-5854) VUL-1: CVE-2017-5854: podofo: NULL pointer dereference in PdfOutputStream.cpp
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low
Severity: Normal
Assigned To: Security Team bot
Reported: 2017-02-01 17:29 UTC by Mikhail Kasimov
Modified: 2019-10-31 08:08 UTC (History)
Description Mikhail Kasimov 2017-02-01 17:29:48 UTC
Ref: http://seclists.org/oss-sec/2017/q1/265
===============================================
Description:
podofo is a C++ library to work with the PDF file format.

A fuzz on it with the UBSAN discovered a NULL pointer access. The upstream 
project denies me to open a new ticket. So, I'm unable to communicate with 
them.

The complete UBSan output:

# podofopdfinfo $FILE
/tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfOutputStream.cpp:116:33: runtime error: null pointer passed as argument 2, which is declared to never be null

Affected version:
0.9.4

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00143-podofo-nullptr-PdfOutputStream

Timeline:
2017-01-05: bug discovered
2017-02-01: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfoutputstream-cpp

-- 
Agostino Sarubbo
Gentoo Linux Developer
===============================================


https://software.opensuse.org/package/podofo

TW: 0.9.4
42.(1|2): 0.9.3
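
Added example, not part of the report and not PoDoFo code: UBSan prints this diagnostic when a null pointer reaches a parameter declared nonnull, such as the source argument of memcpy, which is undefined behaviour even for a zero-length copy. The page does not show line 116, so the memcpy call is an assumption and MemorySink is a hypothetical in-memory output stream showing the guard such a write path needs.

```cpp
// Added illustration: MemorySink is a hypothetical class, not PoDoFo code.
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <limits>
#include <new>
#include <stdexcept>

class MemorySink {
public:
    MemorySink() = default;
    MemorySink(const MemorySink&) = delete;
    MemorySink& operator=(const MemorySink&) = delete;
    ~MemorySink() { std::free(buf_); }
    // Appends len bytes from src; returns the number of bytes appended.
    std::size_t Write(const char* src, std::size_t len) {
        if (len == 0) return 0;  // empty write: never hand a (possibly null) src to memcpy
        if (src == nullptr)      // null with a non-zero length is a caller/parser error
            throw std::invalid_argument("null source buffer");
        if (len > std::numeric_limits<std::size_t>::max() - len_)
            throw std::length_error("stream size overflow");
        Reserve(len_ + len);
        std::memcpy(buf_ + len_, src, len);  // both pointers are non-null here
        len_ += len;
        return len;
    }
    std::size_t size() const { return len_; }
    const char* data() const { return buf_; }
private:
    void Reserve(std::size_t need) {
        if (need <= cap_) return;
        std::size_t cap = cap_ ? cap_ : 64;
        while (cap < need)
            cap = (cap > std::numeric_limits<std::size_t>::max() / 2) ? need : cap * 2;
        char* p = static_cast<char*>(std::realloc(buf_, cap));
        if (p == nullptr) throw std::bad_alloc();
        buf_ = p;
        cap_ = cap;
    }
    char* buf_ = nullptr;
    std::size_t len_ = 0, cap_ = 0;
};

// True when a null source with a non-zero length is rejected before any copy.
bool RejectsNullSource() {
    MemorySink sink;
    try { sink.Write(nullptr, 4); } catch (const std::invalid_argument&) { return true; }
    return false;
}
```

Building a test harness around such a writer with -fsanitize=undefined confirms that the nonnull-attribute check stays silent for empty and null inputs.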
Comment 1 Swamp Workflow Management 2017-02-01 23:03:05 UTC
bugbot adjusting priority
Comment 2 Matthias Gerstner 2017-02-02 11:19:46 UTC
CVE has been assigned: CVE-2017-5854

http://seclists.org/oss-sec/2017/q1/287
Comment 4 Matthias Gerstner 2017-02-06 12:58:54 UTC
I've verified that the PoC file does not segfault or yield any valgrind errors
in openSUSE Leap 42.2 or in SUSE:SLE-12:Update codestreams.

The openSUSE:Factory project currently uses version 0.9.4, however, thus you
should make sure that we don't introduce the issue in future versions.

From security side we're not tracking this issue any further.
Comment 6 Antonio Larrosa 2018-06-26 14:30:58 UTC
Reassign to security-team since a patch was submitted to SUSE:SLE-12:Update in isr 167536
Comment 7 Swamp Workflow Management 2018-08-22 19:08:57 UTC
SUSE-SU-2018:2481-1: An update that fixes 16 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1023067,1023069,1023070,1023071,1023380,1027778,1027782,1027787,1032017,1032018,1032019,1035534,1035596,1037739,1075772,1084894
CVE References: CVE-2017-5852,CVE-2017-5853,CVE-2017-5854,CVE-2017-5855,CVE-2017-5886,CVE-2017-6840,CVE-2017-6844,CVE-2017-6847,CVE-2017-7378,CVE-2017-7379,CVE-2017-7380,CVE-2017-7994,CVE-2017-8054,CVE-2017-8787,CVE-2018-5308,CVE-2018-8001
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    podofo-0.9.2-3.3.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    podofo-0.9.2-3.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    podofo-0.9.2-3.3.1
Comment 8 Swamp Workflow Management 2019-01-10 08:00:22 UTC
This is an autogenerated message for OBS integration:
This bug (1023070) was mentioned in
https://build.opensuse.org/request/show/664264 42.3 / podofo
https://build.opensuse.org/request/show/664265 15.0 / podofo
Comment 9 Swamp Workflow Management 2019-01-18 20:11:10 UTC
openSUSE-SU-2019:0066-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 1023067,1023069,1023070,1023071,1023380,1027778,1027779,1027782,1027787,1032017,1032018,1032019,1035534,1035596,1037739,1075021,1075026,1075322,1075772,1084894
CVE References: CVE-2017-5852,CVE-2017-5853,CVE-2017-5854,CVE-2017-5855,CVE-2017-5886,CVE-2017-6840,CVE-2017-6844,CVE-2017-6845,CVE-2017-6847,CVE-2017-7378,CVE-2017-7379,CVE-2017-7380,CVE-2017-7994,CVE-2017-8054,CVE-2017-8787,CVE-2018-5295,CVE-2018-5296,CVE-2018-5308,CVE-2018-5309,CVE-2018-8001
Sources used:
openSUSE Leap 42.3 (src):    podofo-0.9.6-10.3.1
Comment 10 Marcus Meissner 2019-10-31 08:08:43 UTC
released