Bugzilla – Bug 1023070
VUL-1: CVE-2017-5854: podofo: NULL pointer dereference in PdfOutputStream.cpp
Last modified: 2019-10-31 08:08:43 UTC
Ref: http://seclists.org/oss-sec/2017/q1/265 =============================================== Description: podofo is a C++ library to work with the PDF file format. A fuzz on it with the UBSAN discovered a NULL pointer access. The upstream project denies me to open a new ticket. So, Iām unable to communicate with them. The complete UBSan output: # podofopdfinfo $FILE /tmp/portage/app- text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfOutputStream.cpp:116:33: runtime error: null pointer passed as argument 2, which is declared to never be null Affected version: 0.9.4 Fixed version: N/A Commit fix: N/A Credit: This bug was discovered by Agostino Sarubbo of Gentoo. CVE: N/A Reproducer: https://github.com/asarubbo/poc/blob/master/00143-podofo-nullptr-PdfOutputStream Timeline: 2017-01-05: bug discovered 2017-02-01: blog post about the issue Note: This bug was found with American Fuzzy Lop. Permalink: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfoutputstream-cpp -- Agostino Sarubbo Gentoo Linux Developer =============================================== https://software.opensuse.org/package/podofo TW: 0.9.4 42.(1|2): 0.9.3
bugbot adjusting priority
CVE has been assigned: CVE-2017-5854 http://seclists.org/oss-sec/2017/q1/287
I've verified that the PoC file does not segfault or yield any valgrind errors in openSUSE Leap 42.2 or in SUSE:SLE-12:Update codestreams. The openSUSE:Factory project currently uses version 0.9.4, however, thus you should make sure that we don't introduce the issue in future versions. From security side we're not tracking this issue any further.
Reassign to security-team since a patch was submitted to SUSE:SLE-12:Update in isr 167536
SUSE-SU-2018:2481-1: An update that fixes 16 vulnerabilities is now available. Category: security (moderate) Bug References: 1023067,1023069,1023070,1023071,1023380,1027778,1027782,1027787,1032017,1032018,1032019,1035534,1035596,1037739,1075772,1084894 CVE References: CVE-2017-5852,CVE-2017-5853,CVE-2017-5854,CVE-2017-5855,CVE-2017-5886,CVE-2017-6840,CVE-2017-6844,CVE-2017-6847,CVE-2017-7378,CVE-2017-7379,CVE-2017-7380,CVE-2017-7994,CVE-2017-8054,CVE-2017-8787,CVE-2018-5308,CVE-2018-8001 Sources used: SUSE Linux Enterprise Workstation Extension 12-SP3 (src): podofo-0.9.2-3.3.1 SUSE Linux Enterprise Software Development Kit 12-SP3 (src): podofo-0.9.2-3.3.1 SUSE Linux Enterprise Desktop 12-SP3 (src): podofo-0.9.2-3.3.1
This is an autogenerated message for OBS integration: This bug (1023070) was mentioned in https://build.opensuse.org/request/show/664264 42.3 / podofo https://build.opensuse.org/request/show/664265 15.0 / podofo
openSUSE-SU-2019:0066-1: An update that fixes 20 vulnerabilities is now available. Category: security (important) Bug References: 1023067,1023069,1023070,1023071,1023380,1027778,1027779,1027782,1027787,1032017,1032018,1032019,1035534,1035596,1037739,1075021,1075026,1075322,1075772,1084894 CVE References: CVE-2017-5852,CVE-2017-5853,CVE-2017-5854,CVE-2017-5855,CVE-2017-5886,CVE-2017-6840,CVE-2017-6844,CVE-2017-6845,CVE-2017-6847,CVE-2017-7378,CVE-2017-7379,CVE-2017-7380,CVE-2017-7994,CVE-2017-8054,CVE-2017-8787,CVE-2018-5295,CVE-2018-5296,CVE-2018-5308,CVE-2018-5309,CVE-2018-8001 Sources used: openSUSE Leap 42.3 (src): podofo-0.9.6-10.3.1
released