Bug 1027778 – VUL-1: CVE-2017-6847: podofo: NULL pointer dereference in PoDoFo::PdfVariant::DelayedLoad (PdfVariant.h)

Bug 1027778 - (CVE-2017-6847) VUL-1: CVE-2017-6847: podofo: NULL pointer dereference in PoDoFo::PdfVariant::DelayedLoad (PdfVariant.h)

(CVE-2017-6847)
Summary:	VUL-1: CVE-2017-6847: podofo: NULL pointer dereference in PoDoFo::PdfVariant:...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	CVSSv2:NVD:CVE-2017-6847:4.3:(AV:N/AC...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-03-02 22:30 UTC by Mikhail Kasimov
Modified:	2019-01-18 20:11 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mikhail Kasimov 2017-03-02 22:30:44 UTC

Ref: http://seclists.org/oss-sec/2017/q1/547
=============================================
Description:
podofo is a C++ library to work with the PDF file format.

A fuzz on it discovered a null pointer dereference. The upstream project denies me to open a new ticket. So, I just 
will forward this on the -users mailing list.

The complete ASan output:

# podofocolor dummy $FILE foo
==5768==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7f6504f1742c bp 0x7fffc41a0df0 sp 
0x7fffc41a0d00 T0)
==5768==The signal is caused by a READ memory access.
==5768==Hint: address points to the zero page.
    #0 0x7f6504f1742b in PoDoFo::PdfVariant::DelayedLoad() const 
/tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfVariant.h:545:10
    #1 0x7f6504f1742b in PoDoFo::PdfVariant::GetArray() 
/tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfVariant.h:795
    #2 0x7f6504f1742b in PoDoFo::PdfXObject::PdfXObject(PoDoFo::PdfObject*) 
/tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/doc/PdfXObject.cpp:264
    #3 0x51ff55 in ColorChanger::start() 
/tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/colorchanger.cpp:137:28
    #4 0x51c06d in main /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/podofocolor.cpp:116:12
    #5 0x7f650358c61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x428718 in _start (/usr/bin/podofocolor+0x428718)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfVariant.h:545:10 in 
PoDoFo::PdfVariant::DelayedLoad() const
==5768==ABORTING

Affected version:
0.9.4

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00174-podofo-nullptr-PoDoFo-PdfVariant-DelayedLoad

Timeline:
2017-02-13: bug discovered
2017-03-02: bug reported to upstream
2017-03-02: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfvariantdelayedload-pdfvariant-h
=============================================

https://software.opensuse.org/package/podofo

TW: 0.9.4
42.{1,2}: 0.9.3

Comment 1 Swamp Workflow Management 2017-03-02 23:01:41 UTC

bugbot adjusting priority

Comment 3 Antonio Larrosa 2018-06-26 14:32:10 UTC

Reassign to security-team since a patch was submitted to SUSE:SLE-12:Update in isr 167536

Comment 4 Swamp Workflow Management 2018-08-22 19:09:22 UTC

SUSE-SU-2018:2481-1: An update that fixes 16 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1023067,1023069,1023070,1023071,1023380,1027778,1027782,1027787,1032017,1032018,1032019,1035534,1035596,1037739,1075772,1084894
CVE References: CVE-2017-5852,CVE-2017-5853,CVE-2017-5854,CVE-2017-5855,CVE-2017-5886,CVE-2017-6840,CVE-2017-6844,CVE-2017-6847,CVE-2017-7378,CVE-2017-7379,CVE-2017-7380,CVE-2017-7994,CVE-2017-8054,CVE-2017-8787,CVE-2018-5308,CVE-2018-8001
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    podofo-0.9.2-3.3.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    podofo-0.9.2-3.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    podofo-0.9.2-3.3.1

Comment 5 Marcus Meissner 2019-01-09 11:00:14 UTC

done

Comment 6 Swamp Workflow Management 2019-01-10 08:00:39 UTC

This is an autogenerated message for OBS integration:
This bug (1027778) was mentioned in
https://build.opensuse.org/request/show/664264 42.3 / podofo
https://build.opensuse.org/request/show/664265 15.0 / podofo

Comment 7 Swamp Workflow Management 2019-01-18 20:11:39 UTC

openSUSE-SU-2019:0066-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 1023067,1023069,1023070,1023071,1023380,1027778,1027779,1027782,1027787,1032017,1032018,1032019,1035534,1035596,1037739,1075021,1075026,1075322,1075772,1084894
CVE References: CVE-2017-5852,CVE-2017-5853,CVE-2017-5854,CVE-2017-5855,CVE-2017-5886,CVE-2017-6840,CVE-2017-6844,CVE-2017-6845,CVE-2017-6847,CVE-2017-7378,CVE-2017-7379,CVE-2017-7380,CVE-2017-7994,CVE-2017-8054,CVE-2017-8787,CVE-2018-5295,CVE-2018-5296,CVE-2018-5308,CVE-2018-5309,CVE-2018-8001
Sources used:
openSUSE Leap 42.3 (src):    podofo-0.9.6-10.3.1