Bug 1027779 - (CVE-2017-6845) VUL-1: CVE-2017-6845: podofo: NULL pointer dereference in GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace (graphicsstack.h)
Status: RESOLVED FIXED
Duplicates: 1027781
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/181149/
CVSSv2:NVD:CVE-2017-6845:4.3:(AV:N/AC...
Reported: 2017-03-02 22:32 UTC by Mikhail Kasimov
Modified: 2019-03-25 15:53 UTC (History)
Description Mikhail Kasimov 2017-03-02 22:32:45 UTC
Ref: http://seclists.org/oss-sec/2017/q1/546
==============================================
Description:
podofo is a C++ library to work with the PDF file format.

Fuzzing it discovered a null pointer dereference. The upstream project does not allow me to open a new ticket, so I will just forward this to the -users mailing list.

The complete ASan output:

# podofocolor dummy $FILE foo
==32192==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000525f24 bp 0x7ffe0a1fdc90 sp 0x7ffe0a1fdc00 T0)
==32192==The signal is caused by a READ memory access.
==32192==Hint: address points to the zero page.
    #0 0x525f23 in GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace(PoDoFo::EPdfColorSpace) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/graphicsstack.h:83:38
    #1 0x525f23 in GraphicsStack::SetNonStrokingColorSpace(PoDoFo::EPdfColorSpace) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/graphicsstack.h:129
    #2 0x525f23 in ColorChanger::ProcessColor(ColorChanger::EKeywordType, int, std::vector<PoDoFo::PdfVariant, std::allocator<PoDoFo::PdfVariant> >&, GraphicsStack&) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/colorchanger.cpp:478
    #3 0x521b3c in ColorChanger::ReplaceColorsInPage(PoDoFo::PdfCanvas*) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/colorchanger.cpp:214:31
    #4 0x51ed8e in ColorChanger::start() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/colorchanger.cpp:120:15
    #5 0x51c06d in main /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/podofocolor.cpp:116:12
    #6 0x7fc21680761f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #7 0x428718 in _start (/usr/bin/podofocolor+0x428718)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/graphicsstack.h:83:38 in GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace(PoDoFo::EPdfColorSpace)
==32192==ABORTING

Affected version:
0.9.4

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00173-podofo-nullptr-GraphicsStack-TGraphicsStackElement-SetNonStrokingColorSpace

Timeline:
2017-02-13: bug discovered
2017-03-02: bug reported to upstream
2017-03-02: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcoloroperator-pdfcolor-cpp
==============================================

https://software.opensuse.org/package/podofo

TW: 0.9.4
42.{1,2}: 0.9.3
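The trace above ends in a setter on the "current" graphics-state element, reached through GraphicsStack from the colour-operator handler in ColorChanger::ProcessColor; the report does not say why that element was invalid. The following is an added example, not podofo's code and not its fix: it models the generic failure mode a fuzzed content stream can trigger in such a stack (more Q than q operators, so the stack is empty when a cs operator arrives) and the check that turns the crash into a rejected input. The class and function names (GraphicsStack, GraphicsState, runContent, colorSpaceForName), the three-operator mini-interpreter and the sample streams are assumptions made for illustration; whether podofo's actual root cause matched this model is not established on this page.

```cpp
// Added example (not podofo code): a minimal PDF graphics-state stack driven
// by the q / Q / cs operators, with the unchecked accessor that is the bug
// class and the checked accessor a hardened tool needs.
#include <cstddef>
#include <iostream>
#include <sstream>
#include <stack>
#include <stdexcept>
#include <string>
#include <vector>

enum class ColorSpace { Unknown, DeviceGray, DeviceRGB, DeviceCMYK };

struct GraphicsState {
    ColorSpace nonStroking = ColorSpace::Unknown;
};

// Name-to-enum mapping for the three device colour spaces (illustrative only).
static ColorSpace colorSpaceForName(const std::string& name) {
    if (name == "/DeviceGray") return ColorSpace::DeviceGray;
    if (name == "/DeviceRGB")  return ColorSpace::DeviceRGB;
    if (name == "/DeviceCMYK") return ColorSpace::DeviceCMYK;
    return ColorSpace::Unknown;
}

class GraphicsStack {
public:
    // Start with one element: the page's initial graphics state.
    GraphicsStack() { m_stack.push(GraphicsState{}); }

    // q: duplicate the current state (refuses on an empty stack via current()).
    void push() { GraphicsState copy = current(); m_stack.push(copy); }

    // Q: drop the current state. Returns false instead of popping an empty stack.
    bool pop() {
        if (m_stack.empty()) return false;
        m_stack.pop();
        return true;
    }

    // The defect pattern: std::stack::top() on an empty stack is undefined
    // behaviour; a setter called through the returned reference is the kind of
    // access that surfaces under ASan as a SEGV. Never call this on an empty stack.
    GraphicsState& currentUnchecked() { return m_stack.top(); }

    // Hardened accessor: a malformed stream fails loudly instead of crashing.
    GraphicsState& current() {
        if (m_stack.empty()) throw std::runtime_error("graphics stack underflow");
        return m_stack.top();
    }

    std::size_t depth() const { return m_stack.size(); }

private:
    std::stack<GraphicsState> m_stack;
};

struct Outcome {
    bool ok = true;
    std::string error;
    std::size_t depth = 0;
    ColorSpace finalNonStroking = ColorSpace::Unknown;
};

// Interpret a whitespace-separated content stream supporting only q, Q and cs.
// Constructed inputs such as "Q /DeviceRGB cs" stand in for a fuzzed PDF whose
// Q operators outnumber its q operators.
Outcome runContent(const std::string& content) {
    Outcome out;
    GraphicsStack gs;
    std::vector<std::string> operands;
    std::istringstream in(content);
    std::string tok;
    try {
        while (in >> tok) {
            if (tok == "q") {
                gs.push();
            } else if (tok == "Q") {
                if (!gs.pop()) throw std::runtime_error("Q without matching q");
            } else if (tok == "cs") {
                if (operands.empty()) throw std::runtime_error("cs without operand");
                gs.current().nonStroking = colorSpaceForName(operands.back());
            } else {
                operands.push_back(tok);   // anything else is an operand
                continue;
            }
            operands.clear();              // operands are consumed by their operator
        }
        out.depth = gs.depth();
        if (out.depth > 0) out.finalNonStroking = gs.current().nonStroking;
    } catch (const std::exception& e) {
        out.ok = false;
        out.error = e.what();
        out.depth = gs.depth();
    }
    return out;
}

int main() {
    const char* streams[] = {"q /DeviceRGB cs Q", "/DeviceCMYK cs", "Q /DeviceRGB cs", "Q Q"};
    for (const char* stream : streams) {
        Outcome o = runContent(stream);
        std::string status = o.ok ? std::string("ok") : "rejected: " + o.error;
        std::cout << '"' << stream << "\": " << status << ", depth " << o.depth << '\n';
    }
    return 0;
}
```

Build with `g++ -std=c++11 -fsanitize=address` and the three sample streams are all handled without a crash; swapping `current()` for `currentUnchecked()` in the cs branch and feeding "Q /DeviceRGB cs" reproduces the class of failure the ASan output shows (a signal inside the setter rather than a caught exception). The point for a reviewer is that the check belongs in the accessor every operator handler goes through, not in one handler.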
Comment 1 Swamp Workflow Management 2017-03-02 23:01:52 UTC
bugbot adjusting priority
Comment 2 Antonio Larrosa 2018-09-19 13:23:41 UTC
Submitted https://build.suse.de/request/show/172442 to fix this for SLE-12
Comment 3 Swamp Workflow Management 2019-01-10 08:00:46 UTC
This is an autogenerated message for OBS integration:
This bug (1027779) was mentioned in
https://build.opensuse.org/request/show/664264 42.3 / podofo
https://build.opensuse.org/request/show/664265 15.0 / podofo
Comment 4 Swamp Workflow Management 2019-01-18 20:11:49 UTC
openSUSE-SU-2019:0066-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 1023067,1023069,1023070,1023071,1023380,1027778,1027779,1027782,1027787,1032017,1032018,1032019,1035534,1035596,1037739,1075021,1075026,1075322,1075772,1084894
CVE References: CVE-2017-5852,CVE-2017-5853,CVE-2017-5854,CVE-2017-5855,CVE-2017-5886,CVE-2017-6840,CVE-2017-6844,CVE-2017-6845,CVE-2017-6847,CVE-2017-7378,CVE-2017-7379,CVE-2017-7380,CVE-2017-7994,CVE-2017-8054,CVE-2017-8787,CVE-2018-5295,CVE-2018-5296,CVE-2018-5308,CVE-2018-5309,CVE-2018-8001
Sources used:
openSUSE Leap 42.3 (src):    podofo-0.9.6-10.3.1
Comment 5 Swamp Workflow Management 2019-02-14 17:09:44 UTC
SUSE-SU-2019:0393-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1027779,1032020,1032021,1032022,1075021,1075026,1075322,1075772,1076962,1096889,1096890
CVE References: CVE-2017-6845,CVE-2017-7381,CVE-2017-7382,CVE-2017-7383,CVE-2017-8054,CVE-2018-11256,CVE-2018-5295,CVE-2018-5296,CVE-2018-5308,CVE-2018-5309,CVE-2018-5783
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    podofo-0.9.2-3.6.3
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    podofo-0.9.2-3.6.3
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    podofo-0.9.2-3.6.3
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    podofo-0.9.2-3.6.3
SUSE Linux Enterprise Desktop 12-SP4 (src):    podofo-0.9.2-3.6.3
SUSE Linux Enterprise Desktop 12-SP3 (src):    podofo-0.9.2-3.6.3
Comment 6 Alexandros Toptsoglou 2019-02-28 14:20:21 UTC
*** Bug 1027781 has been marked as a duplicate of this bug. ***
Comment 7 Alexandros Toptsoglou 2019-02-28 16:34:29 UTC
closing