Bug 1037739 - (CVE-2017-8787) VUL-1: CVE-2017-8787: podofo: The PoDoFo::PdfXRefStreamParserObject::ReadXRefStreamEntry function in base/PdfXRefStreamParserObjec...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low
Severity: Normal
Assigned To: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/184821/
Whiteboard: CVSSv2:SUSE:CVE-2017-8787:4.4:(AV:L/A...

Reported: 2017-05-05 08:30 UTC by Alexander Bergmann
Modified: 2019-10-31 08:18 UTC

Found By: Security Response Team

Attachments
Reproducer: heap-overflow-ReadXRefStreamEntry (1.24 KB, application/pdf)
2017-05-05 11:10 UTC, Alexander Bergmann

Description Alexander Bergmann 2017-05-05 08:30:51 UTC
CVE-2017-8787

The PoDoFo::PdfXRefStreamParserObject::ReadXRefStreamEntry function in
base/PdfXRefStreamParserObject.cpp:224 in PoDoFo 0.9.5 allows remote
attackers to cause a denial of service (heap-based buffer over-read) or
possibly have unspecified other impact via a crafted PDF file.

Debian Bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861738

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8787
Comment 1 Alexander Bergmann 2017-05-05 11:10:36 UTC
Created attachment 723955
Reproducer: heap-overflow-ReadXRefStreamEntry

This reproducer can be used to trigger the described problem. As the AddressSanitizer is not enabled during podofo build time, we need to validate the issue with the help of valgrind.

#> valgrind podofopdfinfo heap-overflow-ReadXRefStreamEntry

The podofopdfinfo tool is part of the podofo rpm that is not distributed via the update channel. It is however available inside the related build service project.
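
One way to script the valgrind check from comment 1 so it can be rerun against an updated package, as an added example that is not part of the original bug report. The helper names `count_invalid_reads`, `check_pdf` and `sample_log` are hypothetical, and the log printed by `sample_log` is constructed (placeholder PID, addresses and line numbers), not real valgrind output.

```shell
#!/bin/sh
# Added example, not part of the bug report.

# count_invalid_reads LOG FUNC
# Print how many memcheck "Invalid read" reports in LOG have FUNC in the
# stack of the faulting access (the allocation stack is ignored).
count_invalid_reads() {
    awk -v fn="$2" '
        { sub(/^==[0-9]+== ?/, "") }               # drop the "==PID== " prefix
        /^Invalid read of size/ { in_err = 1; hit = 0; next }
        in_err && /^ +(at|by) 0x/ { if (index($0, fn)) hit = 1; next }
        in_err { n += hit; in_err = 0 }            # first non-frame line ends the stack
        END { print n + (in_err && hit) }
    ' "$1"
}

# check_pdf PDF
# Return 0 if the installed podofopdfinfo parses PDF without an invalid read
# in ReadXRefStreamEntry, 1 if the over-read is reported, 2 if tools are missing.
check_pdf() {
    command -v valgrind >/dev/null 2>&1 || return 2
    command -v podofopdfinfo >/dev/null 2>&1 || return 2
    log=$(mktemp) || return 2
    # A malformed PDF makes the tool exit non-zero; only the log matters here.
    valgrind --log-file="$log" podofopdfinfo "$1" >/dev/null 2>&1 || true
    n=$(count_invalid_reads "$log" 'PdfXRefStreamParserObject::ReadXRefStreamEntry')
    rm -f "$log"
    [ "$n" -eq 0 ]
}

# Constructed sample of memcheck output (PID, addresses, line numbers are placeholders).
sample_log() {
    cat <<'EOF'
==4242== Invalid read of size 1
==4242==    at 0x0: PoDoFo::PdfXRefStreamParserObject::ReadXRefStreamEntry (PdfXRefStreamParserObject.cpp:224)
==4242==    by 0x0: main (podofopdfinfo.cpp:0)
==4242==  Address 0x0 is 0 bytes after a block of size 8 alloc'd
==4242==    at 0x0: malloc (vg_replace_malloc.c:0)
==4242== 
==4242== Invalid read of size 4
==4242==    at 0x0: unrelated_function (other.c:0)
==4242==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
EOF
}
```

Running `check_pdf heap-overflow-ReadXRefStreamEntry` before and after installing the update shows whether the fixed build still reports the read in that function.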
Comment 3 Antonio Larrosa 2018-06-26 14:34:06 UTC
Reassign to security-team since a patch was submitted to SUSE:SLE-12:Update in isr 167536
Comment 4 Swamp Workflow Management 2018-08-22 19:10:26 UTC
SUSE-SU-2018:2481-1: An update that fixes 16 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1023067,1023069,1023070,1023071,1023380,1027778,1027782,1027787,1032017,1032018,1032019,1035534,1035596,1037739,1075772,1084894
CVE References: CVE-2017-5852,CVE-2017-5853,CVE-2017-5854,CVE-2017-5855,CVE-2017-5886,CVE-2017-6840,CVE-2017-6844,CVE-2017-6847,CVE-2017-7378,CVE-2017-7379,CVE-2017-7380,CVE-2017-7994,CVE-2017-8054,CVE-2017-8787,CVE-2018-5308,CVE-2018-8001
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    podofo-0.9.2-3.3.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    podofo-0.9.2-3.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    podofo-0.9.2-3.3.1
Comment 5 Swamp Workflow Management 2019-01-10 08:01:28 UTC
This is an autogenerated message for OBS integration:
This bug (1037739) was mentioned in
https://build.opensuse.org/request/show/664264 42.3 / podofo
https://build.opensuse.org/request/show/664265 15.0 / podofo
Comment 6 Swamp Workflow Management 2019-01-18 20:12:56 UTC
openSUSE-SU-2019:0066-1: An update that fixes 20 vulnerabilities is now available.

Category: security (important)
Bug References: 1023067,1023069,1023070,1023071,1023380,1027778,1027779,1027782,1027787,1032017,1032018,1032019,1035534,1035596,1037739,1075021,1075026,1075322,1075772,1084894
CVE References: CVE-2017-5852,CVE-2017-5853,CVE-2017-5854,CVE-2017-5855,CVE-2017-5886,CVE-2017-6840,CVE-2017-6844,CVE-2017-6845,CVE-2017-6847,CVE-2017-7378,CVE-2017-7379,CVE-2017-7380,CVE-2017-7994,CVE-2017-8054,CVE-2017-8787,CVE-2018-5295,CVE-2018-5296,CVE-2018-5308,CVE-2018-5309,CVE-2018-8001
Sources used:
openSUSE Leap 42.3 (src):    podofo-0.9.6-10.3.1
Comment 7 Marcus Meissner 2019-10-31 08:18:51 UTC
released