Bug 1205486 - (CVE-2022-43295) VUL-0: CVE-2022-43295: xpdf: pdftotext crash
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
Reported: 2022-11-16 13:45 UTC by Alexander Bergmann
Modified: 2023-02-20 12:58 UTC (History)
Found By: Security Response Team

Reproducer: id_000011,sig_11,src_001031,op_havoc,rep_2 (812 bytes, application/pdf)
2022-11-16 14:04 UTC, Alexander Bergmann

Description Alexander Bergmann 2022-11-16 13:45:55 UTC

XPDF v4.04 was discovered to contain a stack overflow via the function
FileStream::copy() at xpdf/Stream.cc:795.

Comment 1 Alexander Bergmann 2022-11-16 14:04:12 UTC
Created attachment 862922 [details]
Reproducer: id_000011,sig_11,src_001031,op_havoc,rep_2

So far I was not able to reproduce the issue and to catch a memory leak.

$ valgrind -s --leak-check=full pdftotext reproducer.pdf
==25981== HEAP SUMMARY:
==25981==     in use at exit: 2,112 bytes in 19 blocks
==25981==   total heap usage: 6,994 allocs, 6,975 frees, 977,025 bytes allocated
==25981== LEAK SUMMARY:
==25981==    definitely lost: 0 bytes in 0 blocks
==25981==    indirectly lost: 0 bytes in 0 blocks
==25981==      possibly lost: 0 bytes in 0 blocks
==25981==    still reachable: 2,112 bytes in 19 blocks
==25981==         suppressed: 0 bytes in 0 blocks
==25981== Reachable blocks (those to which a pointer was found) are not shown.
==25981== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==25981== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Comment 2 Alexander Bergmann 2022-11-16 14:18:28 UTC
It's a bit unclear if the poppler pdftotext tool is indeed affected. No fix is available yet.
Comment 4 Peter Simons 2023-02-20 12:10:43 UTC
Upstream does not intend to fix this issue with a patch but rather with a general re-write of xpdf:

> That's a loop in the PDF object structure.
> I'm working on a more robust loop detector for Xpdf 5.
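The loop detector upstream describes, as an added example that is not part of this bug report and not xpdf's or poppler's code: a simplified, constructed model of PDF indirect references (the object table, the `Ref` type and the sample objects are all constructed here) in which a stream's /Length that points into a reference loop exhausts the stack under unguarded recursion, but is rejected as a parse error once the objects on the current resolution path are tracked.

```python
"""Cycle-safe resolution of PDF indirect references (added example)."""
from dataclasses import dataclass
from typing import Any, Callable

# Constructed model of a parsed PDF: object number -> object. An indirect
# reference "n 0 R" is Ref(n); a stream dictionary is a dict carrying /Length.
@dataclass(frozen=True)
class Ref:
    num: int

class PdfLoopError(ValueError):
    """The object structure refers back to itself."""

def resolve_naive(objects: dict[int, Any], obj: Any) -> Any:
    """Follow references with no guard: a self-referencing file recurses until
    the stack is exhausted (RecursionError in Python, a crash in C++)."""
    if not isinstance(obj, Ref):
        return obj
    return resolve_naive(objects, objects.get(obj.num))

def resolve(objects: dict[int, Any], obj: Any, _path: tuple[int, ...] = ()) -> Any:
    """Follow references, refusing any object already on the current path."""
    if not isinstance(obj, Ref):
        return obj
    if obj.num in _path:
        chain = " -> ".join(str(n) for n in _path + (obj.num,))
        raise PdfLoopError(f"reference loop: {chain}")
    # A reference to a missing object resolves to null (None) per the PDF spec.
    return resolve(objects, objects.get(obj.num), _path + (obj.num,))

def stream_length(objects: dict[int, Any], num: int) -> int:
    """Length of stream object `num`, which a copy routine needs before reading
    the stream bytes; /Length may be a direct integer or an indirect reference."""
    stream = resolve(objects, Ref(num))
    length = resolve(objects, stream["/Length"])
    if not isinstance(length, int) or length < 0:
        raise ValueError(f"object {num}: bad /Length {length!r}")
    return length

def outcome(fn: Callable[..., Any], *args: Any) -> str:
    """Run a resolver and report "ok:<value>" or the exception type it raised."""
    try:
        return f"ok:{fn(*args)}"
    except (ValueError, RecursionError) as exc:
        return type(exc).__name__

# Constructed objects: a valid stream (1, /Length held in 2), a crafted
# loop 3 -> 4 -> 3, and stream 5 whose /Length points into that loop.
OBJECTS: dict[int, Any] = {1: {"/Length": Ref(2)}, 2: 812,
                           3: Ref(4), 4: Ref(3), 5: {"/Length": Ref(3)}}
```

Running `outcome(resolve_naive, OBJECTS, Ref(3))` reports the exhausted stack, while `outcome(stream_length, OBJECTS, 5)` reports the loop as a `PdfLoopError` and `stream_length(OBJECTS, 1)` still returns 812.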
Comment 5 Peter Simons 2023-02-20 12:25:35 UTC
I cannot reproduce the exploit. When given the crafted PDF file, pdftotext from poppler aborts with an error. There is no crash and no segmentation fault. This bug appears to affect only xpdf -- which we don't ship. I think this can be closed.