Bug 1061092 – VUL-0: CVE-2017-14928: poppler: In Poppler 0.59.0, a NULL Pointer Dereference exists inAnnotRichMedia::Configuration::Configuration in Annot.cc via a craftedPDF document.

Bug 1061092 - (CVE-2017-14928) VUL-0: CVE-2017-14928: poppler: In Poppler 0.59.0, a NULL Pointer Dereference exists inAnnotRichMedia::Configuration::Configuration in Annot.cc via a craftedPDF document.

(CVE-2017-14928)
Summary:	VUL-0: CVE-2017-14928: poppler: In Poppler 0.59.0, a NULL Pointer Dereference...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/192666/
Whiteboard:	CVSSv2:SUSE:CVE-2017-14928:7.8:(AV:N/...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-09-29 14:28 UTC by Marcus Meissner
Modified:	2020-04-28 14:10 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
mal-Annot-cc-6770-3-16.pdf (2.61 KB, application/octet-stream) 2017-09-29 14:31 UTC, Marcus Meissner	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2017-09-29 14:28:24 UTC

CVE-2017-14928

In Poppler 0.59.0, a NULL Pointer Dereference exists in
AnnotRichMedia::Configuration::Configuration in Annot.cc via a crafted
PDF document.

https://bugs.freedesktop.org/show_bug.cgi?id=102607

A NULL pointer dereference vulnerability was found in poppler Annot.cc AnnotRichMedia::Configuration::Configuration() which may lead to potential Denial of Service attack when handling malicious PDF files:

gzq@ubuntu:~/work/vul/poppler$ /home/gzq/install/poppler-dev/bin/pdftohtml -s ./mal-Annot-cc-6770-3-16.pdf a
Syntax Error: End of file inside dictionary
Syntax Warning: No valid XRef size in trailer
Syntax Error (1884): Dictionary key must be a name object
Syntax Error: Unterminated string
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Segmentation fault

The Configuation() function code is as below:
AnnotRichMedia::Configuration::Configuration(Dict *dict)
{
  Object obj1 = dict->lookup("Instances");
  if (obj1.isArray()) {
    nInstances = obj1.arrayGetLength();

    instances = (Instance **)gmallocn(nInstances, sizeof(Instance *));

    for (int i = 0; i < nInstances; ++i) {
      Object obj2 = obj1.arrayGet(i);
      if (obj2.isDict()) {
        instances[i] = new AnnotRichMedia::Instance(obj2.getDict());
      } else {
        instances[i] = NULL;
      }
    }
  } else {
    instances = NULL;
  }

  obj1 = dict->lookup("Name");
  if (obj1.isString()) {
    name = new GooString(obj1.getString());
  } else {
    name = NULL;
  }

  obj1 = dict->lookup("Subtype");
  if (obj1.isName()) {
    const char *name = obj1.getName();

    if (!strcmp(name, "3D")) {
      type = type3D;
    } else if (!strcmp(name, "Flash")) {
      type = typeFlash;
    } else if (!strcmp(name, "Sound")) {
      type = typeSound;
    } else if (!strcmp(name, "Video")) {
      type = typeVideo;
    } else {
      // determine from first instance
      if (instances && nInstances > 0) {
        AnnotRichMedia::Instance *instance = instances[0];
        switch (instance->getType()) {
          case AnnotRichMedia::Instance::type3D:
            type = type3D;
            break;
          case AnnotRichMedia::Instance::typeFlash:
            type = typeFlash;
            break;
          case AnnotRichMedia::Instance::typeSound:
            type = typeSound;
            break;
          case AnnotRichMedia::Instance::typeVideo:
            type = typeVideo;
            break;
          default:
            type = typeFlash;
            break;
        }
      }
    }
  }
}

From the for() loop we can see that it is possible that instances[i] is set to NULL if a crafted PDF file is being handled, but the following call instance->getType() is not aware of it.

This vulnerability has been reproduced in both the latest stable release 0.59.0 and the latest code in the repository. xpdf also affected.

A pdf file has been attached to help to reproduce this vulnerability.

Comment 1 Marcus Meissner 2017-09-29 14:31:27 UTC

Created attachment 742590 [details]
mal-Annot-cc-6770-3-16.pdf

QA REPRODUCER:

pdftohtml mal-Annot-cc-6770-3-16.pdf

(or evince mal-Annot-cc-6770-3-16.pdf  or okular mal-Annot-cc-6770-3-16.pdf)

should not crash.

Comment 2 Marcus Meissner 2017-09-29 14:34:28 UTC

SLE12 SP2 and later seem affected.

SLE12 SP1 and older seem not affected.

Comment 3 Peter Simons 2017-10-20 12:33:59 UTC

Fix upstream in git commit 1316c7a41f4dd7276f404f775ebb5fef2d24ab1c.

Comment 6 Swamp Workflow Management 2018-06-12 19:26:00 UTC

SUSE-SU-2018:1662-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1045939,1059066,1059101,1059155,1060220,1061092,1061263,1061264,1061265,1064593,1074453
CVE References: CVE-2017-1000456,CVE-2017-14517,CVE-2017-14518,CVE-2017-14520,CVE-2017-14617,CVE-2017-14928,CVE-2017-14975,CVE-2017-14976,CVE-2017-14977,CVE-2017-15565,CVE-2017-9865
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    poppler-0.43.0-16.15.1, poppler-qt-0.43.0-16.15.1
SUSE Linux Enterprise Server 12-SP3 (src):    poppler-0.43.0-16.15.1, poppler-qt-0.43.0-16.15.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    poppler-0.43.0-16.15.1, poppler-qt-0.43.0-16.15.1

Comment 7 Swamp Workflow Management 2018-06-16 13:11:29 UTC

openSUSE-SU-2018:1721-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1045939,1059066,1059101,1059155,1060220,1061092,1061263,1061264,1061265,1064593,1074453
CVE References: CVE-2017-1000456,CVE-2017-14517,CVE-2017-14518,CVE-2017-14520,CVE-2017-14617,CVE-2017-14928,CVE-2017-14975,CVE-2017-14976,CVE-2017-14977,CVE-2017-15565,CVE-2017-9865
Sources used:
openSUSE Leap 42.3 (src):    poppler-0.43.0-8.1, poppler-qt-0.43.0-8.1, poppler-qt5-0.43.0-8.1

Comment 8 Alexandros Toptsoglou 2020-04-28 14:10:27 UTC

Done