Bug 1061092 - (CVE-2017-14928) VUL-0: CVE-2017-14928: poppler: In Poppler 0.59.0, a NULL Pointer Dereference exists in AnnotRichMedia::Configuration::Configuration in Annot.cc via a crafted PDF document.
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/192666/
CVSSv2:SUSE:CVE-2017-14928:7.8:(AV:N/...
Reported: 2017-09-29 14:28 UTC by Marcus Meissner
Modified: 2020-04-28 14:10 UTC (History)
Found By: Security Response Team
Attachments
mal-Annot-cc-6770-3-16.pdf (2.61 KB, application/octet-stream)
2017-09-29 14:31 UTC, Marcus Meissner
Description Marcus Meissner 2017-09-29 14:28:24 UTC
CVE-2017-14928

In Poppler 0.59.0, a NULL Pointer Dereference exists in
AnnotRichMedia::Configuration::Configuration in Annot.cc via a crafted
PDF document.

https://bugs.freedesktop.org/show_bug.cgi?id=102607

A NULL pointer dereference vulnerability was found in poppler Annot.cc AnnotRichMedia::Configuration::Configuration(), which may lead to a potential Denial of Service attack when handling malicious PDF files:

gzq@ubuntu:~/work/vul/poppler$ /home/gzq/install/poppler-dev/bin/pdftohtml -s ./mal-Annot-cc-6770-3-16.pdf a
Syntax Error: End of file inside dictionary
Syntax Warning: No valid XRef size in trailer
Syntax Error (1884): Dictionary key must be a name object
Syntax Error: Unterminated string
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Syntax Error: End of file inside array
Syntax Error: End of file inside dictionary
Segmentation fault

The Configuration() function code is as below:
AnnotRichMedia::Configuration::Configuration(Dict *dict)
{
  Object obj1 = dict->lookup("Instances");
  if (obj1.isArray()) {
    nInstances = obj1.arrayGetLength();

    instances = (Instance **)gmallocn(nInstances, sizeof(Instance *));

    for (int i = 0; i < nInstances; ++i) {
      Object obj2 = obj1.arrayGet(i);
      if (obj2.isDict()) {
        instances[i] = new AnnotRichMedia::Instance(obj2.getDict());
      } else {
        instances[i] = NULL;
      }
    }
  } else {
    instances = NULL;
  }

  obj1 = dict->lookup("Name");
  if (obj1.isString()) {
    name = new GooString(obj1.getString());
  } else {
    name = NULL;
  }

  obj1 = dict->lookup("Subtype");
  if (obj1.isName()) {
    const char *name = obj1.getName();

    if (!strcmp(name, "3D")) {
      type = type3D;
    } else if (!strcmp(name, "Flash")) {
      type = typeFlash;
    } else if (!strcmp(name, "Sound")) {
      type = typeSound;
    } else if (!strcmp(name, "Video")) {
      type = typeVideo;
    } else {
      // determine from first instance
      if (instances && nInstances > 0) {
        AnnotRichMedia::Instance *instance = instances[0];
        switch (instance->getType()) {
          case AnnotRichMedia::Instance::type3D:
            type = type3D;
            break;
          case AnnotRichMedia::Instance::typeFlash:
            type = typeFlash;
            break;
          case AnnotRichMedia::Instance::typeSound:
            type = typeSound;
            break;
          case AnnotRichMedia::Instance::typeVideo:
            type = typeVideo;
            break;
          default:
            type = typeFlash;
            break;
        }
      }
    }
  }
}

From the for() loop we can see that it is possible that instances[i] is set to NULL if a crafted PDF file is being handled, but the following call instance->getType() is not aware of it.

This vulnerability has been reproduced in both the latest stable release 0.59.0 and the latest code in the repository. xpdf is also affected.

A PDF file has been attached to help reproduce this vulnerability.
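As an added illustration (not poppler's code and not the upstream fix commit), the "determine from first instance" fallback is shown here beside a checked form, using constructed stand-ins for the Instance type and the type enum; the only assumed change is that a first element which was not a dictionary (stored as NULL by the parsing loop) is treated like a missing instance.

```cpp
#include <cstring>
#include <vector>

// Constructed stand-ins for the poppler types involved; not poppler's own API.
enum MediaType { typeUnknown, type3D, typeFlash, typeSound, typeVideo };

struct Instance {
    MediaType type;
    MediaType getType() const { return type; }
};

// Constructed sample instances for exercising both fallbacks.
static const Instance kSoundInstance{typeSound};
static const Instance kVideoInstance{typeVideo};

// Maps the /Subtype name the way the constructor does; typeUnknown means
// "not recognised, fall back to the first instance".
static MediaType subtypeFromName(const char *name) {
    if (!strcmp(name, "3D"))    return type3D;
    if (!strcmp(name, "Flash")) return typeFlash;
    if (!strcmp(name, "Sound")) return typeSound;
    if (!strcmp(name, "Video")) return typeVideo;
    return typeUnknown;
}

// Fallback as written in the vulnerable constructor: instances[0] is
// dereferenced although the parsing loop stores NULL for every array element
// that is not a dictionary. A leading nullptr here is the reported crash.
MediaType resolveTypeUnchecked(const char *subtype,
                               const std::vector<const Instance *> &instances) {
    MediaType t = subtypeFromName(subtype);
    if (t != typeUnknown) return t;
    if (!instances.empty()) {
        const Instance *instance = instances[0];
        return instance->getType();  // NULL dereference on crafted input
    }
    return typeFlash;  // assumption: the original leaves type unset here
}

// Checked fallback: a NULL first element yields the same default (Flash)
// as the original switch's default case instead of being dereferenced.
MediaType resolveTypeChecked(const char *subtype,
                             const std::vector<const Instance *> &instances) {
    MediaType t = subtypeFromName(subtype);
    if (t != typeUnknown) return t;
    if (!instances.empty() && instances[0] != nullptr) {
        MediaType it = instances[0]->getType();
        return it == typeUnknown ? typeFlash : it;
    }
    return typeFlash;
}
```

Note that the unchecked path is only reached when /Subtype is absent or unrecognised, which is why a well-formed document never triggers it.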
Comment 1 Marcus Meissner 2017-09-29 14:31:27 UTC
Created attachment 742590 [details]
mal-Annot-cc-6770-3-16.pdf

QA REPRODUCER:

pdftohtml mal-Annot-cc-6770-3-16.pdf

(or evince mal-Annot-cc-6770-3-16.pdf  or okular mal-Annot-cc-6770-3-16.pdf)

should not crash.
Comment 2 Marcus Meissner 2017-09-29 14:34:28 UTC
SLE12 SP2 and later seem affected.

SLE12 SP1 and older seem not affected.
Comment 3 Peter Simons 2017-10-20 12:33:59 UTC
Fix upstream in git commit 1316c7a41f4dd7276f404f775ebb5fef2d24ab1c.
Comment 6 Swamp Workflow Management 2018-06-12 19:26:00 UTC
SUSE-SU-2018:1662-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1045939,1059066,1059101,1059155,1060220,1061092,1061263,1061264,1061265,1064593,1074453
CVE References: CVE-2017-1000456,CVE-2017-14517,CVE-2017-14518,CVE-2017-14520,CVE-2017-14617,CVE-2017-14928,CVE-2017-14975,CVE-2017-14976,CVE-2017-14977,CVE-2017-15565,CVE-2017-9865
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    poppler-0.43.0-16.15.1, poppler-qt-0.43.0-16.15.1
SUSE Linux Enterprise Server 12-SP3 (src):    poppler-0.43.0-16.15.1, poppler-qt-0.43.0-16.15.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    poppler-0.43.0-16.15.1, poppler-qt-0.43.0-16.15.1
Comment 7 Swamp Workflow Management 2018-06-16 13:11:29 UTC
openSUSE-SU-2018:1721-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1045939,1059066,1059101,1059155,1060220,1061092,1061263,1061264,1061265,1064593,1074453
CVE References: CVE-2017-1000456,CVE-2017-14517,CVE-2017-14518,CVE-2017-14520,CVE-2017-14617,CVE-2017-14928,CVE-2017-14975,CVE-2017-14976,CVE-2017-14977,CVE-2017-15565,CVE-2017-9865
Sources used:
openSUSE Leap 42.3 (src):    poppler-0.43.0-8.1, poppler-qt-0.43.0-8.1, poppler-qt5-0.43.0-8.1
Comment 8 Alexandros Toptsoglou 2020-04-28 14:10:27 UTC
Done