Bugzilla – Bug 1029856
VUL-0: CVE-2017-6846: podofo: A NULL pointer dereference could lead to denial of service
Last modified: 2018-10-11 08:26:41 UTC
CVE-2017-6846 The GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace function in graphicsstack.h in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6846
http://seclists.org/oss-sec/2017/q1/600
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-6846.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6846
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementsetnonstrokingcolorspace-graphicsstack-h/
Antonio - Can you look into this? Thanks.
Created attachment 774210: reproducer
The version from SLE12 is affected by this issue, which hasn't been fixed by upstream yet.

./podofocolor dummy ~/Downloads/00173-podofo-nullptr-GraphicsStack-TGraphicsStackElement-SetNonStrokingColorSpace foo
<</DocChecksum/DB32E66F6F34BF1E8F2E9B7E403215D4/ID[<4E9B7DEC390D4421658ED31A3E6687B5><4E9B7DEC390D4421658ED31A3E6687B5>]/Info 13 0 R/Root 12 0 R/Size 14>>
Processing page 1...
Reading object 3 0 R with type: Number
Error: An error 8 ocurred during processing the pdf file
PoDoFo encounter an error. Error: 8 ePdfError_InternalLogic
Error Description: An internal error occurred.
Callstack:
#0 Error Source: /home/antonio/ibs/home/alarrosa/branches/SUSE/SLE-12/Update3/podofo/podofo-0.9.2/tools/podofocolor/graphicsstack.cpp:53
Information: Can get current graphicsstate!
My fault. This wasn't actually reproducible in SLE12. The error in #c3 is a regular error being caught correctly, not a NULL dereference as should be expected. I checked also with valgrind, which doesn't report any error at all (apart from 8 bytes lost in 1 block and 312 bytes in 6 blocks still reachable).
Thanks, adjusted our tracking.