Bug 1029856 - (CVE-2017-6846) VUL-0: CVE-2017-6846: podofo: A NULL pointer dereference could lead to denial of service
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Normal
Assigned To: Antonio Larrosa
Security Team bot
https://smash.suse.de/issue/181631/
CVSSv3:NVD:CVE-2017-6846:5.5:(AV:L/AC...
Reported: 2017-03-17 10:07 UTC by Victor Pereira
Modified: 2018-10-11 08:26 UTC

Found By: Security Response Team
Attachments
reproducer (7.19 KB, application/pdf)
2018-06-15 12:22 UTC, Antonio Larrosa
Description Victor Pereira 2017-03-17 10:07:51 UTC
CVE-2017-6846

The GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace function in
graphicsstack.h in PoDoFo 0.9.4 allows remote attackers to cause a denial of
service (NULL pointer dereference) via a crafted file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6846
http://seclists.org/oss-sec/2017/q1/600
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-6846.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6846
https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementsetnonstrokingcolorspace-graphicsstack-h/
Comment 1 Scott Reeves 2018-03-13 04:33:54 UTC
Antonio - Can you look into this? Thanks.
Comment 2 Antonio Larrosa 2018-06-15 12:22:33 UTC
Created attachment 774210
reproducer
Comment 3 Antonio Larrosa 2018-06-15 12:25:52 UTC
The version from SLE12 is affected by this issue, which hasn't been fixed by upstream yet.

./podofocolor dummy ~/Downloads/00173-podofo-nullptr-GraphicsStack-TGraphicsStackElement-SetNonStrokingColorSpace  foo
<</DocChecksum/DB32E66F6F34BF1E8F2E9B7E403215D4/ID[<4E9B7DEC390D4421658ED31A3E6687B5><4E9B7DEC390D4421658ED31A3E6687B5>]/Info 13 0 R/Root 12 0 R/Size 14>>
Processing page      1...
Reading object 3 0 R with type: Number
Error: An error 8 ocurred during processing the pdf file


PoDoFo encounter an error. Error: 8 ePdfError_InternalLogic
        Error Description: An internal error occurred.
        Callstack:
        #0 Error Source: /home/antonio/ibs/home/alarrosa/branches/SUSE/SLE-12/Update3/podofo/podofo-0.9.2/tools/podofocolor/graphicsstack.cpp:53
                Information: Can get current graphicsstate!
Comment 4 Antonio Larrosa 2018-06-26 17:22:12 UTC
My fault. This wasn't actually reproducible in SLE12. The error in #c3 is a regular error being caught correctly, not a NULL dereference as should be expected. I also checked with valgrind, which doesn't report any error at all (apart from 8 bytes lost in 1 block and 312 bytes in 6 blocks still reachable).
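The distinction drawn in comment 4, between an error the tool catches and reports and a NULL dereference that kills the process, can be checked mechanically when triaging a reproducer. The following is an added example, not part of the bug report or of PoDoFo; the function names, verdict labels and 60-second timeout are assumptions of the example.

```python
import subprocess
import sys

# "ePdfError_" is the prefix of the error name printed in comment 3.
HANDLED_MARKER = "ePdfError_"
# Standard prefix of an AddressSanitizer report.
ASAN_MARKER = "ERROR: AddressSanitizer"


def classify(returncode, output):
    """Return 'crash', 'handled-error' or 'clean' for one run of the tool."""
    if returncode < 0:
        # subprocess reports death by signal N as -N (SIGSEGV gives -11),
        # which is what an uncaught NULL dereference produces.
        return "crash"
    if ASAN_MARKER in output:
        # Sanitizer builds intercept the fault and exit normally after
        # printing a report, so the exit status alone is not enough.
        return "crash"
    if returncode != 0 or HANDLED_MARKER in output:
        # The library raised its own error and the tool reported it.
        return "handled-error"
    return "clean"


def triage(argv, timeout=60):
    """Run argv once and return (verdict, returncode, combined output)."""
    proc = subprocess.run(
        argv,
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,
        text=True,
        errors="replace",  # reproducers can make the tool echo raw bytes
        timeout=timeout,
    )
    return classify(proc.returncode, proc.stdout), proc.returncode, proc.stdout


if __name__ == "__main__":
    # Usage (paths are the caller's own):
    #   python3 triage.py ./podofocolor dummy <reproducer.pdf> <output.pdf>
    if len(sys.argv) < 2:
        sys.exit("usage: triage.py COMMAND [ARGS...]")
    verdict, code, _ = triage(sys.argv[1:])
    print(f"{verdict} (returncode {code})")
    sys.exit(0 if verdict != "crash" else 1)
```

Only a `crash` verdict corresponds to the denial of service described in the CVE; the output shown in comment 3 yields `handled-error`.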
Comment 5 Johannes Segitz 2018-10-11 08:26:41 UTC
thanks, adjusted our tracking