Bug 1045939 - (CVE-2017-9865) VUL-1: CVE-2017-9865: poppler: DoS in function GfxImageColorMap::getGray in GfxState.cc
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other, OS: Other
Priority: P4 - Low, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/187283/
CVSSv3:SUSE:CVE-2017-9865:4.3:(AV:N/A...
Reported: 2017-06-26 09:33 UTC by Alexander Bergmann
Modified: 2020-04-28 14:10 UTC (History)

Found By: Security Response Team
Attachments
reproducer stack-buffer-overflow-in-GfxImageColorMap_getGray-1.pdf (26.05 KB, application/pdf)
2017-06-26 09:35 UTC, Alexander Bergmann
Description Alexander Bergmann 2017-06-26 09:33:30 UTC
CVE-2017-9865

The function GfxImageColorMap::getGray in GfxState.cc in Poppler 0.54.0 allows
remote attackers to cause a denial of service (stack-based buffer over-read and
application crash) via a crafted PDF document, related to missing color-map
validation in ImageOutputDev.cc.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9865
http://www.cvedetails.com/cve/CVE-2017-9865/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9865
https://bugs.freedesktop.org/show_bug.cgi?id=100774
http://somevulnsofadlab.blogspot.com/2017/06/popplerstack-buffer-overflow-in.html
Comment 1 Alexander Bergmann 2017-06-26 09:35:33 UTC
Created attachment 730177
reproducer stack-buffer-overflow-in-GfxImageColorMap_getGray-1.pdf
Comment 2 Alexander Bergmann 2017-06-26 09:37:17 UTC
#> valgrind pdfimages stack-buffer-overflow-in-GfxImageColorMap_getGray-1.pdf out
==1068== Memcheck, a memory error detector
==1068== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==1068== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==1068== Command: pdfimages CVE-2017-9865.pdf out
==1068== 
==1068== Use of uninitialised value of size 8
==1068==    at 0x4F6AA2C: GfxImageColorMap::getGray(unsigned char*, int*) (in /usr/lib64/libpoppler.so.60.0.0)
==1068==    by 0x405289: ??? (in /usr/bin/pdfimages)
==1068==    by 0x405B2E: ??? (in /usr/bin/pdfimages)
==1068==    by 0x40601C: ??? (in /usr/bin/pdfimages)
==1068==    by 0x4F54409: Gfx::doImage(Object*, Stream*, bool) (in /usr/lib64/libpoppler.so.60.0.0)
==1068==    by 0x4F556D8: Gfx::opXObject(Object*, int) (in /usr/lib64/libpoppler.so.60.0.0)
==1068==    by 0x4F4F578: Gfx::go(bool) (in /usr/lib64/libpoppler.so.60.0.0)
==1068==    by 0x4F4F98C: Gfx::display(Object*, bool) (in /usr/lib64/libpoppler.so.60.0.0)
==1068==    by 0x4F95217: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (in /usr/lib64/libpoppler.so.60.0.0)
==1068==    by 0x4F953F9: Page::display(OutputDev*, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (in /usr/lib64/libpoppler.so.60.0.0)
==1068==    by 0x4F9C57C: PDFDoc::displayPages(OutputDev*, int, int, double, double, int, bool, bool, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*) (in /usr/lib64/libpoppler.so.60.0.0)
==1068==    by 0x4045C3: ??? (in /usr/bin/pdfimages)
==1068== 
==1068== 
==1068== HEAP SUMMARY:
==1068==     in use at exit: 87,296 bytes in 48 blocks
==1068==   total heap usage: 11,899 allocs, 11,851 frees, 3,993,058 bytes allocated
==1068== 
==1068== LEAK SUMMARY:
==1068==    definitely lost: 0 bytes in 0 blocks
==1068==    indirectly lost: 0 bytes in 0 blocks
==1068==      possibly lost: 0 bytes in 0 blocks
==1068==    still reachable: 87,296 bytes in 48 blocks
==1068==         suppressed: 0 bytes in 0 blocks
==1068== Rerun with --leak-check=full to see details of leaked memory
==1068== 
==1068== For counts of detected and suppressed errors, rerun with: -v
==1068== Use --track-origins=yes to see where uninitialised values come from
==1068== ERROR SUMMARY: 14 errors from 1 contexts (suppressed: 0 from 0)
Comment 8 Swamp Workflow Management 2018-06-12 19:18:46 UTC
SUSE-SU-2018:1662-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1045939,1059066,1059101,1059155,1060220,1061092,1061263,1061264,1061265,1064593,1074453
CVE References: CVE-2017-1000456,CVE-2017-14517,CVE-2017-14518,CVE-2017-14520,CVE-2017-14617,CVE-2017-14928,CVE-2017-14975,CVE-2017-14976,CVE-2017-14977,CVE-2017-15565,CVE-2017-9865
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    poppler-0.43.0-16.15.1, poppler-qt-0.43.0-16.15.1
SUSE Linux Enterprise Server 12-SP3 (src):    poppler-0.43.0-16.15.1, poppler-qt-0.43.0-16.15.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    poppler-0.43.0-16.15.1, poppler-qt-0.43.0-16.15.1
Comment 9 Swamp Workflow Management 2018-06-16 13:10:37 UTC
openSUSE-SU-2018:1721-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1045939,1059066,1059101,1059155,1060220,1061092,1061263,1061264,1061265,1064593,1074453
CVE References: CVE-2017-1000456,CVE-2017-14517,CVE-2017-14518,CVE-2017-14520,CVE-2017-14617,CVE-2017-14928,CVE-2017-14975,CVE-2017-14976,CVE-2017-14977,CVE-2017-15565,CVE-2017-9865
Sources used:
openSUSE Leap 42.3 (src):    poppler-0.43.0-8.1, poppler-qt-0.43.0-8.1, poppler-qt5-0.43.0-8.1
Comment 10 Alexandros Toptsoglou 2020-04-28 14:10:44 UTC
Done