Bug 1146702 - (CVE-2019-15142) VUL-1: CVE-2019-15142: djvulibre: heap-based buffer over-read in the DJVU reader may lead to DOS
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/240407/
Whiteboard: CVSSv2:NVD:CVE-2019-15142:4.3:(AV:N/A...
Reported: 2019-08-21 16:54 UTC by Alexandros Toptsoglou
Modified: 2019-10-20 08:14 UTC (History)

Found By: Security Response Team


Attachments
POC (2.35 KB, image/vnd.djvu)
2019-08-22 12:08 UTC, Alexandros Toptsoglou

Description Alexandros Toptsoglou 2019-08-21 16:54:46 UTC
CVE-2019-15142

In DjVuLibre 3.5.27, DjVmDir.cpp in the DJVU reader component allows attackers
to cause a denial-of-service (application crash in GStringRep::strdup in
libdjvu/GString.cpp caused by a heap-based buffer over-read) by crafting a DJVU
file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-15142
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15142.html
http://www.cvedetails.com/cve/CVE-2019-15142/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15142
https://sourceforge.net/p/djvu/djvulibre-git/ci/970fb11a296b5bbdc5e8425851253d2c5913c45e/
https://sourceforge.net/p/djvu/bugs/296/
Comment 1 Alexandros Toptsoglou 2019-08-22 12:08:41 UTC
Created attachment 815269
POC
Comment 2 Alexandros Toptsoglou 2019-08-22 12:11:35 UTC
The fix can be found at [1]. The fix seems applicable to all codestreams. 

To run the POC simply run: 

djvudump $POC

OUTPUT: 

valgrind djvudump c01.djvu 
==26122== Memcheck, a memory error detector
==26122== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==26122== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==26122== Command: djvudump c01.djvu
==26122== 
==26122== Invalid read of size 1
==26122==    at 0x4C31202: strlen (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26122==    by 0x4F32488: DJVU::GStringRep::strdup(char const*) const (GString.cpp:1013)
==26122==    by 0x4F368A6: DJVU::GStringRep::UTF8::create(char const*) (GString.cpp:160)
==26122==    by 0x4F3B2D2: DJVU::GUTF8String::operator=(char const*) (GString.cpp:2622)
==26122==    by 0x4EA537F: DJVU::DjVmDir::decode(DJVU::GP<DJVU::ByteStream> const&) (DjVmDir.cpp:310)
==26122==    by 0x4ED5470: DJVU::display_djvm_dirm(DJVU::ByteStream&, DJVU::IFFByteStream&, DJVU::GUTF8String, unsigned long, DJVU::DjVmInfo&, int) (DjVuDumpHelper.cpp:172)
==26122==    by 0x4ED5EB7: DJVU::display_chunks(DJVU::ByteStream&, DJVU::IFFByteStream&, DJVU::GUTF8String const&, DJVU::DjVmInfo) (DjVuDumpHelper.cpp:335)
==26122==    by 0x4ED61AB: DJVU::display_chunks(DJVU::ByteStream&, DJVU::IFFByteStream&, DJVU::GUTF8String const&, DJVU::DjVmInfo) (DjVuDumpHelper.cpp:342)
==26122==    by 0x4ED666A: DJVU::DjVuDumpHelper::dump(DJVU::GP<DJVU::ByteStream>) (DjVuDumpHelper.cpp:361)
==26122==    by 0x10A531: display(DJVU::GURL const&) (djvudump.cpp:128)
==26122==    by 0x10A122: main (djvudump.cpp:178)
==26122==  Address 0x63604a1 is 0 bytes after a block of size 33 alloc'd
==26122==    at 0x4C2E68F: operator new(unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==26122==    by 0x4F15908: DJVU::GArrayBase::resize(int, int) (GContainer.cpp:220)
==26122==    by 0x4EA52E4: resize (GContainer.h:496)
==26122==    by 0x4EA52E4: DJVU::DjVmDir::decode(DJVU::GP<DJVU::ByteStream> const&) (DjVmDir.cpp:299)
==26122==    by 0x4ED5470: DJVU::display_djvm_dirm(DJVU::ByteStream&, DJVU::IFFByteStream&, DJVU::GUTF8String, unsigned long, DJVU::DjVmInfo&, int) (DjVuDumpHelper.cpp:172)
==26122==    by 0x4ED5EB7: DJVU::display_chunks(DJVU::ByteStream&, DJVU::IFFByteStream&, DJVU::GUTF8String const&, DJVU::DjVmInfo) (DjVuDumpHelper.cpp:335)
==26122==    by 0x4ED61AB: DJVU::display_chunks(DJVU::ByteStream&, DJVU::IFFByteStream&, DJVU::GUTF8String const&, DJVU::DjVmInfo) (DjVuDumpHelper.cpp:342)
==26122==    by 0x4ED666A: DJVU::DjVuDumpHelper::dump(DJVU::GP<DJVU::ByteStream>) (DjVuDumpHelper.cpp:361)
==26122==    by 0x10A531: display(DJVU::GURL const&) (djvudump.cpp:128)
==26122==    by 0x10A122: main (djvudump.cpp:178)

[1] https://sourceforge.net/p/djvu/djvulibre-git/ci/970fb11a296b5bbdc5e8425851253d2c5913c45e/
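The over-read in the trace above comes from walking NUL-separated id/name/title strings with strlen() and a bare pointer, trusting a decoded block whose contents the file controls. The C below is an added example, not DjVuLibre code and not the attached POC: it models that walk in a pre-fix form next to a bounded form that rejects the block the way the fixed decoder does ("DjVu document is corrupted (DjVmDir)"). The struct and function names, the HAS_NAME/HAS_TITLE values and the exact validation are assumptions made for illustration; the sample string block is constructed.

```c
/* Added example, not DjVuLibre code and not the attached POC: a minimal model of
 * the string-table walk in DjVmDir::decode (DjVmDir.cpp:299-313 in the trace).
 * Names, flag values and the exact validation are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HAS_NAME  0x80   /* assumed per-file flag bits */
#define HAS_TITLE 0x40

struct dirm_entry { const char *id, *name, *title; };  /* name/title NULL if absent */

/* Pre-fix pattern: "file->id = ptr; ptr += strlen(ptr)+1" with nothing bounding
 * ptr to the decoded block. A DIRM chunk whose last string has no NUL, or that
 * carries fewer strings than the flags promise, sends strlen() past the heap
 * block: the "Invalid read of size 1 ... 0 bytes after a block" in the trace. */
static void walk_unchecked(const char *blob, const unsigned char *flags,
                           int nfiles, struct dirm_entry *out)
{
    const char *p = blob;
    for (int i = 0; i < nfiles; i++) {
        out[i].name = out[i].title = NULL;
        out[i].id = p;
        p += strlen(p) + 1;
        if (flags[i] & HAS_NAME)  { out[i].name  = p; p += strlen(p) + 1; }
        if (flags[i] & HAS_TITLE) { out[i].title = p; p += strlen(p) + 1; }
    }
}

/* Hardened helper: consume one string whose NUL must lie before `end`. */
static const char *take_string(const char **pp, const char *end)
{
    const char *nul = memchr(*pp, '\0', (size_t)(end - *pp));
    if (nul == NULL)
        return NULL;                       /* string would run off the block */
    const char *s = *pp;
    *pp = nul + 1;
    return s;
}

/* 0 on success, -1 for a malformed block, the case the fixed decoder reports as
 * "DjVu document is corrupted (DjVmDir)". Trailing-NUL precheck plus per-string
 * bound is one way to get there; it is an assumption, not a copy of the fix. */
static int walk_checked(const char *blob, size_t len, const unsigned char *flags,
                        int nfiles, struct dirm_entry *out)
{
    if (len == 0 || blob[len - 1] != '\0')
        return -1;
    const char *p = blob, *end = blob + len;
    for (int i = 0; i < nfiles; i++) {
        out[i].name = out[i].title = NULL;
        if ((out[i].id = take_string(&p, end)) == NULL)
            return -1;
        if ((flags[i] & HAS_NAME) && (out[i].name = take_string(&p, end)) == NULL)
            return -1;
        if ((flags[i] & HAS_TITLE) && (out[i].title = take_string(&p, end)) == NULL)
            return -1;
    }
    return 0;
}

/* Constructed block for two files: id, name, id (file 1 has no name). sizeof-1
 * drops the literal's own terminator, leaving 28 bytes that end in NUL. */
static const char good_blob[] = "p0001.djvu\0page1\0p0002.djvu\0";
static const unsigned char sample_flags[2] = { HAS_NAME, 0 };

/* Self-checks; each returns the value its comment states when the walk is right. */
static int check_good_block(void)               /* expect 0 */
{
    struct dirm_entry e[2];
    if (walk_checked(good_blob, sizeof good_blob - 1, sample_flags, 2, e) != 0) return 1;
    if (strcmp(e[0].id, "p0001.djvu") || !e[0].name || strcmp(e[0].name, "page1") || e[0].title) return 2;
    if (strcmp(e[1].id, "p0002.djvu") || e[1].name || e[1].title) return 3;
    return 0;
}
static int check_unterminated_block(void)       /* final NUL dropped: expect -1 */
{
    struct dirm_entry e[2];
    return walk_checked(good_blob, sizeof good_blob - 2, sample_flags, 2, e);
}
static int check_short_block(void)              /* terminated, one string only: expect -1 */
{
    struct dirm_entry e[2];
    return walk_checked(good_blob, 11, sample_flags, 2, e);
}

int main(void)
{
    printf("good %d, unterminated %d, short %d\n",
           check_good_block(), check_unterminated_block(), check_short_block());

    /* Reproduce the over-read: exact-size heap copy with the final NUL missing,
     * walked the pre-fix way. Run under valgrind or -fsanitize=address to see
     * the strlen() read just past the 27-byte block. */
    size_t n = sizeof good_blob - 2;
    char *bad = malloc(n);
    if (bad == NULL) return 1;
    memcpy(bad, good_blob, n);
    struct dirm_entry e[2];
    walk_unchecked(bad, sample_flags, 2, e);
    free(bad);
    return 0;
}
```

Build with cc -g -fsanitize=address example.c and run it: the checked walk returns -1 for both malformed blocks, while the unchecked walk on the heap copy trips ASan (or valgrind's "Invalid read of size 1") inside strlen, the same shape as the trace in comment 2. The two malformed inputs are the two ways a DIRM string table can lie: a missing terminator on the last string, and fewer strings than the per-file flags promise.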
Comment 3 Petr Gajdos 2019-09-02 12:07:04 UTC
BEFORE

see comment 2, similar for all codestreams

PATCH

referenced in comment 0
will take 89d71b01d606e57ecec2c2930c145bb20ba5bbe3 as well

AFTER

devel,15,12,11/djvulibre

$ valgrind  -q djvudump c01.djvu
*** DjVu document is corrupted (DjVmDir)
*** (DjVmDir.cpp:313)
*** 'void DJVU::DjVmDir::decode(const DJVU::GP<DJVU::ByteStream>&)'

$
Comment 4 Petr Gajdos 2019-09-02 12:07:41 UTC
Will submit for devel,15,12,11/djvulibre.
Comment 5 Petr Gajdos 2019-09-02 12:18:48 UTC
I believe all fixed.
Comment 6 Swamp Workflow Management 2019-09-02 12:50:15 UTC
This is an autogenerated message for OBS integration:
This bug (1146702) was mentioned in
https://build.opensuse.org/request/show/727759 Factory / djvulibre
Comment 8 Swamp Workflow Management 2019-09-24 13:21:47 UTC
SUSE-SU-2019:2444-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1146569,1146571,1146572,1146702
CVE References: CVE-2019-15142,CVE-2019-15143,CVE-2019-15144,CVE-2019-15145
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    djvulibre-3.5.25.3-5.3.1
SUSE Linux Enterprise Server 12-SP4 (src):    djvulibre-3.5.25.3-5.3.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    djvulibre-3.5.25.3-5.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2019-09-24 19:11:47 UTC
SUSE-SU-2019:2452-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1146569,1146571,1146572,1146702
CVE References: CVE-2019-15142,CVE-2019-15143,CVE-2019-15144,CVE-2019-15145
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    djvulibre-3.5.27-3.3.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    djvulibre-3.5.27-3.3.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    djvulibre-3.5.27-3.3.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    djvulibre-3.5.27-3.3.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    djvulibre-3.5.27-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2019-09-30 10:11:47 UTC
openSUSE-SU-2019:2217-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1146569,1146571,1146572,1146702
CVE References: CVE-2019-15142,CVE-2019-15143,CVE-2019-15144,CVE-2019-15145
Sources used:
openSUSE Leap 15.0 (src):    djvulibre-3.5.27-lp150.2.3.1
Comment 11 Swamp Workflow Management 2019-09-30 19:13:32 UTC
openSUSE-SU-2019:2219-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1146569,1146571,1146572,1146702
CVE References: CVE-2019-15142,CVE-2019-15143,CVE-2019-15144,CVE-2019-15145
Sources used:
openSUSE Leap 15.1 (src):    djvulibre-3.5.27-lp151.3.3.1
Comment 12 Marcus Meissner 2019-10-20 08:14:52 UTC
done