Bug 1205486 - (CVE-2022-43295) VUL-0: CVE-2022-43295: poppler: pdftotext crash
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Peter Simons
Security Team bot
https://smash.suse.de/issue/348118/
CVSSv3.1:SUSE:CVE-2022-43295:5.0:(AV:...
Depends on:
Blocks:
Reported: 2022-11-16 13:45 UTC by Alexander Bergmann
Modified: 2022-12-06 17:08 UTC (History)
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
abergmann: needinfo? (peter.simons)


Attachments
Reproducer: id_000011,sig_11,src_001031,op_havoc,rep_2 (812 bytes, application/pdf)
2022-11-16 14:04 UTC, Alexander Bergmann
Description Alexander Bergmann 2022-11-16 13:45:55 UTC
CVE-2022-43295

XPDF v4.04 was discovered to contain a stack overflow via the function
FileStream::copy() at xpdf/Stream.cc:795.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-43295
https://www.cve.org/CVERecord?id=CVE-2022-43295
https://forum.xpdfreader.com/viewtopic.php?t=42360
Comment 1 Alexander Bergmann 2022-11-16 14:04:12 UTC
Created attachment 862922
Reproducer: id_000011,sig_11,src_001031,op_havoc,rep_2

So far I was not able to reproduce the issue and to catch a memory leak.

$ valgrind -s --leak-check=full pdftotext reproducer.pdf
...
==25981== 
==25981== HEAP SUMMARY:
==25981==     in use at exit: 2,112 bytes in 19 blocks
==25981==   total heap usage: 6,994 allocs, 6,975 frees, 977,025 bytes allocated
==25981== 
==25981== LEAK SUMMARY:
==25981==    definitely lost: 0 bytes in 0 blocks
==25981==    indirectly lost: 0 bytes in 0 blocks
==25981==      possibly lost: 0 bytes in 0 blocks
==25981==    still reachable: 2,112 bytes in 19 blocks
==25981==         suppressed: 0 bytes in 0 blocks
==25981== Reachable blocks (those to which a pointer was found) are not shown.
==25981== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==25981== 
==25981== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Comment 2 Alexander Bergmann 2022-11-16 14:18:28 UTC
It's a bit unclear if the poppler pdftotext tool is indeed affected. No fix is available yet.