This repository was archived by the owner on Feb 7, 2024. It is now read-only.
This repository was archived by the owner on Feb 7, 2024. It is now read-only.
Roundup: [oss-security] podofo: global buffer overflow in PoDoFo::PdfParser::ReadXRefSubsection (PdfParser.cpp) #86
Description
Here is a report from the oss-security mailing list for Vulnerability Roundup 27.
Instructions:
Identification
Identify if we have the software, in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and make a comment with your findings. It can also be helpful to specify if you think there is a patch, or if it can be fixed via a general update.
Example:
unstable: we are not vulnerable (link to the package)
17.03: we are vulnerable (link to the package)
16.09: we don't have it packaged
IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!
Patching
Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.
If you open a pull request, tag this issue and the master issue for the roundup.
If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:
fixed:
release-16.09: abc123
Upon Completion ...
- Update Graham's database
Info
Triage Indicator:
-needs-triage +roundup27 thread:0000000000003f5d
- File Search: https://search.nix.gsc.io/?q=podofo&i=fosho&repos=nixos-nixpkgs
- GitHub Search: https://github.com/NixOS/nixpkgs/search?utf8=%E2%9C%93&q=podofo+in%3Apath&type=Code
Should the search term be changed from podofo? Suggest a new package search by commenting:
-suggested:podofo +suggested:correctPackageName thread:0000000000003f5d
Known CVEs: CVE-2017-6844
Thu, 2 Mar 2017 16:35:17 +0000 "Agostino Sarubbo" <ago-at-gentoo.org>, 847337.788527028-sendEmail@localhost
Description:
podofo is a C++ library to work with the PDF file format.
A fuzz on it discovered a global overflow. The upstream project denies me to open a new ticket. So, I just will forward this on the -users mailing list.
The complete ASan output:
# podofocolor dummy $FILE foo
==15599==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000014a5838 at pc 0x0000004ca58c bp 0x7ffebe3248b0 sp 0x7ffebe324060
WRITE of size 24 at 0x0000014a5838 thread T0
#0 0x4ca58b in __asan_memcpy /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413
#1 0x7efe75862464 in void std::_Construct(PoDoFo::PdfParser::TXRefEntry*, PoDoFo::PdfParser::TXRefEntry const&) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/bits/stl_construct.h:83:38
#2 0x7efe75862464 in void std::__uninitialized_fill_n::__uninit_fill_n(PoDoFo::PdfParser::TXRefEntry*, unsigned long, PoDoFo::PdfParser::TXRefEntry const&)
/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/bits/stl_uninitialized.h:202
#3 0x7efe75862464 in void std::uninitialized_fill_n(PoDoFo::PdfParser::TXRefEntry*, unsigned long, PoDoFo::PdfParser::TXRefEntry const&) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/bits/stl_uninitialized.h:244
#4 0x7efe75862464 in void std::__uninitialized_fill_n_a(PoDoFo::PdfParser::TXRefEntry*, unsigned long, PoDoFo::PdfParser::TXRefEntry const&, std::allocator&)
/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/bits/stl_uninitialized.h:355
#5 0x7efe75862464 in std::vector<PoDoFo::PdfParser::TXRefEntry, std::allocator >::_M_fill_insert(__gnu_cxx::__normal_iterator<PoDoFo::PdfParser::TXRefEntry*, std::vector<PoDoFo::PdfParser::TXRefEntry, std::allocator > >,
unsigned long, PoDoFo::PdfParser::TXRefEntry const&) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/bits/vector.tcc:496
#6 0x7efe75855a47 in std::vector<PoDoFo::PdfParser::TXRefEntry, std::allocator >::insert(__gnu_cxx::__normal_iterator<PoDoFo::PdfParser::TXRefEntry*, std::vector<PoDoFo::PdfParser::TXRefEntry, std::allocator > >, unsigned
long, PoDoFo::PdfParser::TXRefEntry const&) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/bits/stl_vector.h:1073:9
#7 0x7efe75855a47 in std::vector<PoDoFo::PdfParser::TXRefEntry, std::allocator >::resize(unsigned long, PoDoFo::PdfParser::TXRefEntry) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/bits/stl_vector.h:716
#8 0x7efe75855a47 in PoDoFo::PdfParser::ReadXRefSubsection(long&, long&) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:772
#9 0x7efe758470ad in PoDoFo::PdfParser::ReadXRefContents(long, bool) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:725:17
#10 0x7efe75840a9e in PoDoFo::PdfParser::ReadDocumentStructure() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:337:9
#11 0x7efe7583de0f in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:220:9
#12 0x7efe7583c1d4 in PoDoFo::PdfParser::ParseFile(char const*, bool) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/base/PdfParser.cpp:164:11
#13 0x7efe75a993f3 in PoDoFo::PdfMemDocument::Load(char const*) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/doc/PdfMemDocument.cpp:186:16
#14 0x7efe75a990c2 in PoDoFo::PdfMemDocument::PdfMemDocument(char const*) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/doc/PdfMemDocument.cpp:88:11
#15 0x51e96d in ColorChanger::start() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/colorchanger.cpp:110:20
#16 0x51c06d in main /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/podofocolor.cpp:116:12
#17 0x7efe7424861f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
#18 0x428718 in _start (/usr/bin/podofocolor+0x428718)
0x0000014a5838 is located 0 bytes to the right of global variable 'PoDoFo::PODOFO_BUILTIN_FONTS' defined in '/tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/src/doc/PdfFontFactoryBase14Data.h:4460:33' (0x14a4aa0) of size
3480
SUMMARY: AddressSanitizer: global-buffer-overflow /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413 in __asan_memcpy
Shadow bytes around the buggy address:
0x00008028cab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008028cac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008028cad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008028cae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008028caf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x00008028cb00: 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 f9 f9 f9 f9
0x00008028cb10: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x00008028cb20: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x00008028cb30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x00008028cb40: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x00008028cb50: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==15599==ABORTING
Affected version:
0.9.4
Fixed version:
N/A
Commit fix:
N/A
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00171-podofo-globaloverflow-PoDoFo-PdfParser-ReadXRefSubsection
Timeline:
2017-02-13: bug discovered
2017-03-02: bug reported to upstream
2017-03-02: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.
Permalink:
https://blogs.gentoo.org/ago/2017/03/02/podofo-global-buffer-overflow-in-podofopdfparserreadxrefsubsection-pdfparser-cpp
--
Agostino Sarubbo
Gentoo Linux Developer
Mon, 13 Mar 2017 11:08:20 +0100 Agostino Sarubbo <ago-at-gentoo.org>, 1507101.nareQZ76ga@blackgate
On Thursday 02 March 2017 16:35:17 Agostino Sarubbo
wrote:
> Permalink:
> https://blogs.gentoo.org/ago/2017/03/02/podofo-global-buffer-overflow-in-pod
> ofopdfparserreadxrefsubsection-pdfparser-cpp
This is CVE-2017-6844
--
Agostino Sarubbo
Gentoo Linux Developer