Bug 1595693
| Summary: | one stack-based buffer overflow in PdfEncryptMD5Base::ComputeEncryptionKey() in PdfEncrypt.cpp | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | rookie <92wyunchao> | ||||
| Component: | podofo | Assignee: | Dan HorĂ¡k <dan> | ||||
| Status: | NEW --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | epel7 | CC: | 92wyunchao, dan, manisandro | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | Type: | Bug | |||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
==40052==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff874eab00 at pc 0x7fc298864935 bp 0x7fff874ea950 sp 0x7fff874ea0f8
READ of size 116 at 0x7fff874eab00 thread T0
#0 0x7fc298864934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
#1 0x591af9 in PoDoFo::PdfEncryptMD5Base::ComputeEncryptionKey(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned char*, unsigned char*, int, int, int, unsigned char*, bool) /home/s2e/1/podofo-0.9.6-rc1/src/base/PdfEncrypt.cpp:867
#2 0x595250 in PoDoFo::PdfEncryptRC4::Authenticate(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, PoDoFo::PdfString const&) /home/s2e/1/podofo-0.9.6-rc1/src/base/PdfEncrypt.cpp:1115
#3 0x5b3d37 in PoDoFo::PdfParser::ReadObjects() /home/s2e/1/podofo-0.9.6-rc1/src/base/PdfParser.cpp:1044
#4 0x5ad52a in PoDoFo::PdfParser::ParseFile(PoDoFo::PdfRefCountedInputDevice const&, bool) /home/s2e/1/podofo-0.9.6-rc1/src/base/PdfParser.cpp:220
#5 0x5ad108 in PoDoFo::PdfParser::ParseFile(char const*, bool) /home/s2e/1/podofo-0.9.6-rc1/src/base/PdfParser.cpp:166
#6 0x55791b in PoDoFo::PdfMemDocument::Load(char const*, bool) /home/s2e/1/podofo-0.9.6-rc1/src/doc/PdfMemDocument.cpp:256
#7 0x5567b5 in PoDoFo::PdfMemDocument::PdfMemDocument(char const*, bool) /home/s2e/1/podofo-0.9.6-rc1/src/doc/PdfMemDocument.cpp:102
#8 0x4c6afa in ColorChanger::start() /home/s2e/1/podofo-0.9.6-rc1/tools/podofocolor/colorchanger.cpp:110
#9 0x4c5a85 in main /home/s2e/1/podofo-0.9.6-rc1/tools/podofocolor/podofocolor.cpp:116
#10 0x7fc296e2582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#11 0x4c5508 in _start (/home/s2e/1/podofo-0.9.6-rc1/build/tools/podofocolor/podofocolor+0x4c5508)
|
Created attachment 1455024 [details] poc file to reproduce the crash Description of problem: There exists one stack-based buffer overflow in PdfEncryptMD5Base::ComputeEncryptionKey() in PdfEncrypt.cpp in PoDoFo 0.9.6-rc1(the latest stable version). Remote attackers could leverage the two vulnerabilities to cause a denial-of-service or potentially remote code execution via a crafted pdf file. Version-Release number of selected component (if applicable): PoDoFo 0.9.6-rc1(also including PoDoFo 0.9.5) How reproducible: use podofocolor to read crafted pdf files. Steps to Reproduce: 1.podofocolor dummy $pocfile foo 2. 3. Actual results: Expected results: Additional info: