Bug 1665266 (CVE-2018-20481)

Summary: CVE-2018-20481 poppler: NULL pointer dereference in the XRef::getEntry in XRef.cc
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: mkasik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 13:21:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1665268, 1665269, 1677057, 1677058, 1717790    
Bug Blocks: 1665262    

Description Laura Pardo 2019-01-10 20:14:44 UTC 
A flaw was found in Poppler 0.72.0. A NULL pointer dereference in the XRef::getEntry class in XRef.cc file due to the mishandle of unallocated XRef entries. This allows remote attackers to cause a denial of service via a crafted PDF document, when XRefEntry::setFlag in XRef.h is called from Parser::makeStream in Parser.cc.


References:
https://gitlab.freedesktop.org/poppler/poppler/issues/692

Upstream Patch:
https://gitlab.freedesktop.org/poppler/poppler/merge_requests/143
Comment 1 Laura Pardo 2019-01-10 20:14:58 UTC 
Created mingw-poppler tracking bugs for this issue:

Affects: fedora-all [bug 1665269]


Created poppler tracking bugs for this issue:

Affects: fedora-all [bug 1665268]
Comment 2 Scott Gayou 2019-02-13 21:49:49 UTC 
Looks like it will only segfault on 32-bit systems. However, we still get a Valgrind error and ASAN termination on 64bit.

```
Syntax Error (655): Illegal character '>'
Syntax Error (24552): Illegal character <25> in hex string
Syntax Error (24591): Illegal digit in hex char in name
Syntax Error (14081): Illegal character '}'
Syntax Error (655): Illegal character '>'
Syntax Error (24552): Illegal character <25> in hex string
Syntax Error (24591): Illegal digit in hex char in name
Syntax Error: Invalid XRef entry
Syntax Error (22675): Missing 'endstream' or incorrect stream length
=================================================================
==12093== ERROR: AddressSanitizer: heap-use-after-free on address 0x609600000488 at pc 0x7f52d7b4716c bp 0x7ffe2a4635b0 sp 0x7ffe2a4635a0
READ of size 4 at 0x609600000488 thread T0
    #0 0x7f52d7b4716b in XRefEntry::setFlag(XRefEntry::Flag, bool) /root/rpmbuild/BUILD/poppler-0.26.5/poppler/XRef.h:91
    #2 0x7f52d7b46832 in Parser::makeStream(Object*, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /root/rpmbuild/BUILD/poppler-0.26.5/poppler/Parser.cc:297
    #4 0x7f52d7b45a0d in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /root/rpmbuild/BUILD/poppler-0.26.5/poppler/Parser.cc:131 (discriminator 1)
    #6 0x7f52d7b455ba in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /root/rpmbuild/BUILD/poppler-0.26.5/poppler/Parser.cc:96
    #8 0x7f52d7b4589e in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /root/rpmbuild/BUILD/poppler-0.26.5/poppler/Parser.cc:121
```
Comment 3 Scott Gayou 2019-02-13 22:02:35 UTC 
Example of the same run in valgrind instead:

Syntax Error (655): Illegal character '>'
Syntax Error (24552): Illegal character <25> in hex string
Syntax Error (24591): Illegal digit in hex char in name
Syntax Error (14081): Illegal character '}'
Syntax Error (655): Illegal character '>'
Syntax Error (24552): Illegal character <25> in hex string
Syntax Error (24591): Illegal digit in hex char in name
Syntax Error: Invalid XRef entry
Syntax Error (22675): Missing 'endstream' or incorrect stream length
==12167== Invalid read of size 4
==12167==    at 0x4F8A295: setFlag (XRef.h:91)
==12167==    by 0x4F8A295: Parser::makeStream(Object*, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:297)
==12167==    by 0x4F8A8F7: Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:131)
==12167==    by 0x4F8A5A2: Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:96)
==12167==    by 0x4F8A9D4: Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:121)
==12167==    by 0x4FA6965: XRef::fetch(int, int, Object*, int) (XRef.cc:1199)
==12167==    by 0x4F18C2A: dictLookup (Object.h:320)
==12167==    by 0x4F18C2A: Catalog::getNumPages() (Catalog.cc:809)
==12167==    by 0x4018EE: main (pdfdetach.cc:163)
Comment 7 errata-xmlrpc 2019-08-06 12:02:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2022 https://access.redhat.com/errata/RHSA-2019:2022
Comment 8 Product Security DevOps Team 2019-08-06 13:21:28 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-20481
Comment 9 errata-xmlrpc 2019-09-11 09:33:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2713 https://access.redhat.com/errata/RHSA-2019:2713