Bug 1665273 (CVE-2018-20662)

| Field | Value |
|---|---|
| Summary | CVE-2018-20662 poppler: SIGABRT PDFDoc::setup class in PDFDoc.cc |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Laura Pardo <lpardo> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | low |
| Version | unspecified |
| CC | mkasik |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Last Closed | 2019-08-06 13:21:30 UTC |
| Bug Depends On | 1665274, 1665275, 1677347, 1677348, 1690480 |
| Bug Blocks | 1665262 |

Description
Laura Pardo
2019-01-10 20:19:04 UTC
Created mingw-poppler tracking bugs for this issue:

Affects: fedora-all [bug 1665275]

Created poppler tracking bugs for this issue:

Affects: fedora-all [bug 1665274]

Upstream has reverted the fix because it caused some regressions:

https://gitlab.freedesktop.org/poppler/poppler/commit/1e99a1eeb3a144facf45165df9f457796c045daa
https://gitlab.freedesktop.org/poppler/poppler/issues/706#note_99000

Red Hat Enterprise 7 has a few valgrind errors, but no abort.

```
==12199== Memcheck, a memory error detector
==12199== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==12199== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==12199== Command: pdfunite test.pdf sigabrt_Object.h:258_2.pdf out.pdf
==12199==
Syntax Error (374): Illegal character <10> in hex string
Syntax Error (603): Dictionary key must be a name object
Syntax Error (605): Dictionary key must be a name object
Syntax Error (611): Dictionary key must be a name object
Syntax Error (603): Dictionary key must be a name object
Syntax Error (605): Dictionary key must be a name object
Syntax Error (611): Dictionary key must be a name object
Syntax Error (1014): Dictionary key must be a name object
Syntax Error (1016): Dictionary key must be a name object
Syntax Error (1018): Dictionary key must be a name object
Syntax Error (1018): Dictionary key must be a name object
Syntax Error (1020): Dictionary key must be a name object
Syntax Error: Page count in top-level pages object is wrong type (null)
==12199== Invalid read of size 4
==12199==    at 0x6341C30: pthread_mutex_lock (pthread_mutex_lock.c:65)
==12199==    by 0x4F15D82: UnknownInlinedFun (GooMutex.h:78)
==12199==    by 0x4F15D82: Array::decRef() (Array.cc:85)
==12199==    by 0x4F83EC8: Object::free() (Object.cc:134)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Address 0x7ce93e0 is 48 bytes inside a block of size 72 free'd
==12199==    at 0x4C2B16D: operator delete(void*) (vg_replace_malloc.c:576)
==12199==    by 0x4F83EE5: Object::free() (Object.cc:135)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Block was alloc'd at
==12199==    at 0x4C2A1E3: operator new(unsigned long) (vg_replace_malloc.c:334)
==12199==    by 0x4F83C81: Object::initArray(XRef*) (Object.cc:67)
==12199==    by 0x4F8D24C: PDFDoc::replacePageDict(int, int, PDFRectangle*, PDFRectangle*, Object*) (PDFDoc.cc:1507)
==12199==    by 0x401BD6: main (pdfunite.cc:119)
==12199==
==12199== Invalid read of size 4
==12199==    at 0x633D8C4: __pthread_mutex_lock_full (pthread_mutex_lock.c:176)
==12199==    by 0x4F15D82: UnknownInlinedFun (GooMutex.h:78)
==12199==    by 0x4F15D82: Array::decRef() (Array.cc:85)
==12199==    by 0x4F83EC8: Object::free() (Object.cc:134)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Address 0x7ce93e0 is 48 bytes inside a block of size 72 free'd
==12199==    at 0x4C2B16D: operator delete(void*) (vg_replace_malloc.c:576)
==12199==    by 0x4F83EE5: Object::free() (Object.cc:135)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Block was alloc'd at
==12199==    at 0x4C2A1E3: operator new(unsigned long) (vg_replace_malloc.c:334)
==12199==    by 0x4F83C81: Object::initArray(XRef*) (Object.cc:67)
==12199==    by 0x4F8D24C: PDFDoc::replacePageDict(int, int, PDFRectangle*, PDFRectangle*, Object*) (PDFDoc.cc:1507)
==12199==    by 0x401BD6: main (pdfunite.cc:119)
==12199==
==12199== Invalid read of size 4
==12199==    at 0x4F15D83: Array::decRef() (Array.cc:86)
==12199==    by 0x4F83EC8: Object::free() (Object.cc:134)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Address 0x7ce93c8 is 24 bytes inside a block of size 72 free'd
==12199==    at 0x4C2B16D: operator delete(void*) (vg_replace_malloc.c:576)
==12199==    by 0x4F83EE5: Object::free() (Object.cc:135)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Block was alloc'd at
==12199==    at 0x4C2A1E3: operator new(unsigned long) (vg_replace_malloc.c:334)
==12199==    by 0x4F83C81: Object::initArray(XRef*) (Object.cc:67)
==12199==    by 0x4F8D24C: PDFDoc::replacePageDict(int, int, PDFRectangle*, PDFRectangle*, Object*) (PDFDoc.cc:1507)
==12199==    by 0x401BD6: main (pdfunite.cc:119)
==12199==
==12199== Invalid write of size 4
==12199==    at 0x4F15D8C: Array::decRef() (Array.cc:86)
==12199==    by 0x4F83EC8: Object::free() (Object.cc:134)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Address 0x7ce93c8 is 24 bytes inside a block of size 72 free'd
==12199==    at 0x4C2B16D: operator delete(void*) (vg_replace_malloc.c:576)
==12199==    by 0x4F83EE5: Object::free() (Object.cc:135)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Block was alloc'd at
==12199==    at 0x4C2A1E3: operator new(unsigned long) (vg_replace_malloc.c:334)
==12199==    by 0x4F83C81: Object::initArray(XRef*) (Object.cc:67)
==12199==    by 0x4F8D24C: PDFDoc::replacePageDict(int, int, PDFRectangle*, PDFRectangle*, Object*) (PDFDoc.cc:1507)
==12199==    by 0x401BD6: main (pdfunite.cc:119)
==12199==
==12199== Invalid read of size 4
==12199==    at 0x6342E10: __pthread_mutex_unlock_usercnt (pthread_mutex_unlock.c:39)
==12199==    by 0x6342E10: pthread_mutex_unlock (pthread_mutex_unlock.c:330)
==12199==    by 0x4F15D93: UnknownInlinedFun (GooMutex.h:79)
==12199==    by 0x4F15D93: Array::decRef() (Array.cc:87)
==12199==    by 0x4F83EC8: Object::free() (Object.cc:134)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Address 0x7ce93e0 is 48 bytes inside a block of size 72 free'd
==12199==    at 0x4C2B16D: operator delete(void*) (vg_replace_malloc.c:576)
==12199==    by 0x4F83EE5: Object::free() (Object.cc:135)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Block was alloc'd at
==12199==    at 0x4C2A1E3: operator new(unsigned long) (vg_replace_malloc.c:334)
==12199==    by 0x4F83C81: Object::initArray(XRef*) (Object.cc:67)
==12199==    by 0x4F8D24C: PDFDoc::replacePageDict(int, int, PDFRectangle*, PDFRectangle*, Object*) (PDFDoc.cc:1507)
==12199==    by 0x401BD6: main (pdfunite.cc:119)
==12199==
==12199== Invalid read of size 4
==12199==    at 0x633DDC6: __pthread_mutex_unlock_full (pthread_mutex_unlock.c:101)
==12199==    by 0x4F15D93: UnknownInlinedFun (GooMutex.h:79)
==12199==    by 0x4F15D93: Array::decRef() (Array.cc:87)
==12199==    by 0x4F83EC8: Object::free() (Object.cc:134)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Address 0x7ce93e0 is 48 bytes inside a block of size 72 free'd
==12199==    at 0x4C2B16D: operator delete(void*) (vg_replace_malloc.c:576)
==12199==    by 0x4F83EE5: Object::free() (Object.cc:135)
==12199==    by 0x4F2470C: Dict::~Dict() (Dict.cc:126)
==12199==    by 0x4F83F15: Object::free() (Object.cc:140)
==12199==    by 0x4FA3CBF: XRef::~XRef() (XRef.cc:392)
==12199==    by 0x4F8F83F: PDFDoc::~PDFDoc() (PDFDoc.cc:322)
==12199==    by 0x402289: main (pdfunite.cc:196)
==12199==  Block was alloc'd at
==12199==    at 0x4C2A1E3: operator new(unsigned long) (vg_replace_malloc.c:334)
==12199==    by 0x4F83C81: Object::initArray(XRef*) (Object.cc:67)
==12199==    by 0x4F8D24C: PDFDoc::replacePageDict(int, int, PDFRectangle*, PDFRectangle*, Object*) (PDFDoc.cc:1507)
==12199==    by 0x401BD6: main (pdfunite.cc:119)
==12199==
==12199==
==12199== HEAP SUMMARY:
==12199==     in use at exit: 1,034 bytes in 29 blocks
==12199==   total heap usage: 7,782 allocs, 7,753 frees, 2,012,194 bytes allocated
==12199==
==12199== LEAK SUMMARY:
==12199==    definitely lost: 465 bytes in 16 blocks
==12199==    indirectly lost: 512 bytes in 4 blocks
==12199==      possibly lost: 0 bytes in 0 blocks
==12199==    still reachable: 57 bytes in 9 blocks
==12199==         suppressed: 0 bytes in 0 blocks
==12199== Rerun with --leak-check=full to see details of leaked memory
==12199==
==12199== For counts of detected and suppressed errors, rerun with: -v
==12199== ERROR SUMMARY: 6 errors from 6 contexts (suppressed: 0 from 0)
```

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2019:2022 https://access.redhat.com/errata/RHSA-2019:2022

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-20662

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2019:2713 https://access.redhat.com/errata/RHSA-2019:2713
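
When triaging a Memcheck log like the one quoted in this bug, it helps to collapse the error contexts by the freed block they touch. The following is an added example, not part of the bug report or of poppler; the function name `group_by_block` is hypothetical and the two-context sample is constructed, trimmed to the shape of the log above.

```python
import re

# Constructed sample: two contexts trimmed to the shape of the Memcheck log above.
SAMPLE = """\
==1== Invalid read of size 4
==1==    at 0x6341C30: pthread_mutex_lock (pthread_mutex_lock.c:65)
==1==  Address 0x7ce93e0 is 48 bytes inside a block of size 72 free'd
==1==    at 0x4C2B16D: operator delete(void*) (vg_replace_malloc.c:576)
==1==    by 0x4F83EE5: Object::free() (Object.cc:135)
==1==  Block was alloc'd at
==1==    at 0x4C2A1E3: operator new(unsigned long) (vg_replace_malloc.c:334)
==1==    by 0x4F83C81: Object::initArray(XRef*) (Object.cc:67)
==1== Invalid write of size 4
==1==    at 0x4F15D8C: Array::decRef() (Array.cc:86)
==1==  Address 0x7ce93c8 is 24 bytes inside a block of size 72 free'd
==1==    at 0x4C2B16D: operator delete(void*) (vg_replace_malloc.c:576)
==1==    by 0x4F83EE5: Object::free() (Object.cc:135)
==1==  Block was alloc'd at
==1==    at 0x4C2A1E3: operator new(unsigned long) (vg_replace_malloc.c:334)
==1==    by 0x4F83C81: Object::initArray(XRef*) (Object.cc:67)
"""

ERR = re.compile(r"Invalid (read|write) of size \d+")
ADDR = re.compile(r"Address 0x([0-9a-fA-F]+) is (\d+) bytes inside a block of size (\d+) free'd")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (.*) \((\S+:\d+)\)$")

def group_by_block(log):
    """Map (block base, size) -> accesses, free site and alloc site of that block."""
    blocks, cur, section, access = {}, None, None, None
    for raw in log.splitlines():
        line = re.sub(r"^==\d+==\s*", "", raw).strip()
        if m := ERR.match(line):
            access, section = m.group(1), "access"
        elif m := ADDR.match(line):
            addr, off, size = int(m.group(1), 16), int(m.group(2)), int(m.group(3))
            # Reported address minus offset gives the start of the freed block.
            cur = blocks.setdefault((hex(addr - off), size),
                                    {"accesses": [], "free": None, "alloc": None})
            cur["accesses"].append((access, off))
            section = "free"
        elif line.startswith("Block was alloc'd"):
            section = "alloc"
        elif (m := FRAME.match(line)) and cur and section in ("free", "alloc"):
            # First frame outside Valgrind's allocator shim is the caller of interest.
            if "vg_replace_malloc" not in m.group(2):
                cur[section] = cur[section] or f"{m.group(1)} ({m.group(2)})"
    return blocks

if __name__ == "__main__":
    print(group_by_block(SAMPLE))
```

Both addresses reported in the full log (0x7ce93e0 at offset 48 and 0x7ce93c8 at offset 24) resolve to the same 72-byte block, so all six contexts describe accesses to one freed allocation.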