Bug 1900712 (CVE-2020-27778)
Summary: | CVE-2020-27778 poppler: pdftohtml: access to uninitialized pointer could lead to DoS | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Michael Kaplan <mkaplan> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | caillon+fedoraproject, feborges, gnome-sig, mcascell, mclasen, mkasik, rdieter, rhughes, rstrode |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | poppler 0.76.0 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in Poppler in the way certain PDF files were converted into HTML. This flaw allows a remote attacker to provide a malicious PDF file that, when processed by the 'pdftohtml' program, crashes the application, causing a denial of service. The highest threat from this vulnerability is to system availability.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-05-18 20:37:13 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1900713, 1904080 | ||
Bug Blocks: | 1899505 |
Description
Michael Kaplan
2020-11-23 15:10:40 UTC
Created poppler tracking bugs for this issue:

Affects: fedora-all [bug 1900713]

This flaw revolves around the usage of the FILE pointer 'page' declared as a member variable of the HtmlOutputDev class. Under some circumstances this pointer is never initialized between the point in time when a HtmlOutputDev object is created and the time the same object is deleted. When the object is deleted, the destructor could use the same uninitialized pointer, leading to undefined behavior (most likely a crash of the application).

```cpp
/* class declaration */
class HtmlOutputDev: public OutputDev {
private:
    FILE *page;   // never given an initial value by the constructor
};

/* destructor */
HtmlOutputDev::~HtmlOutputDev() {
    if (page != nullptr) {   // check is meaningless when 'page' holds garbage
        fputs("</body>\n</html>\n", page);   // <= access to uninitialized pointer
    }
}
```

In reply to comment #0:
> Upstream fix:
> https://gitlab.freedesktop.org/poppler/poppler/-/commit/30c731b487190c02afff3f036736a392eb60cd9a

The patch initializes 'page' in the HtmlOutputDev constructor, effectively preventing the destructor from doing damage in case the pointer is never modified during the object's life cycle.

In reply to comment #6:
> This flaw revolves around the usage of the FILE pointer 'page' declared as a
> member variable of the HtmlOutputDev class. Under some circumstances this
> pointer is never initialized between the point in time when a HtmlOutputDev
> object is created and the time the same object is deleted. When the object
> is deleted, the destructor could use the same uninitialized pointer leading
> to undefined behavior (most likely a crash of the application).

Code execution might be possible, depending on the ability of the attacker to control and shape the heap state when the HtmlOutputDev destructor is executed. However, it does seem quite difficult to achieve, and RHEL mitigations like ASLR would prevent this flaw from being exploited in any meaningful way.
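The fix pattern the comments describe (give 'page' a definite value in the constructor so the destructor's nullptr check actually means "no page file was ever opened"), shown as an added, self-contained C++ example. This is not poppler's code: HtmlOutputDevFixed, its attach() method and the two scenario functions are hypothetical stand-ins for HtmlOutputDev, and the scratch stream from tmpfile() is constructed input for the demonstration.

```cpp
#include <cstdio>
#include <string>

// Hypothetical minimal stand-in for poppler's HtmlOutputDev (not the project's
// code). The only state that matters for CVE-2020-27778 is the FILE* member.
class HtmlOutputDevFixed {
public:
    // The fix: 'page' is initialized before any method can observe it. Without
    // this initializer the member holds whatever the allocator left behind, and
    // the destructor's nullptr test may pass on a garbage pointer.
    HtmlOutputDevFixed() : page(nullptr) {}

    // Same shape as the original destructor: the HTML trailer is written only
    // when a page stream was actually attached during the object's lifetime.
    ~HtmlOutputDevFixed() {
        if (page != nullptr) {
            std::fputs("</body>\n</html>\n", page);
            std::fflush(page);
        }
    }

    // Attach an already-open stream; ownership stays with the caller.
    void attach(FILE *f) { page = f; }
    bool hasPage() const { return page != nullptr; }

private:
    FILE *page;
};

// Scenario 1: the object is created and destroyed without ever opening a page,
// the path that crashed the unfixed code. Returns true when the object reports
// no page, so the destructor that runs at scope exit performs no write.
bool destroyWithoutPage() {
    HtmlOutputDevFixed dev;   // constructed here ...
    return !dev.hasPage();    // ... destroyed at scope exit without touching a stream
}

// Scenario 2: a page stream was attached; the trailer must end up in it.
// Returns the bytes the destructor wrote (constructed scratch file as input).
std::string destroyWithPage() {
    FILE *f = std::tmpfile();
    if (f == nullptr) return "";
    {
        HtmlOutputDevFixed dev;
        dev.attach(f);
    }                            // destructor writes the trailer here
    std::rewind(f);
    std::string out;
    char buf[64];
    while (std::fgets(buf, sizeof buf, f) != nullptr) out += buf;
    std::fclose(f);
    return out;
}

int main() {
    std::printf("no page attached: %s\n",
                destroyWithoutPage() ? "destructor wrote nothing" : "unexpected");
    std::printf("page attached, trailer written:\n%s", destroyWithPage().c_str());
    return 0;
}
```

The first scenario is the one that mattered for the bug: with the member initialized, constructing and destroying the object with no page open is harmless, whereas the unfixed class would pass a stale pointer to fputs(). Uninitialized-member defects of this kind are also flagged at build time by `-Wuninitialized`/`-Weffc++` style warnings and at run time by MemorySanitizer, which is a cheap check to add to a fuzzing or CI build of a PDF-processing tool.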
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8
Via RHSA-2021:1881 https://access.redhat.com/errata/RHSA-2021:1881

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-27778