Bug 1900712 (CVE-2020-27778)

Summary: CVE-2020-27778 poppler: pdftohtml: access to uninitialized pointer could lead to DoS
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: caillon+fedoraproject, feborges, gnome-sig, mcascell, mclasen, mkasik, rdieter, rhughes, rstrode
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: poppler 0.76.0
Doc Text:
A flaw was found in Poppler in the way certain PDF files were converted into HTML. This flaw allows a remote attacker to provide a malicious PDF file that, when processed by the 'pdftohtml' program, crashes the application, causing a denial of service. The highest threat from this vulnerability is to system availability.
Last Closed: 2021-05-18 20:37:13 UTC
Bug Depends On: 1900713, 1904080
Bug Blocks: 1899505

Description Michael Kaplan 2020-11-23 15:10:40 UTC
In poppler-v0.75.0 in pdftohtml there is a buffer overflow.

Upstream issue:
https://gitlab.freedesktop.org/poppler/poppler/-/issues/742

Upstream fix:
https://gitlab.freedesktop.org/poppler/poppler/-/commit/30c731b487190c02afff3f036736a392eb60cd9a

Comment 3 Michael Kaplan 2020-11-23 15:11:04 UTC
Created poppler tracking bugs for this issue:

Affects: fedora-all [bug 1900713]

Comment 6 Mauro Matteo Cascella 2020-12-03 09:29:45 UTC
This flaw revolves around the usage of the FILE pointer 'page' declared as a member variable of the HtmlOutputDev class. Under some circumstances this pointer is never initialized between the point in time when a HtmlOutputDev object is created and the time the same object is deleted. When the object is deleted, the destructor could use the same uninitialized pointer leading to undefined behavior (most likely a crash of the application).

/* class declaration */
class HtmlOutputDev: public OutputDev {
public:
  ~HtmlOutputDev() override;
private:
  FILE *page;                            // no initializer: indeterminate until assigned
};

/* destructor */
HtmlOutputDev::~HtmlOutputDev() {
  if (page != nullptr) {
    fputs("</body>\n</html>\n", page);   // <= access to uninitialized pointer
  }
}

Comment 7 Mauro Matteo Cascella 2020-12-03 09:44:50 UTC
In reply to comment #0:
> Upstream fix:
> https://gitlab.freedesktop.org/poppler/poppler/-/commit/30c731b487190c02afff3f036736a392eb60cd9a

The patch initializes 'page' in the HtmlOutputDev constructor, effectively preventing the destructor from doing damage in case the pointer is never modified during the object's life cycle.
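The two shapes described in comments 6 and 7, side by side, as an added example; this is not poppler's code, only a minimal model of the HtmlOutputDev lifetime. The 'ok' flag, the caller-owned FILE* sink and the render() driver are assumptions made for the demonstration; the real class opens its own output file lazily from a method that can bail out before 'page' is ever assigned.

```cpp
#include <cstdio>
#include <string>

// Added example (not poppler's code): a minimal model of the HtmlOutputDev
// pattern, showing the unsafe shape beside the fixed one.  The 'ok' flag,
// the caller-owned sink and render() are assumptions for this demonstration.

// Unsafe shape: 'page' has no initializer.  On a path where no method ever
// assigns it, the destructor compares and then uses an indeterminate value.
// Deliberately never instantiated here: that read is undefined behaviour and
// the outcome depends on whatever the heap held (hence "most likely a crash").
class HtmlOutputDevUnsafe {
public:
    HtmlOutputDevUnsafe() {}                 // 'page' left indeterminate
    ~HtmlOutputDevUnsafe() {
        if (page != nullptr)                 // reads garbage
            std::fputs("</body>\n</html>\n", page);
    }
private:
    FILE *page;
};

// Fixed shape, following the upstream commit: 'page' starts as nullptr, so
// the destructor's null check is meaningful on every path, including the
// early-exit path where output is never started.
class HtmlOutputDevSafe {
public:
    // 'ok' models the early bail-out (e.g. the output directory could not be
    // created); 'sink' stands in for the HTML file and stays owned by the caller.
    HtmlOutputDevSafe(bool ok, FILE *sink) : page(nullptr) {
        if (!ok)
            return;                          // 'page' never assigned, stays nullptr
        page = sink;
        std::fputs("<html>\n<body>\n", page);
    }
    ~HtmlOutputDevSafe() {
        if (page != nullptr)                 // nullptr on the early-exit path
            std::fputs("</body>\n</html>\n", page);
    }
    HtmlOutputDevSafe(const HtmlOutputDevSafe &) = delete;
    HtmlOutputDevSafe &operator=(const HtmlOutputDevSafe &) = delete;
private:
    FILE *page;
};

// Drive the safe class through one full lifetime and return what reached the
// sink.  ok=true: header from the constructor, footer from the destructor.
// ok=false: early exit; the destructor must write nothing at all.
std::string render(bool ok) {
    FILE *sink = std::tmpfile();
    if (!sink)
        return "<tmpfile failed>";
    {
        HtmlOutputDevSafe dev(ok, sink);
    }                                        // destructor runs here
    std::rewind(sink);
    std::string out;
    char buf[256];
    size_t n;
    while ((n = std::fread(buf, 1, sizeof buf, sink)) > 0)
        out.append(buf, n);
    std::fclose(sink);
    return out;
}

int main() {
    std::printf("normal path:\n%s", render(true).c_str());
    std::printf("early exit: %s\n",
                render(false).empty() ? "nothing written (destructor skipped fputs)"
                                      : "unexpected output");
    return 0;
}
```

Because the unsafe read is undefined behaviour, a plain build may or may not crash; the reliable way to see it is to instantiate HtmlOutputDevUnsafe on the early-exit path under a checker that tracks indeterminate memory, such as clang's MemorySanitizer (-fsanitize=memory) or Valgrind's memcheck, both of which report the conditional jump on the uninitialised 'page'.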

Comment 10 Mauro Matteo Cascella 2020-12-03 14:09:49 UTC
In reply to comment #6:
> This flaw revolves around the usage of the FILE pointer 'page' declared as a
> member variable of the HtmlOutputDev class. Under some circumstances this
> pointer is never initialized between the point in time when a HtmlOutputDev
> object is created and the time the same object is deleted. When the object
> is deleted, the destructor could use the same uninitialized pointer leading
> to undefined behavior (most likely a crash of the application).

Code execution might be possible, depending on the ability of the attacker to control and shape the heap state when the HtmlOutputDev destructor is executed. However, it does seem quite difficult to achieve and RHEL mitigations like ASLR would prevent this flaw from being exploited in any meaningful way.

Comment 12 errata-xmlrpc 2021-05-18 15:49:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1881 https://access.redhat.com/errata/RHSA-2021:1881

Comment 13 Product Security DevOps Team 2021-05-18 20:37:13 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-27778