Bug 1665266 (CVE-2018-20481) - CVE-2018-20481 poppler: NULL pointer dereference in the XRef::getEntry in XRef.cc
Summary: CVE-2018-20481 poppler: NULL pointer dereference in the XRef::getEntry in XRe...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-20481
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1677057 1665268 1665269 1677058 1717790
Blocks: 1665262
TreeView+ depends on / blocked
 
Reported: 2019-01-10 20:14 UTC by Laura Pardo
Modified: 2019-09-29 15:04 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 13:21:28 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2022 None None None 2019-08-06 12:03:00 UTC
Red Hat Product Errata RHSA-2019:2713 None None None 2019-09-11 09:33:17 UTC

Description Laura Pardo 2019-01-10 20:14:44 UTC
A flaw was found in Poppler 0.72.0. A NULL pointer dereference in the XRef::getEntry class in XRef.cc file due to the mishandle of unallocated XRef entries. This allows remote attackers to cause a denial of service via a crafted PDF document, when XRefEntry::setFlag in XRef.h is called from Parser::makeStream in Parser.cc.


References:
https://gitlab.freedesktop.org/poppler/poppler/issues/692

Upstream Patch:
https://gitlab.freedesktop.org/poppler/poppler/merge_requests/143

Comment 1 Laura Pardo 2019-01-10 20:14:58 UTC
Created mingw-poppler tracking bugs for this issue:

Affects: fedora-all [bug 1665269]


Created poppler tracking bugs for this issue:

Affects: fedora-all [bug 1665268]

Comment 2 Scott Gayou 2019-02-13 21:49:49 UTC
Looks like it will only segfault on 32-bit systems. However, we still get a Valgrind error and ASAN termination on 64bit.

```
Syntax Error (655): Illegal character '>'
Syntax Error (24552): Illegal character <25> in hex string
Syntax Error (24591): Illegal digit in hex char in name
Syntax Error (14081): Illegal character '}'
Syntax Error (655): Illegal character '>'
Syntax Error (24552): Illegal character <25> in hex string
Syntax Error (24591): Illegal digit in hex char in name
Syntax Error: Invalid XRef entry
Syntax Error (22675): Missing 'endstream' or incorrect stream length
=================================================================
==12093== ERROR: AddressSanitizer: heap-use-after-free on address 0x609600000488 at pc 0x7f52d7b4716c bp 0x7ffe2a4635b0 sp 0x7ffe2a4635a0
READ of size 4 at 0x609600000488 thread T0
    #0 0x7f52d7b4716b in XRefEntry::setFlag(XRefEntry::Flag, bool) /root/rpmbuild/BUILD/poppler-0.26.5/poppler/XRef.h:91
    #2 0x7f52d7b46832 in Parser::makeStream(Object*, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /root/rpmbuild/BUILD/poppler-0.26.5/poppler/Parser.cc:297
    #4 0x7f52d7b45a0d in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /root/rpmbuild/BUILD/poppler-0.26.5/poppler/Parser.cc:131 (discriminator 1)
    #6 0x7f52d7b455ba in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /root/rpmbuild/BUILD/poppler-0.26.5/poppler/Parser.cc:96
    #8 0x7f52d7b4589e in Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) /root/rpmbuild/BUILD/poppler-0.26.5/poppler/Parser.cc:121
```

Comment 3 Scott Gayou 2019-02-13 22:02:35 UTC
Example of the same run in valgrind instead:

Syntax Error (655): Illegal character '>'
Syntax Error (24552): Illegal character <25> in hex string
Syntax Error (24591): Illegal digit in hex char in name
Syntax Error (14081): Illegal character '}'
Syntax Error (655): Illegal character '>'
Syntax Error (24552): Illegal character <25> in hex string
Syntax Error (24591): Illegal digit in hex char in name
Syntax Error: Invalid XRef entry
Syntax Error (22675): Missing 'endstream' or incorrect stream length
==12167== Invalid read of size 4
==12167==    at 0x4F8A295: setFlag (XRef.h:91)
==12167==    by 0x4F8A295: Parser::makeStream(Object*, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:297)
==12167==    by 0x4F8A8F7: Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:131)
==12167==    by 0x4F8A5A2: Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:96)
==12167==    by 0x4F8A9D4: Parser::getObj(Object*, bool, unsigned char*, CryptAlgorithm, int, int, int, int, bool) (Parser.cc:121)
==12167==    by 0x4FA6965: XRef::fetch(int, int, Object*, int) (XRef.cc:1199)
==12167==    by 0x4F18C2A: dictLookup (Object.h:320)
==12167==    by 0x4F18C2A: Catalog::getNumPages() (Catalog.cc:809)
==12167==    by 0x4018EE: main (pdfdetach.cc:163)

Comment 7 errata-xmlrpc 2019-08-06 12:02:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2022 https://access.redhat.com/errata/RHSA-2019:2022

Comment 8 Product Security DevOps Team 2019-08-06 13:21:28 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-20481

Comment 9 errata-xmlrpc 2019-09-11 09:33:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2713 https://access.redhat.com/errata/RHSA-2019:2713


Note You need to log in before you can comment on or make changes to this bug.