In poppler-v0.75.0 in pdftohtml there is a buffer overflow. Upstream issue: https://gitlab.freedesktop.org/poppler/poppler/-/issues/742 Upstream fix: https://gitlab.freedesktop.org/poppler/poppler/-/commit/30c731b487190c02afff3f036736a392eb60cd9a
Created poppler tracking bugs for this issue: Affects: fedora-all [bug 1900713]
This flaw revolves around the usage of the FILE pointer 'page' declared as a member variable of the HtmlOutputDev class. Under some circumstances this pointer is never initialized between the point in time when a HtmlOutputDev object is created and the time the same object is deleted. When the object is deleted, the destructor could use the same uninitialized pointer leading to undefined behavior (most likely a crash of the application).

/* class declaration */
class HtmlOutputDev: public OutputDev {
private:
    FILE *page;
};

/* destructor */
HtmlOutputDev::~HtmlOutputDev() {
    if (page != nullptr) {
        fputs("</body>\n</html>\n", page); // <= access to uninitialized pointer
    }
}
In reply to comment #0:
> Upstream fix:
> https://gitlab.freedesktop.org/poppler/poppler/-/commit/30c731b487190c02afff3f036736a392eb60cd9a

The patch initializes 'page' in the HtmlOutputDev constructor, effectively preventing the destructor from doing damage in case the pointer is never modified during the object's life cycle.
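The following is an added example, not poppler's code, that models the pattern from the comments above in a self-contained C++ program: a device class whose FILE pointer member is only assigned once a page starts, with the flawed form (member left indeterminate, as described for 0.75.0) next to the corrected form (member set to nullptr in the constructor, which is what the upstream fix does). The class and function names (UnsafeOutputDev, SafeOutputDev, startPage, and the two check functions) are assumptions chosen for this example.

```cpp
#include <cstdio>
#include <string>

// Added example (hypothetical names), modelling the HtmlOutputDev flaw.
// The FILE* member is assigned only when a page starts, so an object that is
// created and destroyed without a page relies on the member's initial value.

class UnsafeOutputDev {
public:
    UnsafeOutputDev() {}                // 'page' is left uninitialized (the 0.75.0 pattern)
    void startPage(FILE *f) { page = f; }
    ~UnsafeOutputDev() {
        if (page != nullptr)            // reads an indeterminate value: undefined behavior
            fputs("</body>\n</html>\n", page);
    }
private:
    FILE *page;
};

class SafeOutputDev {
public:
    SafeOutputDev() : page(nullptr) {}  // the fix: initialize the member in the constructor
    void startPage(FILE *f) { page = f; }
    ~SafeOutputDev() {
        if (page != nullptr)            // now a reliable check; destructor is a no-op without a page
            fputs("</body>\n</html>\n", page);
    }
private:
    FILE *page;
};

// Returns what the destructor wrote to the stream once a page was started.
std::string footerWrittenWhenPageStarted() {
    FILE *f = tmpfile();                // constructed scratch stream, deleted on close
    if (f == nullptr) return "";
    {
        SafeOutputDev dev;
        dev.startPage(f);
    }                                   // destructor runs here and writes the footer
    rewind(f);
    char buf[64] = {0};
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    return std::string(buf, n);
}

// Creating and destroying the device without ever starting a page must be safe.
// (UnsafeOutputDev is deliberately never instantiated: doing so would be the bug.)
bool destroyWithoutPageIsSafe() {
    {
        SafeOutputDev dev;
    }
    return true;
}

int main() {
    printf("footer: %s", footerWrittenWhenPageStarted().c_str());
    printf("destroy without page ok: %d\n", destroyWithoutPageIsSafe());
    return 0;
}
```

The check in the destructor only guards anything if the member is guaranteed to hold nullptr before any page is started; constructor initialization (or a default member initializer such as `FILE *page = nullptr;`) is what provides that guarantee, and a build with `-Wall` or a run under MemorySanitizer/Valgrind is the practical way to catch the uninitialized-read form before it ships.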
In reply to comment #6:
> This flaw revolves around the usage of the FILE pointer 'page' declared as a
> member variable of the HtmlOutputDev class. Under some circumstances this
> pointer is never initialized between the point in time when a HtmlOutputDev
> object is created and the time the same object is deleted. When the object
> is deleted, the destructor could use the same uninitialized pointer leading
> to undefined behavior (most likely a crash of the application).

Code execution might be possible, depending on the ability of the attacker to control and shape the heap state when the HtmlOutputDev destructor is executed. However, it does seem quite difficult to achieve and RHEL mitigations like ASLR would prevent this flaw from being exploited in any meaningful way.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1881 https://access.redhat.com/errata/RHSA-2021:1881
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-27778