Bug 91414 - Vulnerabilities report on libpoppler 0.18.4
Summary: Vulnerabilities report on libpoppler 0.18.4
Status: RESOLVED FIXED
Alias: None
Product: poppler
Classification: Unclassified
Component: general
Version: unspecified
Hardware: All All
Importance: medium normal
Assignee: poppler-bugs
Reported: 2015-07-21 14:57 UTC by Julien Perrot
Modified: 2016-10-09 20:35 UTC



Attachments
detailed vulnerabilities report and proof of concept files (624.93 KB, text/plain)
2015-07-21 14:57 UTC, Julien Perrot
detailed report and proof of concept files (624.93 KB, application/octet-stream)
2015-07-21 14:59 UTC, Julien Perrot

Description Julien Perrot 2015-07-21 14:57:39 UTC
Created attachment 117276
detailed vulnerabilities report and proof of concept files

Hi,

On behalf of the CERT-FR (CERT of the ANSSI, French Network and Information Security Agency), I'd like to report several vulnerabilities or defects on libpoppler. These problems were identified by Guillaume Endignoux during his internship at the ANSSI, under the supervision of Olivier Levillain.

Guillaume has crafted several PDF files from the specification (sample-pdf-files.tgz in poppler-report.zip). When opened with Evince, specific files will cause a crash or an infinite loop. We did not investigate further to determine if the crashes were exploitable.

As we think that these problems lie in libpoppler, we thought that it would be more useful to contact you directly instead of Evince's maintainer.

If you can confirm to us that the defects described in 20150716_Vulnerability_Evince_export_v1.pdf will be handled as vulnerabilities from your side, we will then contact MITRE to request CVE identifiers.

Do not hesitate to get back to me if you need further information on this report.


Best regards,
--
Julien Perrot
Vulnerabilities and signatures unit
ANSSI
Comment 1 Julien Perrot 2015-07-21 14:59:36 UTC
Created attachment 117277
detailed report and proof of concept files

uploading the zip file again, in binary form this time
Comment 2 Albert Astals Cid 2015-07-21 15:00:08 UTC
Any reason you used a 3 year old version of poppler?
Comment 3 Julien Perrot 2015-07-21 15:06:34 UTC
Not to my knowledge, I'll check with the reporter
Comment 4 Jose Aliste 2015-07-21 20:06:54 UTC
Could you please just attach the PDFs that are malformed and that you know crash. The zip file has a lot of files which do not crash, and we don't have time to see which are supposed to crash and which are not, especially since this is against poppler 0.18 (and we are at 0.34). I see some files still crashing with the newest poppler and evince, so there are some valuable examples here.
Comment 5 Julien Perrot 2015-07-22 08:26:23 UTC
Hi,

The file results-evince.pdf in poppler-report.zip (attached to this ticket) sums up the results with the proof of concept files. A green cell means that opening the corresponding sample file in Evince resulted in the expected behavior.

Especially, the files below (available in sample-pdf-files.tgz) seem to cause a segfault when loaded (at least with libpoppler 0.18.4):

- structure/destname.pdf
- structure/destname-auto.pdf
- structure/pagelabels2.pdf
- structure/pagelabels3.pdf

The files below seem to provoke 100% CPU usage:

- structure/outlines.pdf
- structure/outlines2.pdf
- structure/outlines3.pdf
- structure/outlines4.pdf
- structure/outlines-auto.pdf
- structure/outlines-auto2.pdf
- structure/outlines-auto3.pdf
- structure/outlines-auto4.pdf
Comment 6 Jose Aliste 2015-07-22 11:37:34 UTC
Aha, there are two bugs here (if no other file produces a crash or 100% cpu usage)

- the crash in the parser while reading destname.pdf or destname-auto.pdf (same backtrace); we need one bug for these files.

- the 100% cpu usage for the outlines. By breaking the code while at 100% it seems we are getting stuck in rebuilding the outline tree, so probably there is some sort of loop link or sort. Haven't looked at the pdf yet, just gdb info. We need another bug for this as well.
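Comment 6 above attributes the 100% CPU usage to getting stuck while rebuilding the outline tree, most likely because of a loop in the item links. The block below is an added example, not poppler code and not derived from the report's attachments: a minimal outline walker over constructed item dictionaries (the struct `OutlineItem`, the object numbers and the sample trees are all hypothetical stand-ins) that follows /First and /Next but refuses to revisit an object number and caps nesting depth, so a link that points back at an already-visited item ends the walk with a flag instead of spinning forever.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <unordered_set>
#include <vector>

// Added example, not poppler code. OutlineItem is a hypothetical stand-in for a
// parsed outline item dictionary: in a real PDF, /First and /Next are indirect
// references; here they are object numbers, with 0 meaning the key is absent.
struct OutlineItem {
    std::string title;
    int first;  // object number of the first child (/First), 0 if none
    int next;   // object number of the next sibling (/Next), 0 if none
};

using Objects = std::map<int, OutlineItem>;

struct WalkResult {
    std::vector<std::string> titles;  // titles in depth-first order
    bool loop_detected = false;       // an object number was reached twice
    bool too_deep = false;            // nesting exceeded kMaxDepth
};

// Nesting bound (constructed value): a /First chain deeper than this is
// treated as malformed rather than allowed to recurse without limit.
static const int kMaxDepth = 64;

static void walk(const Objects& objs, int obj, int depth,
                 std::unordered_set<int>& seen, WalkResult& out) {
    if (depth > kMaxDepth) { out.too_deep = true; return; }
    while (obj != 0) {
        // Refuse to visit the same object twice: a /Next pointing back to an
        // earlier sibling, or a /First pointing back to an ancestor, would
        // otherwise keep this loop or recursion running forever.
        if (!seen.insert(obj).second) { out.loop_detected = true; return; }
        auto it = objs.find(obj);
        if (it == objs.end()) return;  // dangling reference: end of chain
        out.titles.push_back(it->second.title);
        walk(objs, it->second.first, depth + 1, seen, out);
        if (out.loop_detected || out.too_deep) return;
        obj = it->second.next;
    }
}

// Entry point: root_first is the /First of the document's /Outlines dictionary.
WalkResult walk_outlines(const Objects& objs, int root_first) {
    std::unordered_set<int> seen;
    WalkResult r;
    walk(objs, root_first, 0, seen, r);
    return r;
}

// Constructed sample trees (not the report's PoC files).
Objects well_formed() {
    return {
        {10, {"Chapter 1", 11, 12}},
        {11, {"Section 1.1", 0, 0}},
        {12, {"Chapter 2", 0, 0}},
    };
}

Objects sibling_cycle() {
    return {
        {10, {"Chapter 1", 0, 11}},
        {11, {"Chapter 2", 0, 12}},
        {12, {"Chapter 3", 0, 10}},  // /Next points back to the first item
    };
}

Objects child_cycle() {
    return {
        {10, {"Chapter 1", 11, 0}},
        {11, {"Section 1.1", 10, 0}},  // /First points back to the parent
    };
}

int main() {
    std::vector<Objects> samples = {well_formed(), sibling_cycle(), child_cycle()};
    for (const Objects& objs : samples) {
        WalkResult r = walk_outlines(objs, 10);
        for (const std::string& t : r.titles) std::cout << t << '\n';
        std::cout << (r.loop_detected ? "loop detected" : "no loop") << "\n\n";
    }
    return 0;
}
```

The visited set is keyed on the object number rather than on the item's title or position, since the same dictionary can be reached through different paths; a depth cap alone would not stop the sibling cycle, and a visited set alone would not stop a legitimately huge nesting from exhausting the stack, so the walker keeps both.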
Comment 7 Albert Astals Cid 2016-10-09 20:35:47 UTC
Ran these files over the last release with an ASAN-ized version of pdftoppm and could not find anything problematic.