Created attachment 117276 [details] detailed vulnerabilities report and proof of concept files Hi, On behalf of the CERT-FR (CERT of the ANSSI, French Network and Information Security Agency), I'd like to report several vulnerabilities or defects on libpoppler. These problems were identified by Guillaume Endignoux during his internship at the ANSSI, under the supervision of Olivier Levillain. Guillaume has crafted several PDF files from the specification (sample-pdf-files.tgz in poppler-report.zip). When opened with Evince, specific files will cause a crash or an infinite loop. We did not investigate further to determine if the crashes were exploitable. As we think that these problems lie in libpoppler, we thought that it would be more useful to contact you directly instead of Evince's maintainer. If you can confirm to us that the defects described in 20150716_Vulnerability_Evince_export_v1.pdf will handled as vulnerabilities from your side, we will then contact the MITRE to request CVE identifiers. Do not hesitate to get back to me if you need further information on this report. Best regards, -- Julien Perrot Vulnerabilities and signatures unit ANSSI
Created attachment 117277 [details] detailed report and proof of concept files uploading the zip file again, in binary form this time
Any reason you used a 3 year old version of poppler?
Not to my knowledge, I'll check with the reporter
Could you please just attach the pdf that are malformed and you know they crash. The zip fil has a lot of files which do not crash and we don't have time to see which are supposed to crash and which not. Especially since this is against poppler 0.18 (and we are in 0.34) I see some files still crashing with newest poppler and evince, so there are some valuable examples here.
Hi, The file results-evince.pdf in poppler-report.zip (attached to this ticket) sums up the results with the proof of concept files. A green cell means that opening the corresponding sample file in Evince resulted in the expected behavior. Especially, the files below (available in sample-pdf-files.tgz) seem to cause a segfault when loaded (at least with libpoppler 0.18.4) : - structure/destname.pdf - structure/destname-auto.pdf - structure/pagelabels2.pdf - structure/pagelabels3.pdf The files below seem to provoke a 100% CPU usage : - structure/outlines.pdf - structure/outlines2.pdf - structure/outlines3.pdf - structure/outlines4.pdf - structure/outlines-auto.pdf - structure/outlines-auto2.pdf - structure/outlines-auto3.pdf - structure/outlines-auto4.pdf
Aha, there two bugs here (if no other file produces crash or 100% cpu usage) - the crash in the parser while reading destname.pdf or destname-auto.pdf (same backtrace) we need one bug for these files. - the 100% cpu usage for the outlines. by breaking the code while in 100% it seems we are getting stuck in rebuilding the outline tree, so probably there is some sort of loop link or sort. Haven't looked to the pdf yet, just gdb info. We need another bug for this as well.
Ran this files over last release with an ASAN-ized version pdftoppm and could not find anything problematic.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.