Message-ID: <CAG8b5tT5Ob5b1CD=nMFWkJTfVfwvREW3vGw=rpHruB6Tj+NJtw@mail.gmail.com>
Date: Sat, 10 Nov 2018 16:22:53 +0530
From: Dhiraj Mishra <mishra.dhiraj95@...il.com>
To: oss-security@...ts.openwall.com
Subject: null-pointer dereference in poppler library

## Summary

While fuzzing evince v3.28.4 on Linux 4.15.0-38-generic (Ubuntu 18.04 LTS), a null-pointer dereference was observed. This was initially reported to evince, but the evince team advised that the issue is in poppler, the library used by evince to render PDF. Poppler version 0.62.0-2ubuntu2.2 is vulnerable to the null-pointer dereference. The issue is already fixed in poppler 0.70, but it will still crash evince v3.28.4 if poppler is not updated to v0.70.

## Debug

```
(gdb) run NullPointerDeference.h_134
Starting program: /usr/bin/evince NullPointerDeference.h_134
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fd84d3cf700 (LWP 17587)]
[New Thread 0x7fd84cbce700 (LWP 17588)]
[New Thread 0x7fd84718c700 (LWP 17589)]
[New Thread 0x7fd84651c700 (LWP 17594)]
[New Thread 0x7fd845b0e700 (LWP 17596)]
[New Thread 0x7fd83223e700 (LWP 17597)]

Thread 7 "EvJobScheduler" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fd83223e700 (LWP 17597)]
0x00007fd8315f629a in _poppler_attachment_new(FileSpec*) () from /usr/lib/x86_64-linux-gnu/libpoppler-glib.so.8
(gdb) bt
#0  0x00007fd8315f629a in _poppler_attachment_new(FileSpec*) () at /usr/lib/x86_64-linux-gnu/libpoppler-glib.so.8
#1  0x00007fd8315fa14a in poppler_annot_file_attachment_get_attachment () at /usr/lib/x86_64-linux-gnu/libpoppler-glib.so.8
#2  0x00007fd83183673d in  () at /usr/lib/x86_64-linux-gnu/evince/4/backends/libpdfdocument.so
#3  0x00007fd8592c3bfa in  () at /usr/lib/x86_64-linux-gnu/libevview3.so.3
#4  0x00007fd8592c5c02 in  () at /usr/lib/x86_64-linux-gnu/libevview3.so.3
#5  0x00007fd856bbee85 in  () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#6  0x00007fd8565956db in start_thread (arg=0x7fd83223e700) at pthread_create.c:463
#7  0x00007fd8562be88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
(gdb) i r
rax            0x0                 0
rbx            0x0                 0
rcx            0x0                 0
rdx            0x0                 0
rsi            0x7fd82c0587c0      140566428223424
rdi            0x55720784c640      93948240774720
rbp            0x7fd834004a90      0x7fd834004a90
rsp            0x7fd83223d9e0      0x7fd83223d9e0
r8             0xffffffffffffffb0  -80
r9             0x10                16
r10            0x7fd82c0008d0      140566427863248
r11            0x1                 1
r12            0x7fd82c0587c0      140566428223424
r13            0x7fd834004a80      140566562097792
r14            0x5572072f5a60      93948235176544
r15            0x0                 0
rip            0x7fd8315f629a      0x7fd8315f629a <_poppler_attachment_new(FileSpec*)+122>
eflags         0x10206             [ PF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb) info reg ebp rip
ebp            0x34004a90          872434320
rip            0x7fd8315f629a      0x7fd8315f629a <_poppler_attachment_new(FileSpec*)+122>
(gdb)
```
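Added example, not part of the original report: a small triage script that parses a gdb transcript like the one above and flags the zero-valued pointer registers that mark this crash as a NULL dereference rather than a control-flow corruption. The register set and the classification heuristic are my own assumptions; the embedded log excerpt is copied from the report.

```python
import re

# Excerpt of the gdb transcript from the report above (trimmed); the format
# is what gdb prints for "bt" and "info registers" on x86-64.
GDB_LOG = """\
Thread 7 "EvJobScheduler" received signal SIGSEGV, Segmentation fault.
#0  0x00007fd8315f629a in _poppler_attachment_new(FileSpec*) () at /usr/lib/x86_64-linux-gnu/libpoppler-glib.so.8
#1  0x00007fd8315fa14a in poppler_annot_file_attachment_get_attachment () at /usr/lib/x86_64-linux-gnu/libpoppler-glib.so.8
rax            0x0                 0
rbx            0x0                 0
rcx            0x0                 0
rdx            0x0                 0
rsi            0x7fd82c0587c0      140566428223424
rdi            0x55720784c640      93948240774720
r8             0xffffffffffffffb0  -80
r15            0x0                 0
rip            0x7fd8315f629a      0x7fd8315f629a <_poppler_attachment_new(FileSpec*)+122>
"""

SIGNAL_RE = re.compile(r"received signal (SIG\w+)")
FRAME0_RE = re.compile(r"^#0\s+(0x[0-9a-f]+) in (\S+)", re.M)
REG_RE = re.compile(r"^(r[a-z0-9]{1,3})\s+(0x[0-9a-f]+)", re.M)
# Registers that usually hold the pointer being dereferenced (assumed set); a
# zero in one of them at a SIGSEGV is the usual signature of a NULL dereference.
GP_REGS = ("rax", "rbx", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15")

def parse_registers(log):
    """Map register name -> integer value from an 'info registers' dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(log)}

def triage(log):
    """Heuristic classification of a gdb crash transcript (no faulting address needed)."""
    sig = SIGNAL_RE.search(log)
    frame = FRAME0_RE.search(log)
    regs = parse_registers(log)
    zero_regs = [r for r in GP_REGS if regs.get(r) == 0]
    result = {
        "signal": sig.group(1) if sig else None,
        "function": frame.group(2) if frame else None,
        "pc": regs.get("rip"),
        "zero_regs": zero_regs,
    }
    # rip resolves to a symbolized function, so control flow was not hijacked;
    # the fault is a read/write through a register that holds NULL.
    if result["signal"] == "SIGSEGV" and zero_regs and frame:
        result["verdict"] = "likely NULL pointer dereference"
    else:
        result["verdict"] = "undetermined"
    return result
```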