List: oss-security
Subject: [oss-security] Re: null-pointer dereference in poppler library
From: Dhiraj Mishra <mishra.dhiraj95 () gmail ! com>
Date: 2018-11-11 17:43:14
Message-ID: CAG8b5tS4=cCT+dmaoeqT3eF6_xoQLLBRuoRYy_C855pXmeQM-g () mail ! gmail ! com
Later CVE-2018-19149 was assigned to this, because that fuzzing result
shows that a very important vulnerability in a package currently shipped by a
major Linux distribution is still of interest, even if that Linux
distribution does not package the latest released upstream version.
For example, an out-of-bounds write finding is still very useful in that
case, but not out-of-bounds read, NULL pointer dereference,
divide-by-zero, etc.
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19149
On Sat, Nov 10, 2018 at 4:22 PM Dhiraj Mishra <mishra.dhiraj95@gmail.com>
wrote:
> ## Summary
>
> While fuzzing evince v3.28.4 on Linux 4.15.0-38-generic (Ubuntu 18.04
> LTS), a null-pointer dereference was observed. Initially this was reported
> to evince, but the evince team advised that the issue is in poppler, the
> library used by evince to render PDF. Poppler version 0.62.0-2ubuntu2.2 is
> vulnerable to the null-pointer dereference; the issue is already fixed
> in poppler 0.70, but this will still crash your evince v3.28.4 if poppler
> is not updated to v0.70.
>
> ## Debug
>
> (gdb) run NullPointerDeference.h_134
> Starting program: /usr/bin/evince NullPointerDeference.h_134
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> [New Thread 0x7fd84d3cf700 (LWP 17587)]
> [New Thread 0x7fd84cbce700 (LWP 17588)]
> [New Thread 0x7fd84718c700 (LWP 17589)]
> [New Thread 0x7fd84651c700 (LWP 17594)]
> [New Thread 0x7fd845b0e700 (LWP 17596)]
> [New Thread 0x7fd83223e700 (LWP 17597)]
>
> Thread 7 "EvJobScheduler" received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7fd83223e700 (LWP 17597)]
> 0x00007fd8315f629a in _poppler_attachment_new(FileSpec*) () from
> /usr/lib/x86_64-linux-gnu/libpoppler-glib.so.8
> (gdb) bt
> #0 0x00007fd8315f629a in _poppler_attachment_new(FileSpec*) () at
> /usr/lib/x86_64-linux-gnu/libpoppler-glib.so.8
> #1 0x00007fd8315fa14a in poppler_annot_file_attachment_get_attachment ()
> at /usr/lib/x86_64-linux-gnu/libpoppler-glib.so.8
> #2 0x00007fd83183673d in () at
> /usr/lib/x86_64-linux-gnu/evince/4/backends/libpdfdocument.so
> #3 0x00007fd8592c3bfa in () at /usr/lib/x86_64-linux-gnu/libevview3.so.3
> #4 0x00007fd8592c5c02 in () at /usr/lib/x86_64-linux-gnu/libevview3.so.3
> #5 0x00007fd856bbee85 in () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
> #6 0x00007fd8565956db in start_thread (arg=0x7fd83223e700) at
> pthread_create.c:463
> #7 0x00007fd8562be88f in clone () at
> ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
> (gdb) i r
> rax 0x0 0
> rbx 0x0 0
> rcx 0x0 0
> rdx 0x0 0
> rsi 0x7fd82c0587c0 140566428223424
> rdi 0x55720784c640 93948240774720
> rbp 0x7fd834004a90 0x7fd834004a90
> rsp 0x7fd83223d9e0 0x7fd83223d9e0
> r8 0xffffffffffffffb0 -80
> r9 0x10 16
> r10 0x7fd82c0008d0 140566427863248
> r11 0x1 1
> r12 0x7fd82c0587c0 140566428223424
> r13 0x7fd834004a80 140566562097792
> r14 0x5572072f5a60 93948235176544
> r15 0x0 0
> rip 0x7fd8315f629a 0x7fd8315f629a
> <_poppler_attachment_new(FileSpec*)+122>
> eflags 0x10206 [ PF IF RF ]
> cs 0x33 51
> ss 0x2b 43
> ds 0x0 0
> es 0x0 0
> fs 0x0 0
> gs 0x0 0
> (gdb) info reg ebp rip
> ebp 0x34004a90 872434320
> rip 0x7fd8315f629a 0x7fd8315f629a
> <_poppler_attachment_new(FileSpec*)+122>
> (gdb)
>
>
--
Regards
Dhiraj Mishra. GPG ID : 51720F56 | Fingerprint : 1F6A FC7B 05AA CF29
8C1C ED65 3233 4D18 5172 0F56
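Added illustration, not code from the post above and not poppler's own source: the trace shows a constructor, _poppler_attachment_new(FileSpec*), segfaulting while a file-attachment annotation is turned into an attachment object. The model below uses hypothetical EmbFile, FileSpec and Attachment stand-ins (assumed field names, not poppler's real types) to put the unchecked shape of such a constructor beside a hardened one that treats a file specification with no embedded file as "no attachment" instead of trusting it. The sample inputs are constructed inline.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the PDF objects involved (not poppler's types). */
typedef struct {
    size_t size;                 /* length of the embedded stream */
    const unsigned char *data;
} EmbFile;

typedef struct {
    const char *filename;        /* from the /F or /UF entry; may be NULL */
    EmbFile *emb_file;           /* from /EF; NULL when absent or not a stream */
} FileSpec;

typedef struct {
    char *name;
    size_t size;
} Attachment;

/* Unchecked shape: assumes every FileSpec carries an embedded file.
 * A crafted annotation whose file specification has no embedded file
 * leaves emb_file NULL and this dereference faults with SIGSEGV. */
Attachment *attachment_new_unchecked(const FileSpec *spec)
{
    Attachment *a = calloc(1, sizeof *a);
    if (!a)
        return NULL;
    a->name = strdup(spec->filename);   /* also faults if filename is missing */
    a->size = spec->emb_file->size;     /* NULL pointer dereference */
    return a;
}

/* Hardened shape: a missing embedded file is an attacker-reachable input
 * state, so it is reported as "no attachment" (NULL) rather than trusted. */
Attachment *attachment_new_checked(const FileSpec *spec)
{
    if (spec == NULL || spec->emb_file == NULL)
        return NULL;

    Attachment *a = calloc(1, sizeof *a);
    if (!a)
        return NULL;
    a->name = strdup(spec->filename ? spec->filename : "");
    if (!a->name) {
        free(a);
        return NULL;
    }
    a->size = spec->emb_file->size;
    return a;
}

void attachment_free(Attachment *a)
{
    if (!a)
        return;
    free(a->name);
    free(a);
}

/* Caller-side contract for a getter that may return NULL: size of the
 * attachment, or -1 when the specification yields none. */
long attachment_size(const FileSpec *spec)
{
    Attachment *a = attachment_new_checked(spec);
    if (!a)
        return -1;
    long size = (long)a->size;
    attachment_free(a);
    return size;
}

/* Constructed sample inputs: one well-formed, one with no embedded file. */
static const unsigned char sample_bytes[] = "%PDF";          /* 5 bytes incl. NUL */
static EmbFile sample_emb = { sizeof sample_bytes, sample_bytes };
FileSpec good_spec = { "report.pdf", &sample_emb };
FileSpec bad_spec  = { "report.pdf", NULL };                  /* the crashing case */

int main(void)
{
    printf("good spec -> attachment size: %ld\n", attachment_size(&good_spec));
    printf("bad spec  -> attachment size: %ld\n", attachment_size(&bad_spec));
    /* attachment_new_unchecked(&bad_spec) would segfault here; it is kept
     * only to show the shape of the bug and is deliberately not called. */
    return 0;
}
```

The point for triage is the caller contract: once the constructor can return NULL for malformed input, every GLib-style getter built on it (here modelled by attachment_size) has to propagate that NULL instead of assuming an object exists, otherwise the crash simply moves one frame up the stack.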