[Bug 1023072] New: VUL-1: podofo: NULL pointer dereference in PdfInfo::GuessFormat (pdfinfo.cpp)
http://bugzilla.opensuse.org/show_bug.cgi?id=1023072

Bug ID: 1023072
Summary: VUL-1: podofo: NULL pointer dereference in PdfInfo::GuessFormat (pdfinfo.cpp)
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mikhail.kasimov@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Ref: http://seclists.org/oss-sec/2017/q1/267

==============================================

Description:
podofo is a C++ library to work with the PDF file format.

A fuzz on it discovered a NULL pointer access.

The upstream project does not allow me to open a new ticket, so I'm unable to communicate with them.

The complete ASan output:

# podofopdfinfo $FILE
==24654==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005149a7 bp 0x7ffe59e91e70 sp 0x7ffe59e91d80 T0)
==24654==The signal is caused by a READ memory access.
==24654==Hint: address points to the zero page.
    #0 0x5149a6 in PdfInfo::GuessFormat() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofopdfinfo/pdfinfo.cpp:210:19
    #1 0x512351 in PdfInfo::OutputDocumentInfo(std::ostream&) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofopdfinfo/pdfinfo.cpp:40:35
    #2 0x522132 in main /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofopdfinfo/podofopdfinfo.cpp:117:18
    #3 0x7fcaaf4b861f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #4 0x41e8f8 in _start (/usr/bin/podofopdfinfo+0x41e8f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofopdfinfo/pdfinfo.cpp:210:19 in PdfInfo::GuessFormat()
==24654==ABORTING

Affected version: 0.9.4
Fixed version: N/A
Commit fix: N/A
Credit: This bug was discovered by Agostino Sarubbo of Gentoo.
CVE: N/A
Reproducer: https://github.com/asarubbo/poc/blob/master/00133-podofo-nullptr-pdfinfo-cpp

Timeline:
2017-01-05: bug discovered
2017-02-01: blog post about the issue

Note: This bug was found with American Fuzzy Lop.

Permalink: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-p...

--
Agostino Sarubbo
Gentoo Linux Developer

==============================================

https://software.opensuse.org/package/podofo
TW: 0.9.4
42.(1|2): 0.9.3

--
You are receiving this mail because:
You are on the CC list for the bug.
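Triaging a fuzzer crash like this one starts with reading the sanitizer report. The following is an added example (not part of the bug report, the advisory, or podofo) that parses the ASan output quoted above, pulls out the faulting address and the top symbolized frame, and labels a read of the zero page as a NULL pointer dereference, i.e. a crash rather than a memory-corruption primitive. The regular expressions and the 4096-byte page threshold are assumptions of the example.

```python
import re

# ASan report as quoted in the bug description above (podofopdfinfo, podofo 0.9.4);
# the unresolved _start frame is left out because it carries no file:line.
ASAN_REPORT = """\
==24654==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005149a7 bp 0x7ffe59e91e70 sp 0x7ffe59e91d80 T0)
==24654==The signal is caused by a READ memory access.
==24654==Hint: address points to the zero page.
    #0 0x5149a6 in PdfInfo::GuessFormat() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofopdfinfo/pdfinfo.cpp:210:19
    #1 0x512351 in PdfInfo::OutputDocumentInfo(std::ostream&) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofopdfinfo/pdfinfo.cpp:40:35
    #2 0x522132 in main /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofopdfinfo/podofopdfinfo.cpp:117:18
SUMMARY: AddressSanitizer: SEGV /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofopdfinfo/pdfinfo.cpp:210:19 in PdfInfo::GuessFormat()
"""

HEADER_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
    r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?")
ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>.+?) (?P<file>\S+?):(?P<line>\d+)(?::\d+)?\s*$",
    re.MULTILINE)

PAGE_SIZE = 4096  # assumption: a fault below the first page is NULL (+ small offset)

def parse_asan_report(text):
    """Extract error kind, faulting address, access type and symbolized frames."""
    head = HEADER_RE.search(text)
    if head is None:
        raise ValueError("no AddressSanitizer error header found")
    access = ACCESS_RE.search(text)
    frames = [{"func": f["func"], "file": f["file"], "line": int(f["line"])}
              for f in FRAME_RE.finditer(text)]
    return {
        "kind": head["kind"],
        "address": int(head["addr"], 16) if head["addr"] else None,
        "access": access["access"] if access else None,
        "frames": frames,
    }

def classify(report):
    """A SEGV on the zero page is a NULL dereference: a crash/DoS, not a corruption bug."""
    if report["kind"] == "SEGV" and report["address"] is not None and report["address"] < PAGE_SIZE:
        return "null-deref-" + (report["access"] or "unknown").lower()
    return report["kind"].lower()

def crash_site(report):
    """Top symbolized frame as 'function (file:line)': the line a fix must guard."""
    top = report["frames"][0]
    return "%s (%s:%d)" % (top["func"], top["file"].rsplit("/", 1)[-1], top["line"])
```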