[Secure-testing-team] Bug#887130: mupdf: CVE-2018-5686
Salvatore Bonaccorso
carnil at debian.org
Sun Jan 14 10:19:06 UTC 2018
Source: mupdf
Version: 1.5-1
Severity: important
Tags: security upstream
Forwarded: https://bugs.ghostscript.com/show_bug.cgi?id=698860
Hi,
the following vulnerability was published for mupdf.
CVE-2018-5686[0]:
| In MuPDF 1.12.0, there is an infinite loop vulnerability and
| application hang in the pdf_parse_array function (pdf/pdf-parse.c)
| because EOF is not considered. Remote attackers could leverage this
| vulnerability to cause a denial of service via a crafted pdf file.
Although not directly reproducible/verifiable with the reproducer
from the reporter at:
https://github.com/ProbeFuzzer/poc/raw/master/mupdf/mupdf_1-12-0_mutool_infinite-loop_pdf_parse_array.pdf
looking at the code leading to source/pdf/pdf-parse.c in the
pdf_parse_array function, EOF is not considered as well back to the
versions 1.5 (at least). From the upstream report:
----cut---------cut---------cut---------cut---------cut---------cut-----
On 1.12.0 (the latest version):
there is an infinite loop and application hang in the pdf_parse_array
function (source/pdf/pdf-parse.c), which could be triggered by the POC
with command: mutool draw $POC
Looking into the pdf_parse_array function (source/pdf/pdf-parse.c), we
found that the "while(1)" loop terminates only when the program
encountered a PDF_TOK_CLOSE_ARRAY token. However, the tokens could be
manipulated by a crafted pdf file, and an infinite loop happens when
PDF_TOK_CLOSE_ARRAY does not appear.
Recommended fix: the program should terminate when "EOF" token is
encountered. Therefore, we recommend adding following statements around
line 404.
    case PDF_TOK_EOF:
        goto end;
The code segment is:
361 pdf_parse_array(fz_context *ctx, pdf_document *doc, fz_stream *file, pdf_lexbuf *buf)
362 {
...
373     fz_try(ctx)
374     {
375         while (1)
376         {
377             tok = pdf_lex(ctx, file, buf);
...
402             switch (tok)
403             {
404             case PDF_TOK_CLOSE_ARRAY:
405                 op = ary;
406                 goto end;
...
462             }
463         }
464     end:
465         {}
466     }
...
472     return op;
473 }
POC:
https://github.com/ProbeFuzzer/poc/blob/master/mupdf/mupdf_1-12-0_mutool_infinite-loop_pdf_parse_array.pdf
backtrace:
#0 0x00007ffff66dd9d6 in __memmove_ssse3 () from /lib64/libc.so.6
#1 0x00007ffff6e97c58 in Reallocate (stack=0x7fffffffc3b0, new_size=140733826750448, old_ptr=0x7fff25c05800)
at ../../../../src/libsanitizer/asan/asan_allocator2.cc:485
#2 __asan::asan_realloc (p=p at entry=0x7fff25c05800, size=size at entry=2451898200, stack=stack at entry=0x7fffffffc3b0)
at ../../../../src/libsanitizer/asan/asan_allocator2.cc:615
#3 0x00007ffff6f08408 in __interceptor_realloc (ptr=0x7fff25c05800, size=2451898200)
at ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:83
#4 0x00000000006ae500 in do_scavenging_realloc (size=2451898200, p=0x7fff25c05800, ctx=0x60e00000df60) at source/fitz/memory.c:42
#5 fz_resize_array (ctx=ctx at entry=0x60e00000df60, p=0x7fff25c05800, count=count at entry=306487275, size=size at entry=8)
at source/fitz/memory.c:171
#6 0x00000000008c2cee in pdf_array_grow (obj=0x60400000d790, ctx=0x60e00000df60) at source/pdf/pdf-object.c:573
#7 pdf_array_push (ctx=0x60e00000df60, obj=0x60400000d790, item=<optimized out>) at source/pdf/pdf-object.c:722
#8 0x00000000008c3734 in pdf_array_push_drop (ctx=ctx at entry=0x60e00000df60, obj=obj at entry=0x60400000d790, item=0x1a6)
at source/pdf/pdf-object.c:734
#9 0x00000000008f2040 in pdf_parse_array (ctx=ctx at entry=0x60e00000df60, doc=doc at entry=0x631000014800, file=file at entry=0x60800000bf20,
buf=buf at entry=0x631000014980) at source/pdf/pdf-parse.c:460
#10 0x00000000008f1699 in pdf_parse_dict (ctx=ctx at entry=0x60e00000df60, doc=doc at entry=0x631000014800, file=file at entry=0x60800000bf20,
buf=buf at entry=0x631000014980) at source/pdf/pdf-parse.c:512
#11 0x00000000008f3057 in pdf_parse_ind_obj (ctx=ctx at entry=0x60e00000df60, doc=doc at entry=0x631000014800, file=<optimized out>,
buf=buf at entry=0x631000014980, onum=onum at entry=0x7fffffffd170, ogen=ogen at entry=0x7fffffffd1b0, ostmofs=0x61300000d6c0,
try_repair=0x7fffffffd1f0) at source/pdf/pdf-parse.c:650
#12 0x0000000000967db0 in pdf_cache_object (ctx=ctx at entry=0x60e00000df60, doc=doc at entry=0x631000014800, num=num at entry=6)
at source/pdf/pdf-xref.c:1929
#13 0x000000000096e322 in pdf_resolve_indirect (ctx=0x60e00000df60, ref=<optimized out>) at source/pdf/pdf-xref.c:2025
#14 0x000000000096e455 in pdf_resolve_indirect_chain (ctx=0x60e00000df60, ref=0x60300000e920) at source/pdf/pdf-xref.c:2051
#15 0x00000000008be80d in pdf_mark_obj (ctx=ctx at entry=0x60e00000df60, obj=obj at entry=0x60300000e920) at source/pdf/pdf-object.c:1610
#16 0x00000000008dceef in pdf_resources_use_overprint (ctx=ctx at entry=0x60e00000df60, rdb=rdb at entry=0x60300000e920)
at source/pdf/pdf-page.c:527
#17 0x00000000008e6995 in pdf_load_page (ctx=<optimized out>, doc=<optimized out>, number=<optimized out>) at source/pdf/pdf-page.c:1109
#18 0x000000000043731a in drawpage (ctx=ctx at entry=0x60e00000df60, doc=doc at entry=0x631000014800, pagenum=pagenum at entry=1)
at source/tools/mudraw.c:1044
#19 0x0000000000439167 in drawrange (ctx=ctx at entry=0x60e00000df60, doc=<optimized out>, range=<optimized out>,
range at entry=0x154da20 "1-N") at source/tools/mudraw.c:1196
#20 0x000000000043d091 in mudraw_main (argc=<optimized out>, argv=<optimized out>) at source/tools/mudraw.c:1919
#21 0x0000000000423d0f in main (argc=<optimized out>, argv=<optimized out>) at source/tools/mutool.c:127
----cut---------cut---------cut---------cut---------cut---------cut-----
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-5686
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5686
[1] https://bugs.ghostscript.com/show_bug.cgi?id=698860
[2] https://github.com/ProbeFuzzer/poc/raw/master/mupdf/mupdf_1-12-0_mutool_infinite-loop_pdf_parse_array.pdf
Regards,
Salvatore
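A reduced model of the loop described in the report, added here as an example and not MuPDF's own code: a toy lexer that, like the real one, keeps returning an EOF token once the input is exhausted, and a parser whose `handle_eof` switch selects between the reported behaviour (the only exit is the close-array token) and the recommended `case PDF_TOK_EOF: goto end;` fix. The iteration budget is an assumption used only to make the non-terminating case observable.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Simplified model of the pdf_parse_array loop (added example, not MuPDF code). */
enum tok { TOK_EOF, TOK_OPEN_ARRAY, TOK_CLOSE_ARRAY, TOK_INT, TOK_OTHER };

struct lexer { const char *s; size_t pos, len; };

/* Like pdf_lex at end of input: once exhausted, it keeps returning TOK_EOF. */
static enum tok lex(struct lexer *lx)
{
    while (lx->pos < lx->len && isspace((unsigned char)lx->s[lx->pos]))
        lx->pos++;
    if (lx->pos >= lx->len)
        return TOK_EOF;
    char c = lx->s[lx->pos++];
    if (c == '[') return TOK_OPEN_ARRAY;
    if (c == ']') return TOK_CLOSE_ARRAY;
    if (isdigit((unsigned char)c)) {
        while (lx->pos < lx->len && isdigit((unsigned char)lx->s[lx->pos]))
            lx->pos++;
        return TOK_INT;
    }
    return TOK_OTHER;
}

/* Parses "[ ... ]" from a constructed in-memory buffer. Returns the element
 * count on ']', -1 when the fix detects EOF on truncated input, -2 when the
 * iteration budget (assumed, for demonstration) runs out, i.e. the loop would
 * have spun forever as in the report, and -3 if the input does not start with '['. */
int parse_array(const char *src, int handle_eof, int max_iters)
{
    struct lexer lx = { src, 0, strlen(src) };
    int count = 0;
    if (lex(&lx) != TOK_OPEN_ARRAY)
        return -3;
    for (int iters = 0; iters < max_iters; iters++) {
        enum tok t = lex(&lx);
        switch (t) {
        case TOK_CLOSE_ARRAY:
            return count;        /* the only exit in the reported version */
        case TOK_EOF:
            if (handle_eof)      /* recommended fix: terminate on EOF */
                return -1;
            break;               /* bug: EOF ignored, loop keeps calling lex */
        default:
            count++;             /* element pushed, as pdf_array_push_drop does */
        }
    }
    return -2;
}
```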