
Bug#968354: marked as done (xpdf crash with empty document)



Your message dated Thu, 28 Jan 2021 08:19:59 +0000
with message-id <E1l52X1-0008Hm-Vu@fasolo.debian.org>
and subject line Bug#968354: fixed in xpdf 3.04+git20210103-1
has caused the Debian Bug report #968354,
regarding xpdf crash with empty document
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
968354: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968354
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: xpdf
Version: 3.04-13
Severity: normal
Tag: security

On Debian Bullseye this crashes xpdf with coredump:

touch x.pdf; xpdf x.pdf

Funny, after a 2-byte Virtualbox (and now qemu) crash, this is 
the shortest input for a DoS-bug I have seen so far :-)

For xpdf this bug itself is not really a security risk: an attacker
could also send a white page document or no document at all if
he wants the victim not to see a document. Still someone familiar
with the code should look at it, maybe some half-broken document
could turn the NULL-dereference into something more useful.

rax            0x0                 0

   0x000055555556e6d0 <+16>:    je     0x55555556e6e0 <XPDFCore::loadFile(GooString const*, GooString*, GooString*)+32>
   0x000055555556e6d2 <+18>:    mov    %ebp,%eax
   0x000055555556e6d4 <+20>:    pop    %rbx
   0x000055555556e6d5 <+21>:    pop    %rbp
   0x000055555556e6d6 <+22>:    pop    %r12
   0x000055555556e6d8 <+24>:    retq   
   0x000055555556e6d9 <+25>:    nopl   0x0(%rax)
   0x000055555556e6e0 <+32>:    mov    0x8(%rbx),%rax
=> 0x000055555556e6e4 <+36>:    mov    (%rax),%rax   (doc is null)
   0x000055555556e6e7 <+39>:    mov    (%rax),%rdi 
   0x000055555556e6ea <+42>:    callq  0x55555557d730 <getModTime(char const*)>


Relevant source:

int XPDFCore::loadFile(const GString *fileName, GString *ownerPassword,
                       GString *userPassword) {
  int err;

  err = PDFCore::loadFile(fileName, ownerPassword, userPassword);
  if (err == errNone) {
    // save the modification time
    modTime = getModTime(doc->getFileName()->getCString());

    // update the parent window
    if (updateCbk) {
      (*updateCbk)(updateCbkData, doc->getFileName(), -1,
                   doc->getNumPages(), NULL);
    }
  }
  return err;
}

(gdb) print doc
$1 = (PDFDoc *) 0x0

If I understand correctly, "PDFCore::loadFile" does not return
an error when processing an empty file, but also does not set
the static variable "doc". This seems to be due to "xpdf/PDFCore.cc":

int PDFCore::loadFile2(PDFDoc *newDoc) {
  int err;
  double w, h, t;
  int i;

  // open the PDF file
  if (!newDoc->isOk()) {
    err = newDoc->getErrorCode();
    delete newDoc;
    return err;
  }

...

The PDFDoc seems to come from "libpoppler.so.82" already and
detects the problem:

Syntax Error: Document stream is empty

On a quick glance I could not see how this may result in !isOk()
but also "err" not set correctly. If the error should be in libpoppler,
then this is the relevant version:

ii  libpoppler82:amd64                   0.71.0-6                            amd64        PDF rendering library

--- End Message ---
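The report boils down to a broken invariant: the caller in XPDFCore::loadFile assumes that errNone means `doc` was set, and the loader violated that for a zero-byte file. The following is an added illustration, not code from xpdf or poppler, that models that control flow with stand-in types (`Doc`, `openDoc`, `BuggyCore`, `FixedCore` and the two caller variants are all hypothetical names). It shows both places where the crash can be stopped: restoring the invariant in the loader, and refusing to trust "success without a document" in the caller. The `BuggyCore` failure path (dropping the error code) is only a model of the observed symptom; the report does not establish the real cause.

```cpp
// Added illustration, not xpdf's or poppler's code. Models the control flow
// from the bug report: a loader reports errNone while leaving `doc` null and
// the caller (mirroring the quoted XPDFCore::loadFile) dereferences it.
#include <cstddef>
#include <string>
#include <vector>

enum ErrorCode { errNone = 0, errOpenFile = 1, errDamaged = 2 };

struct Doc {                 // stand-in for PDFDoc
    std::string fileName;
    int numPages;
};

// Stand-in for building a PDFDoc from bytes: a zero-length stream is "not ok",
// mirroring the "Document stream is empty" syntax error seen in the report.
static Doc* openDoc(const std::string& name, const std::vector<unsigned char>& bytes,
                    int& err) {
    if (bytes.empty()) { err = errDamaged; return nullptr; }
    err = errNone;
    return new Doc{name, 1};
}

// Hypothetical loader reproducing the symptom: the failure path returns errNone
// and never assigns `doc`. (Only a model of the observed behaviour.)
struct BuggyCore {
    Doc* doc = nullptr;
    ~BuggyCore() { delete doc; }
    int loadFile(const std::string& name, const std::vector<unsigned char>& bytes) {
        int err;
        Doc* newDoc = openDoc(name, bytes, err);
        if (!newDoc) return errNone;   // defect: error code dropped, doc left null
        delete doc;
        doc = newDoc;
        return errNone;
    }
};

// Fixed loader: the invariant "err == errNone  <=>  doc != nullptr" always holds.
struct FixedCore {
    Doc* doc = nullptr;
    ~FixedCore() { delete doc; }
    int loadFile(const std::string& name, const std::vector<unsigned char>& bytes) {
        int err;
        Doc* newDoc = openDoc(name, bytes, err);
        if (!newDoc) return err == errNone ? errOpenFile : err;  // never "succeed" without a doc
        delete doc;
        doc = newDoc;
        return errNone;
    }
};

// Caller mirroring the quoted XPDFCore::loadFile: trusts errNone and
// dereferences doc. With BuggyCore and empty input this is the reported crash.
template <class Core>
int loadFileUnchecked(Core& core, const std::string& name,
                      const std::vector<unsigned char>& bytes, std::string& nameOut) {
    int err = core.loadFile(name, bytes);
    if (err == errNone) {
        nameOut = core.doc->fileName;   // null dereference if the invariant is broken
    }
    return err;
}

// Hardened caller: defence in depth, independent of which loader sits behind it.
template <class Core>
int loadFileChecked(Core& core, const std::string& name,
                    const std::vector<unsigned char>& bytes, std::string& nameOut) {
    int err = core.loadFile(name, bytes);
    if (err == errNone && core.doc == nullptr) {
        return errOpenFile;   // "success" without a document is an error, not a crash
    }
    if (err == errNone) {
        nameOut = core.doc->fileName;
    }
    return err;
}

// Constructed inputs: the report's `touch x.pdf` (zero bytes) and a non-empty file.
static const std::vector<unsigned char> kEmptyFile;
static const std::vector<unsigned char> kNonEmptyFile = {'%', 'P', 'D', 'F'};

// Scenario helpers returning what the caller observes.
int emptyFileThroughBuggyCoreChecked() {
    BuggyCore core; std::string n;
    return loadFileChecked(core, "x.pdf", kEmptyFile, n);   // errOpenFile, no crash
}
int emptyFileThroughFixedCoreUnchecked() {
    FixedCore core; std::string n;
    return loadFileUnchecked(core, "x.pdf", kEmptyFile, n); // errDamaged, doc never touched
}
bool nonEmptyFileThroughFixedCoreOk() {
    FixedCore core; std::string n;
    int err = loadFileUnchecked(core, "ok.pdf", kNonEmptyFile, n);
    return err == errNone && n == "ok.pdf" && core.doc != nullptr && core.doc->numPages == 1;
}
```

The caller-side check costs one comparison and turns an attacker-triggerable crash into an ordinary "could not open" error, which is the behaviour to keep even after the loader is fixed, since the invariant is spread across two libraries.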
--- Begin Message ---
Source: xpdf
Source-Version: 3.04+git20210103-1
Done: Florian Schlichting <fsfs@debian.org>

We believe that the bug you reported is fixed in the latest version of
xpdf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 968354@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Schlichting <fsfs@debian.org> (supplier of updated xpdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 28 Jan 2021 15:58:32 +0800
Source: xpdf
Architecture: source
Version: 3.04+git20210103-1
Distribution: unstable
Urgency: medium
Maintainer: Florian Schlichting <fsfs@debian.org>
Changed-By: Florian Schlichting <fsfs@debian.org>
Closes: 606885 848631 863382 942086 945188 968354 971805 977182
Changes:
 xpdf (3.04+git20210103-1) unstable; urgency=medium
 .
   * Import new upstream version 3.04+git20210103
     + switch to xpopple as new upstream (closes: #977182)
     + fix obvious memory leaks (closes: #945188, #942086)
     + no longer crash on empty documents (closes: #968354)
     + properly ask for passwords (closes: #606885)
     + correctly recognize working and document obsolete config file commands
       (closes: #971805, #863382)
   * Drop patches, all applied in (or obsoleted by) xpopple upstream
   * Bump dh compat to level 13
   * Greatly simplify d/rules (but keep linking to libpaper)
   * Keep installing our xpdf wrapper script
   * Ensure wrapper script correctly handles all xpdf options
   * Add wrapper script options back to xpdf manpage
   * Drop obsolete language support files and infrastructure
   * Mention new upstream in relevant places, drop d/watch
   * Adopt xpdf (closes: #848631)
   * Ship TODO in docs
   * Add Rules-Requires-Root: no
   * Declare compliance with Debian Policy 4.5.1
Checksums-Sha1:
 40e2a06d4197afe5c59194743175ed5cb76bce55 1954 xpdf_3.04+git20210103-1.dsc
 c49eefa7d8a2359fa6f75d97753547340fe1158a 123005 xpdf_3.04+git20210103.orig.tar.gz
 4b83474cdabc693f1bdf1f7c1c778c0446157781 23668 xpdf_3.04+git20210103-1.debian.tar.xz
 9cad89f4b3518e7f8d6e58980da150431e24b8e0 8092 xpdf_3.04+git20210103-1_amd64.buildinfo
Checksums-Sha256:
 3e47cdedacae84aee3ec1cbf3151698afe3a2ca83bd0aaa4611dbaf0487968e5 1954 xpdf_3.04+git20210103-1.dsc
 8c00465f2e362377459ec6d82c0bfe2df9b80ddd98d602e08f41c988efa56fc0 123005 xpdf_3.04+git20210103.orig.tar.gz
 6504e23ca0ce5e8a91b17973d6fc5e73aefe0ccadba73707a1de4721d2f2ecce 23668 xpdf_3.04+git20210103-1.debian.tar.xz
 bfc3e2a91a4a4df46f6aca43efbafdbd6b91350dbb0928ab31fdab3059e503cc 8092 xpdf_3.04+git20210103-1_amd64.buildinfo
Files:
 b38ab56c1cc5eeef1ece34a05a280648 1954 text optional xpdf_3.04+git20210103-1.dsc
 80eaa44277edac0f6de780f13e1bb350 123005 text optional xpdf_3.04+git20210103.orig.tar.gz
 0662269a02ad92d16e0d2fced32301e5 23668 text optional xpdf_3.04+git20210103-1.debian.tar.xz
 e61a6d01cc94f6b03260a1c1a09f2f78 8092 text optional xpdf_3.04+git20210103-1_amd64.buildinfo


--- End Message ---
