CVE-2017-2820 - Integer Overflow or Wraparound vulnerability in Freedesktop Poppler 0.53.0
Attack vector | Attack complexity | Privileges required | Confidentiality impact | Integrity impact | Availability impact |
---|---|---|---|---|---|
NETWORK | LOW | NONE | HIGH | HIGH | HIGH |

Summary
An exploitable integer overflow vulnerability exists in the JPEG 2000 image parsing functionality of freedesktop.org Poppler 0.53.0. A specially crafted PDF file can lead to an integer overflow causing out of bounds memory overwrite on the heap resulting in potential arbitrary code execution. To trigger this vulnerability, a victim must open the malicious PDF in an application using this library.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Forced Integer Overflow: This attack forces an integer variable to go out of range. The integer variable is often used as an offset, such as the size of a memory allocation. The attacker would typically control the value of such a variable and try to push it out of range. For instance, if the integer in question is incremented past the maximum possible value, it may wrap to become a very small or negative number, providing an incorrect value that can lead to unexpected behavior. At worst, the attacker can execute arbitrary code.
Nessus
NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201801-17.NASL
description: The remote host is affected by the vulnerability described in GLSA-201801-17 (Poppler: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in Poppler. Please review the CVE identifiers referenced below for details. Impact: A remote attacker, by enticing a user to open a specially crafted PDF, could execute arbitrary code or cause a Denial of Service condition. Workaround: There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 106116
published: 2018-01-18
reporter: This script is Copyright (C) 2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/106116
title: GLSA-201801-17 : Poppler: Multiple vulnerabilities
code:
```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201801-17.
#
# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(106116);
  script_version("3.3");
  script_cvs_date("Date: 2018/06/07 13:15:38");

  script_cve_id("CVE-2017-2820", "CVE-2017-7511", "CVE-2017-9083", "CVE-2017-9406", "CVE-2017-9408", "CVE-2017-9865");
  script_xref(name:"GLSA", value:"201801-17");

  script_name(english:"GLSA-201801-17 : Poppler: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:"The remote host is affected by the vulnerability described in GLSA-201801-17
(Poppler: Multiple vulnerabilities)
    Multiple vulnerabilities have been discovered in Poppler. Please review
      the CVE identifiers referenced below for details.
  Impact :
    A remote attacker, by enticing a user to open a specially crafted PDF,
      could execute arbitrary code or cause a Denial of Service condition.
  Workaround :
    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201801-17"
  );
  script_set_attribute(
    attribute:"solution",
    value:"All Poppler users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose '>=app-text/poppler-0.57.0-r1'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:poppler");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/01/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/18");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (qpkg_check(package:"app-text/poppler", unaffected:make_list("ge 0.57.0-r1"), vulnerable:make_list("lt 0.57.0-r1"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Poppler");
}
```
NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-3350-1.NASL
description: Aleksandar Nikolic discovered that poppler incorrectly handled JPEG 2000 images. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause a denial of service or possibly execute arbitrary code with privileges of the user invoking the program. (CVE-2017-2820) Jiaqi Peng discovered that the poppler pdfunite tool incorrectly parsed certain malformed PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to crash, resulting in a denial of service. (CVE-2017-7511) It was discovered that the poppler pdfunite tool incorrectly parsed certain malformed PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to hang, resulting in a denial of service. (CVE-2017-7515) It was discovered that poppler incorrectly handled JPEG 2000 images. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to crash, resulting in a denial of service. (CVE-2017-9083) It was discovered that poppler incorrectly handled memory when processing PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to consume resources, resulting in a denial of service. (CVE-2017-9406, CVE-2017-9408) Alberto Garcia, Francisco Oca, and Suleman Ali discovered that the poppler pdftocairo tool incorrectly parsed certain malformed PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to crash, resulting in a denial of service. (CVE-2017-9775). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 101354
published: 2017-07-10
reporter: Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/101354
title: Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : poppler vulnerabilities (USN-3350-1)
code:
```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3350-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(101354);
  script_version("3.14");
  script_cvs_date("Date: 2019/09/18 12:31:47");

  script_cve_id("CVE-2017-2820", "CVE-2017-7511", "CVE-2017-7515", "CVE-2017-9083", "CVE-2017-9406", "CVE-2017-9408", "CVE-2017-9775");
  script_xref(name:"USN", value:"3350-1");

  script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : poppler vulnerabilities (USN-3350-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Ubuntu host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:"Aleksandar Nikolic discovered that poppler incorrectly handled JPEG 2000
images. If a user or automated system were tricked into opening a
crafted PDF file, an attacker could cause a denial of service or
possibly execute arbitrary code with privileges of the user invoking
the program. (CVE-2017-2820)

Jiaqi Peng discovered that the poppler pdfunite tool incorrectly parsed
certain malformed PDF documents. If a user or automated system were
tricked into opening a crafted PDF file, an attacker could cause
poppler to crash, resulting in a denial of service. (CVE-2017-7511)

It was discovered that the poppler pdfunite tool incorrectly parsed
certain malformed PDF documents. If a user or automated system were
tricked into opening a crafted PDF file, an attacker could cause
poppler to hang, resulting in a denial of service. (CVE-2017-7515)

It was discovered that poppler incorrectly handled JPEG 2000 images. If
a user or automated system were tricked into opening a crafted PDF
file, an attacker could cause poppler to crash, resulting in a denial
of service. (CVE-2017-9083)

It was discovered that poppler incorrectly handled memory when
processing PDF documents. If a user or automated system were tricked
into opening a crafted PDF file, an attacker could cause poppler to
consume resources, resulting in a denial of service. (CVE-2017-9406,
CVE-2017-9408)

Alberto Garcia, Francisco Oca, and Suleman Ali discovered that the
poppler pdftocairo tool incorrectly parsed certain malformed PDF
documents. If a user or automated system were tricked into opening a
crafted PDF file, an attacker could cause poppler to crash, resulting
in a denial of service. (CVE-2017-9775).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/3350-1/"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpoppler-cpp0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpoppler-cpp0v5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpoppler-glib8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpoppler-qt4-4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpoppler-qt5-1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpoppler44");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpoppler58");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpoppler61");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpoppler64");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:poppler-utils");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.04");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/07/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/10");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(14\.04|16\.04|16\.10|17\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 16.10 / 17.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"14.04", pkgname:"libpoppler-cpp0", pkgver:"0.24.5-2ubuntu4.5")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"libpoppler-glib8", pkgver:"0.24.5-2ubuntu4.5")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"libpoppler-qt4-4", pkgver:"0.24.5-2ubuntu4.5")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"libpoppler-qt5-1", pkgver:"0.24.5-2ubuntu4.5")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"libpoppler44", pkgver:"0.24.5-2ubuntu4.5")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"poppler-utils", pkgver:"0.24.5-2ubuntu4.5")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"libpoppler-cpp0", pkgver:"0.41.0-0ubuntu1.2")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"libpoppler-glib8", pkgver:"0.41.0-0ubuntu1.2")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"libpoppler-qt4-4", pkgver:"0.41.0-0ubuntu1.2")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"libpoppler-qt5-1", pkgver:"0.41.0-0ubuntu1.2")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"libpoppler58", pkgver:"0.41.0-0ubuntu1.2")) flag++;
if (ubuntu_check(osver:"16.04", pkgname:"poppler-utils", pkgver:"0.41.0-0ubuntu1.2")) flag++;
if (ubuntu_check(osver:"16.10", pkgname:"libpoppler-cpp0v5", pkgver:"0.44.0-3ubuntu2.1")) flag++;
if (ubuntu_check(osver:"16.10", pkgname:"libpoppler-glib8", pkgver:"0.44.0-3ubuntu2.1")) flag++;
if (ubuntu_check(osver:"16.10", pkgname:"libpoppler-qt4-4", pkgver:"0.44.0-3ubuntu2.1")) flag++;
if (ubuntu_check(osver:"16.10", pkgname:"libpoppler-qt5-1", pkgver:"0.44.0-3ubuntu2.1")) flag++;
if (ubuntu_check(osver:"16.10", pkgname:"libpoppler61", pkgver:"0.44.0-3ubuntu2.1")) flag++;
if (ubuntu_check(osver:"16.10", pkgname:"poppler-utils", pkgver:"0.44.0-3ubuntu2.1")) flag++;
if (ubuntu_check(osver:"17.04", pkgname:"libpoppler-cpp0v5", pkgver:"0.48.0-2ubuntu2.1")) flag++;
if (ubuntu_check(osver:"17.04", pkgname:"libpoppler-glib8", pkgver:"0.48.0-2ubuntu2.1")) flag++;
if (ubuntu_check(osver:"17.04", pkgname:"libpoppler-qt4-4", pkgver:"0.48.0-2ubuntu2.1")) flag++;
if (ubuntu_check(osver:"17.04", pkgname:"libpoppler-qt5-1", pkgver:"0.48.0-2ubuntu2.1")) flag++;
if (ubuntu_check(osver:"17.04", pkgname:"libpoppler64", pkgver:"0.48.0-2ubuntu2.1")) flag++;
if (ubuntu_check(osver:"17.04", pkgname:"poppler-utils", pkgver:"0.48.0-2ubuntu2.1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libpoppler-cpp0 / libpoppler-cpp0v5 / libpoppler-glib8 / etc");
}
```
Seebug
bulletinFamily | exploit |
description |
### Summary
An exploitable integer overflow vulnerability exists in the JPEG 2000 image parsing functionality of freedesktop.org Poppler 0.53.0. A specially crafted PDF file can lead to an integer overflow causing out of bounds memory overwrite on the heap resulting in potential arbitrary code execution. To trigger this vulnerability, a victim must open the malicious PDF in an application using this library.

### Tested Versions
Poppler 0.53

### Product URLs
https://poppler.freedesktop.org/

### CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

### CWE
CWE-190: Integer Overflow or Wraparound

### Details
Poppler is a popular open source PDF parser library. It is used by default in many open source PDF viewers. The library itself implements a decoder for JPEG 2000 encoded images instead of relying on a more complete implementation (such as OpenJPEG), although it does warn about this at compile time and strongly suggests that OpenJPEG be used. By default, this internal implementation will be used by applications. That is the case with the libpoppler binary shipped by the latest Ubuntu version, which is used by the default PDF viewer, Evince.

When processing a PDF file with an embedded JPEG 2000 image (specified with a `JPXDecode` stream), the `JPXStream.cc` source file will be used to render the image. Eventually, the method `readTilePart` will be invoked and will process the image tile parts according to data in the SOT, SIZ and COD elements. When multiple levels are specified inside a COD element, the code will loop that many times, starting at line 1961:

```
for (r = 0; r <= tileComp->nDecompLevels; ++r) {
  resLevel = &tileComp->resLevels[r];
  k = r == 0 ? tileComp->nDecompLevels
             : tileComp->nDecompLevels - r + 1;
  resLevel->x0 = jpxCeilDivPow2(tileComp->x0, k);
  resLevel->y0 = jpxCeilDivPow2(tileComp->y0, k);
  resLevel->x1 = jpxCeilDivPow2(tileComp->x1, k);
  resLevel->y1 = jpxCeilDivPow2(tileComp->y1, k);
  if (r == 0) {
    resLevel->bx0[0] = resLevel->x0;
    resLevel->by0[0] = resLevel->y0;
    resLevel->bx1[0] = resLevel->x1;
    resLevel->by1[0] = resLevel->y1;
  } else {
    resLevel->bx0[0] = jpxCeilDivPow2(tileComp->x0 - (1 << (k-1)), k);
    resLevel->by0[0] = resLevel->y0;
    resLevel->bx1[0] = jpxCeilDivPow2(tileComp->x1 - (1 << (k-1)), k);   // [1]
    resLevel->by1[0] = resLevel->y1;
    resLevel->bx0[1] = resLevel->x0;
    resLevel->by0[1] = jpxCeilDivPow2(tileComp->y0 - (1 << (k-1)), k);
    resLevel->bx1[1] = resLevel->x1;
    resLevel->by1[1] = jpxCeilDivPow2(tileComp->y1 - (1 << (k-1)), k);
    resLevel->bx0[2] = jpxCeilDivPow2(tileComp->x0 - (1 << (k-1)), k);
```

In the above excerpt, it can be observed that the zeroth level is processed in one way, while the remaining levels are processed differently, with more arithmetic. The first integer overflow can happen at [1] (and on other lines, but we'll use this one as the example). Specifically, if the value `tileComp->x1` is less than 2 to the power of the current level being processed, `tileComp->x1 - (1 << (k-1))` can result in a large value due to integer overflow. Then, when the `jpxCeilDivPow2` macro is executed, in almost all cases the result is 0, but a single value of k lets the overflow persist after the `jpxCeilDivPow2` call, resulting in a large positive result of the division instead of 0. This later leads to out of bounds heap access.

```
subband->x1 = resLevel->bx1[sb];   // [2]
subband->y1 = resLevel->by1[sb];
subband->nXCBs = jpxCeilDivPow2(subband->x1,   // [3]
                                tileComp->codeBlockW)
                 - jpxFloorDivPow2(subband->x0, tileComp->codeBlockW);
```

In the above code, when `sb` is equal to 0, the overflown value from the previous calculation ends up in `subband->x1` at [2] and figures into the calculation at [3], effectively setting `subband->nXCBs` to a non-zero value. This further leads to a loop being entered when it shouldn't be, leading to further corruption:

```
for (cbY = 0; cbY < subband->nYCBs; ++cbY) {
  for (cbX = 0; cbX < subband->nXCBs; ++cbX) {   // [4]
    cb->x0 = (sbx0 + cbX) << tileComp->codeBlockW;
    cb->x1 = cb->x0 + tileComp->cbW;
    …
    …
    for (cbj = 0; cbj < cb->y1 - cb->y0; ++cbj) {
      for (cbi = 0; cbi < cb->x1 - cb->x0; ++cbi) {
        cb->coeffs[cbj * tileComp->w + cbi] = 0;   // [5]
      }
    }
    memset(cb->touched, 0, (1 << (tileComp->codeBlockW + tileComp->codeBlockH)));
    cb->arithDecoder = NULL;
    cb->stats = NULL;
    ++cb;
```

Because `subband->nXCBs` is positive, the loop at [4] will be entered, ultimately leading to an out of bounds write at [5]. Most of the indices and offsets that figure in the above code come directly from the JPEG 2000 file, giving control over the out of bounds write and leaving space for further memory manipulation.

This vulnerability can be triggered with the poppler PDF utilities if the library is built to use the internal JPX decoder. As previously mentioned, the official binaries shipped with the latest Ubuntu distribution use this decoder, so the vulnerability can be triggered through the `evince-thumbnailer` application. This means that in order to trigger the vulnerability, it is enough for the victim to view the directory where the malicious file is located.

### Crash Information
```
Valgrind output:
==11527== Invalid write of size 4
==11527==    at 0xFC2DD8C: JPXStream::readTilePart() (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC2F0B6: JPXStream::readCodestream(unsigned int) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC312D4: JPXStream::readBoxes() (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC31715: JPXStream::reset() (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xF59C4A1: CairoOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int*, bool) (in /usr/lib/x86_64-linux-gnu/libpoppler-glib.so.8.7.0)
==11527==    by 0xFC7A389: Gfx::doImage(Object*, Stream*, bool) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC7B6A7: Gfx::opXObject(Object*, int) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC7597D: Gfx::go(bool) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC75E1F: Gfx::display(Object*, bool) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFCBBF44: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xF584791: _poppler_page_render(_PopplerPage*, _cairo*, bool, PopplerPrintFlags) (in /usr/lib/x86_64-linux-gnu/libpoppler-glib.so.8.7.0)
==11527==    by 0xF355400: ??? (in /usr/lib/x86_64-linux-gnu/evince/4/backends/libpdfdocument.so)
==11527==  Address 0x13f6efd4 is 0 bytes after a block of size 4 alloc'd
==11527==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11527==    by 0xFD040CE: gmallocn (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC2D9C9: JPXStream::readTilePart() (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC2F0B6: JPXStream::readCodestream(unsigned int) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC312D4: JPXStream::readBoxes() (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC31715: JPXStream::reset() (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xF59C4A1: CairoOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int*, bool) (in /usr/lib/x86_64-linux-gnu/libpoppler-glib.so.8.7.0)
==11527==    by 0xFC7A389: Gfx::doImage(Object*, Stream*, bool) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC7B6A7: Gfx::opXObject(Object*, int) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC7597D: Gfx::go(bool) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC75E1F: Gfx::display(Object*, bool) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFCBBF44: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==
==11527==
==11527== HEAP SUMMARY:
==11527==     in use at exit: 604,867 bytes in 6,752 blocks
==11527==   total heap usage: 206,871 allocs, 200,119 frees, 188,964,491 bytes allocated
==11527==
==11527== LEAK SUMMARY:
==11527==    definitely lost: 0 bytes in 0 blocks
==11527==    indirectly lost: 0 bytes in 0 blocks
==11527==      possibly lost: 2,024 bytes in 25 blocks
==11527==    still reachable: 598,779 bytes in 6,699 blocks
==11527==                       of which reachable via heuristic:
==11527==                         length64           : 3,752 bytes in 29 blocks
==11527==                         newarray           : 1,920 bytes in 40 blocks
==11527==         suppressed: 0 bytes in 0 blocks
==11527== Rerun with --leak-check=full to see details of leaked memory
==11527==
==11527== For counts of detected and suppressed errors, rerun with: -v
==11527== ERROR SUMMARY: 3 errors from 1 contexts (suppressed: 0 from 0)
```

### Mitigation
Mitigation for this vulnerability can involve making sure that the library is compiled to use the OpenJPEG library instead of its internal parser.

### Timeline
* 2017-05-16 - Vendor Disclosure
* 2017-07-07 - Public Release

### CREDIT
* Discovered by Aleksandar Nikolic of Cisco Talos.
id | SSV:96475 |
last seen | 2017-11-19 |
modified | 2017-09-14 |
published | 2017-09-14 |
reporter | Root |
title | Poppler PDF library JPEG 2000 levels Code Execution Vulnerability (CVE-2017-2820) |
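The band-coordinate arithmetic from the Details section above, modelled as a stand-alone C program (an added example, not Poppler's code). It assumes the usual definitions of the `jpxCeilDivPow2` and `jpxFloorDivPow2` macros (`((x) + (1 << k) - 1) >> k` and `x >> k`), 32-bit unsigned tile coordinates, and x86 shift-count masking (a shift by 32 acts as a shift by 0), which is what lets one value of k survive the ceil-division; the tile geometry is constructed. It traces the wrapped value from [1] into the code-block count at [3] beside a bounds-checked version that yields 0 for every level.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from Poppler). Assumed macro definitions:
 *   jpxCeilDivPow2(x, k)  == ((x) + (1 << (k)) - 1) >> (k)
 *   jpxFloorDivPow2(x, k) == (x) >> (k)
 * Tile coordinates are 32-bit unsigned, so "x1 - (1 << (k-1))" wraps
 * instead of going negative. 1 << 32 is undefined in C, so the x86 rule
 * (shift count masked to 5 bits) is modelled explicitly. */
static uint32_t shl1(unsigned k) { return 1u << (k & 31); }
static uint32_t shr(uint32_t x, unsigned k) { return x >> (k & 31); }

static uint32_t jpx_ceil_div_pow2(uint32_t x, unsigned k) {
    return shr(x + shl1(k) - 1u, k);
}
static uint32_t jpx_floor_div_pow2(uint32_t x, unsigned k) { return shr(x, k); }

/* The expression at [1]: jpxCeilDivPow2(coord - (1 << (k-1)), k).
 * For coord < 2^(k-1) the subtraction wraps to a value close to 2^32. */
static uint32_t band_coord_vulnerable(uint32_t coord, unsigned k) {
    return jpx_ceil_div_pow2(coord - shl1(k - 1), k);
}

/* Same quantity without wraparound: ceil((coord - 2^(k-1)) / 2^k).
 * If coord < 2^(k-1) the true quotient lies in [-1/2, 0), so the answer
 * is 0; otherwise 64-bit arithmetic keeps every intermediate in range.
 * JPEG 2000 allows 0..32 decomposition levels, so k is at most 32. */
static uint32_t band_coord_hardened(uint32_t coord, unsigned k) {
    if (k == 0 || k > 32) return 0;            /* invalid level count */
    uint64_t half = (uint64_t)1 << (k - 1);
    if (coord < half) return 0;
    uint64_t num = (uint64_t)coord - half;
    return (uint32_t)((num + ((uint64_t)1 << k) - 1) >> k);
}

/* Code-block count across the sub-band, as computed at [3]. */
static uint32_t subband_nxcbs(uint32_t sb_x0, uint32_t sb_x1, unsigned cbw) {
    return jpx_ceil_div_pow2(sb_x1, cbw) - jpx_floor_div_pow2(sb_x0, cbw);
}

/* Walk levels 1..32 for one coordinate and report the first k at which the
 * vulnerable expression disagrees with the hardened one (0 if none). */
static unsigned first_persisting_level(uint32_t coord) {
    for (unsigned k = 1; k <= 32; ++k)
        if (band_coord_vulnerable(coord, k) != band_coord_hardened(coord, k))
            return k;
    return 0;
}

typedef struct { uint32_t bx0, bx1, nxcbs; } band0_t;

/* Sub-band 0 of resolution level k for a tile-component spanning [x0, x1),
 * with or without the bounds check. */
static band0_t band0(uint32_t x0, uint32_t x1, unsigned k, unsigned cbw, int hardened) {
    band0_t b;
    b.bx0 = hardened ? band_coord_hardened(x0, k) : band_coord_vulnerable(x0, k);
    b.bx1 = hardened ? band_coord_hardened(x1, k) : band_coord_vulnerable(x1, k);
    b.nxcbs = subband_nxcbs(b.bx0, b.bx1, cbw);
    return b;
}

int main(void) {
    /* Constructed geometry: a 5-pixel-wide component, 64-wide code-blocks
     * (codeBlockW exponent 6), the maximum 32 decomposition levels in COD. */
    const uint32_t x0 = 0, x1 = 5;
    const unsigned cbw = 6;
    unsigned k = first_persisting_level(x1);
    if (k == 0) { puts("no level lets the wrap survive"); return 0; }
    printf("first level where the wrap survives jpxCeilDivPow2: k = %u\n", k);
    band0_t v = band0(x0, x1, k, cbw, 0), h = band0(x0, x1, k, cbw, 1);
    printf("vulnerable: bx0=0x%08x bx1=0x%08x nXCBs=%u\n", v.bx0, v.bx1, v.nxcbs);
    printf("hardened:   bx0=0x%08x bx1=0x%08x nXCBs=%u\n", h.bx0, h.bx1, h.nxcbs);
    return 0;
}
```

For every other level the wrapped numerator is folded back below 2^k by the `+ (1 << k) - 1` step and the shift returns 0, which is why the bug only surfaces at one level count and is easy to miss in testing.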
Talos
id | TALOS-2017-0321 |
last seen | 2019-05-29 |
published | 2017-07-07 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0321 |
title | Poppler PDF library JPEG 2000 levels Code Execution Vulnerability |