CVE-2017-2820 - Integer Overflow or Wraparound vulnerability in Freedesktop Poppler 0.53.0

CVSS 8.8 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Tags: network, low complexity, freedesktop, CWE-190, nessus

Summary

An exploitable integer overflow vulnerability exists in the JPEG 2000 image parsing functionality of freedesktop.org Poppler 0.53.0. A specially crafted PDF file can lead to an integer overflow causing out of bounds memory overwrite on the heap resulting in potential arbitrary code execution. To trigger this vulnerability, a victim must open the malicious PDF in an application using this library.

Vulnerable Configurations

Part         Description   Count
Application  Freedesktop   1

Common Weakness Enumeration (CWE)

  • CWE-190: Integer Overflow or Wraparound

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset, such as the size of a memory allocation or similar. The attacker would typically control the value of such a variable and try to push it out of range. For instance, if the integer in question is incremented past the maximum possible value, it may wrap to become a very small or negative number, providing a badly incorrect value that can lead to unexpected behavior. At worst, the attacker can execute arbitrary code.

Nessus

  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201801-17.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201801-17 (Poppler: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in Poppler. Please review the CVE identifiers referenced below for details. Impact: A remote attacker, by enticing a user to open a specially crafted PDF, could execute arbitrary code or cause a Denial of Service condition. Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 106116
    published: 2018-01-18
    reporter: This script is Copyright (C) 2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/106116
    title: GLSA-201801-17 : Poppler: Multiple vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201801-17.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(106116);
      script_version("3.3");
      script_cvs_date("Date: 2018/06/07 13:15:38");
    
      script_cve_id("CVE-2017-2820", "CVE-2017-7511", "CVE-2017-9083", "CVE-2017-9406", "CVE-2017-9408", "CVE-2017-9865");
      script_xref(name:"GLSA", value:"201801-17");
    
      script_name(english:"GLSA-201801-17 : Poppler: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201801-17
    (Poppler: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in Poppler. Please review
          the CVE identifiers referenced below for details.
      
    Impact :
    
        A remote attacker, by enticing a user to open a specially crafted PDF,
          could execute arbitrary code or cause a Denial of Service condition.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201801-17"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Poppler users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=app-text/poppler-0.57.0-r1'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:poppler");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/01/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"app-text/poppler", unaffected:make_list("ge 0.57.0-r1"), vulnerable:make_list("lt 0.57.0-r1"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Poppler");
    }
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3350-1.NASL
    description: Aleksandar Nikolic discovered that poppler incorrectly handled JPEG 2000 images. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2017-2820) Jiaqi Peng discovered that the poppler pdfunite tool incorrectly parsed certain malformed PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to crash, resulting in a denial of service. (CVE-2017-7511) It was discovered that the poppler pdfunite tool incorrectly parsed certain malformed PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to hang, resulting in a denial of service. (CVE-2017-7515) It was discovered that poppler incorrectly handled JPEG 2000 images. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to crash, resulting in a denial of service. (CVE-2017-9083) It was discovered that poppler incorrectly handled memory when processing PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to consume resources, resulting in a denial of service. (CVE-2017-9406, CVE-2017-9408) Alberto Garcia, Francisco Oca, and Suleman Ali discovered that the poppler pdftocairo tool incorrectly parsed certain malformed PDF documents. If a user or automated system were tricked into opening a crafted PDF file, an attacker could cause poppler to crash, resulting in a denial of service. (CVE-2017-9775) Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 101354
    published: 2017-07-10
    reporter: Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101354
    title: Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : poppler vulnerabilities (USN-3350-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3350-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101354);
      script_version("3.14");
      script_cvs_date("Date: 2019/09/18 12:31:47");
    
      script_cve_id("CVE-2017-2820", "CVE-2017-7511", "CVE-2017-7515", "CVE-2017-9083", "CVE-2017-9406", "CVE-2017-9408", "CVE-2017-9775");
      script_xref(name:"USN", value:"3350-1");
    
      script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : poppler vulnerabilities (USN-3350-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Aleksandar Nikolic discovered that poppler incorrectly handled JPEG
    2000 images. If a user or automated system were tricked into opening a
    crafted PDF file, an attacker could cause a denial of service or
    possibly execute arbitrary code with privileges of the user invoking
    the program. (CVE-2017-2820)
    
    Jiaqi Peng discovered that the poppler pdfunite tool incorrectly
    parsed certain malformed PDF documents. If a user or automated system
    were tricked into opening a crafted PDF file, an attacker could cause
    poppler to crash, resulting in a denial of service. (CVE-2017-7511)
    
    It was discovered that the poppler pdfunite tool incorrectly parsed
    certain malformed PDF documents. If a user or automated system were
    tricked into opening a crafted PDF file, an attacker could cause
    poppler to hang, resulting in a denial of service. (CVE-2017-7515)
    
    It was discovered that poppler incorrectly handled JPEG 2000 images.
    If a user or automated system were tricked into opening a crafted PDF
    file, an attacker could cause cause poppler to crash, resulting in a
    denial of service. (CVE-2017-9083)
    
    It was discovered that poppler incorrectly handled memory when
    processing PDF documents. If a user or automated system were tricked
    into opening a crafted PDF file, an attacker could cause poppler to
    consume resources, resulting in a denial of service. (CVE-2017-9406,
    CVE-2017-9408)
    
    Alberto Garcia, Francisco Oca, and Suleman Ali discovered that the
    poppler pdftocairo tool incorrectly parsed certain malformed PDF
    documents. If a user or automated system were tricked into opening a
    crafted PDF file, an attacker could cause poppler to crash, resulting
    in a denial of service. (CVE-2017-9775).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3350-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpoppler-cpp0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpoppler-cpp0v5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpoppler-glib8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpoppler-qt4-4");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpoppler-qt5-1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpoppler44");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpoppler58");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpoppler61");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpoppler64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:poppler-utils");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/10");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04|16\.04|16\.10|17\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 16.10 / 17.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"libpoppler-cpp0", pkgver:"0.24.5-2ubuntu4.5")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"libpoppler-glib8", pkgver:"0.24.5-2ubuntu4.5")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"libpoppler-qt4-4", pkgver:"0.24.5-2ubuntu4.5")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"libpoppler-qt5-1", pkgver:"0.24.5-2ubuntu4.5")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"libpoppler44", pkgver:"0.24.5-2ubuntu4.5")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"poppler-utils", pkgver:"0.24.5-2ubuntu4.5")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"libpoppler-cpp0", pkgver:"0.41.0-0ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"libpoppler-glib8", pkgver:"0.41.0-0ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"libpoppler-qt4-4", pkgver:"0.41.0-0ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"libpoppler-qt5-1", pkgver:"0.41.0-0ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"libpoppler58", pkgver:"0.41.0-0ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"poppler-utils", pkgver:"0.41.0-0ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"libpoppler-cpp0v5", pkgver:"0.44.0-3ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"libpoppler-glib8", pkgver:"0.44.0-3ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"libpoppler-qt4-4", pkgver:"0.44.0-3ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"libpoppler-qt5-1", pkgver:"0.44.0-3ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"libpoppler61", pkgver:"0.44.0-3ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"poppler-utils", pkgver:"0.44.0-3ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"libpoppler-cpp0v5", pkgver:"0.48.0-2ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"libpoppler-glib8", pkgver:"0.48.0-2ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"libpoppler-qt4-4", pkgver:"0.48.0-2ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"libpoppler-qt5-1", pkgver:"0.48.0-2ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"libpoppler64", pkgver:"0.48.0-2ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"poppler-utils", pkgver:"0.48.0-2ubuntu2.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libpoppler-cpp0 / libpoppler-cpp0v5 / libpoppler-glib8 / etc");
    }
    

Seebug

bulletinFamily: exploit
description:

### Summary

An exploitable integer overflow vulnerability exists in the JPEG 2000 image parsing functionality of freedesktop.org Poppler 0.53.0. A specially crafted PDF file can lead to an integer overflow causing out of bounds memory overwrite on the heap resulting in potential arbitrary code execution. To trigger this vulnerability, a victim must open the malicious PDF in an application using this library.

### Tested Versions

Poppler 0.53

### Product URLs

https://poppler.freedesktop.org/

### CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

### CWE

CWE-190: Integer Overflow or Wraparound

### Details

Poppler is a popular open source PDF parser library. It is used by default in many open source PDF viewers. The library itself implements a decoder for JPEG 2000 encoded images instead of relying on a more complete implementation (such as OpenJPEG), although it does warn about this at compile time and strongly suggests that OpenJPEG be used. By default, this internal implementation will be used by applications. That is the case with the libpoppler binary shipped by the latest Ubuntu version, which is used by the default PDF viewer, Evince.

When processing a PDF file with an embedded JPEG 2000 image (specified with a `JPXDecode` stream), the `JPXStream.cc` source file will be used to render the image. Eventually, the method `readTilePart` will be invoked and it will process the image tile parts according to data in the SOT, SIZ and COD elements. When multiple levels are specified inside a COD element, the code will loop that many times starting at line 1961:

```
for (r = 0; r <= tileComp->nDecompLevels; ++r) {
  resLevel = &tileComp->resLevels[r];
  k = r == 0 ? tileComp->nDecompLevels : tileComp->nDecompLevels - r + 1;
  resLevel->x0 = jpxCeilDivPow2(tileComp->x0, k);
  resLevel->y0 = jpxCeilDivPow2(tileComp->y0, k);
  resLevel->x1 = jpxCeilDivPow2(tileComp->x1, k);
  resLevel->y1 = jpxCeilDivPow2(tileComp->y1, k);
  if (r == 0) {
    resLevel->bx0[0] = resLevel->x0;
    resLevel->by0[0] = resLevel->y0;
    resLevel->bx1[0] = resLevel->x1;
    resLevel->by1[0] = resLevel->y1;
  } else {
    resLevel->bx0[0] = jpxCeilDivPow2(tileComp->x0 - (1 << (k-1)), k);
    resLevel->by0[0] = resLevel->y0;
    resLevel->bx1[0] = jpxCeilDivPow2(tileComp->x1 - (1 << (k-1)), k);   [1]
    resLevel->by1[0] = resLevel->y1;
    resLevel->bx0[1] = resLevel->x0;
    resLevel->by0[1] = jpxCeilDivPow2(tileComp->y0 - (1 << (k-1)), k);
    resLevel->bx1[1] = resLevel->x1;
    resLevel->by1[1] = jpxCeilDivPow2(tileComp->y1 - (1 << (k-1)), k);
    resLevel->bx0[2] = jpxCeilDivPow2(tileComp->x0 - (1 << (k-1)), k);
```

In the above excerpt, it can be observed that the zeroth level is processed in one way, while the remaining levels are processed differently, with more arithmetic. The first integer overflow can happen at [1] (and on other lines, but we'll use this one as the example). Specifically, if the value `tileComp->x1` is less than 2 to the power of the current level being processed, `tileComp->x1 - (1 << (k-1))` can result in a large value due to integer overflow. Then, when the `jpxCeilDivPow2` macro is executed, in almost all cases the result will be 0, but a single value of `k` lets the overflow persist after the `jpxCeilDivPow2` call, resulting in a large positive result of the division instead of 0. This later leads to out of bounds heap access.

```
subband->x1 = resLevel->bx1[sb];   [2]
subband->y1 = resLevel->by1[sb];
subband->nXCBs = jpxCeilDivPow2(subband->x1,   [3]
                                tileComp->codeBlockW)
                 - jpxFloorDivPow2(subband->x0, tileComp->codeBlockW);
```

In the above code, when `sb` is equal to 0, the overflown value from the previous calculation ends up in `subband->x1` at [2] and figures into the calculation at [3], effectively setting `subband->nXCBs` to a non-zero value. This further leads to a loop being entered when it shouldn't be, leading to further corruption:

```
for (cbY = 0; cbY < subband->nYCBs; ++cbY) {
  for (cbX = 0; cbX < subband->nXCBs; ++cbX) {   [4]
    cb->x0 = (sbx0 + cbX) << tileComp->codeBlockW;
    cb->x1 = cb->x0 + tileComp->cbW;
    …
    …
    for (cbj = 0; cbj < cb->y1 - cb->y0; ++cbj) {
      for (cbi = 0; cbi < cb->x1 - cb->x0; ++cbi) {
        cb->coeffs[cbj * tileComp->w + cbi] = 0;   [5]
      }
    }
    memset(cb->touched, 0, (1 << (tileComp->codeBlockW + tileComp->codeBlockH)));
    cb->arithDecoder = NULL;
    cb->stats = NULL;
    ++cb;
```

Because `subband->nXCBs` is positive, the loop at [4] will be entered, ultimately leading to an out of bounds write at [5]. Most of the indices and offsets that figure in the above code come directly from the JPEG 2000 file, giving control over the out of bounds write and leaving space for further memory manipulation. This vulnerability can be triggered with the poppler PDF utilities if the library is built to use the internal JPX decoder. As previously mentioned, the official binaries shipped with the latest Ubuntu distribution use this decoder, so the vulnerability can be triggered through the `evince-thumbnailer` application. This means that in order to trigger the vulnerability, it is enough for the victim to view the directory where the malicious file is located.

### Crash Information

```
Valgrind output:
==11527== Invalid write of size 4
==11527==    at 0xFC2DD8C: JPXStream::readTilePart() (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC2F0B6: JPXStream::readCodestream(unsigned int) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC312D4: JPXStream::readBoxes() (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC31715: JPXStream::reset() (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xF59C4A1: CairoOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int*, bool) (in /usr/lib/x86_64-linux-gnu/libpoppler-glib.so.8.7.0)
==11527==    by 0xFC7A389: Gfx::doImage(Object*, Stream*, bool) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC7B6A7: Gfx::opXObject(Object*, int) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC7597D: Gfx::go(bool) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC75E1F: Gfx::display(Object*, bool) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFCBBF44: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xF584791: _poppler_page_render(_PopplerPage*, _cairo*, bool, PopplerPrintFlags) (in /usr/lib/x86_64-linux-gnu/libpoppler-glib.so.8.7.0)
==11527==    by 0xF355400: ??? (in /usr/lib/x86_64-linux-gnu/evince/4/backends/libpdfdocument.so)
==11527==  Address 0x13f6efd4 is 0 bytes after a block of size 4 alloc'd
==11527==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11527==    by 0xFD040CE: gmallocn (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC2D9C9: JPXStream::readTilePart() (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC2F0B6: JPXStream::readCodestream(unsigned int) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC312D4: JPXStream::readBoxes() (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC31715: JPXStream::reset() (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xF59C4A1: CairoOutputDev::drawImage(GfxState*, Object*, Stream*, int, int, GfxImageColorMap*, bool, int*, bool) (in /usr/lib/x86_64-linux-gnu/libpoppler-glib.so.8.7.0)
==11527==    by 0xFC7A389: Gfx::doImage(Object*, Stream*, bool) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC7B6A7: Gfx::opXObject(Object*, int) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC7597D: Gfx::go(bool) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFC75E1F: Gfx::display(Object*, bool) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==    by 0xFCBBF44: Page::displaySlice(OutputDev*, double, double, int, bool, bool, int, int, int, int, bool, bool (*)(void*), void*, bool (*)(Annot*, void*), void*, bool) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.58.0.0)
==11527==
==11527==
==11527== HEAP SUMMARY:
==11527==     in use at exit: 604,867 bytes in 6,752 blocks
==11527==   total heap usage: 206,871 allocs, 200,119 frees, 188,964,491 bytes allocated
==11527==
==11527== LEAK SUMMARY:
==11527==    definitely lost: 0 bytes in 0 blocks
==11527==    indirectly lost: 0 bytes in 0 blocks
==11527==      possibly lost: 2,024 bytes in 25 blocks
==11527==    still reachable: 598,779 bytes in 6,699 blocks
==11527==                       of which reachable via heuristic:
==11527==                         length64           : 3,752 bytes in 29 blocks
==11527==                         newarray           : 1,920 bytes in 40 blocks
==11527==         suppressed: 0 bytes in 0 blocks
==11527== Rerun with --leak-check=full to see details of leaked memory
==11527==
==11527== For counts of detected and suppressed errors, rerun with: -v
==11527== ERROR SUMMARY: 3 errors from 1 contexts (suppressed: 0 from 0)
```

### Mitigation

Mitigation for this vulnerability can involve making sure that the library is compiled to use the OpenJPEG library instead of its internal parser.

### Timeline

* 2017-05-16 - Vendor Disclosure
* 2017-07-07 - Public Release

### CREDIT

* Discovered by Aleksandar Nikolic of Cisco Talos.
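The arithmetic behind [1] and [3] in the Details section, as an added example that is not part of the Talos advisory or of Poppler's own code: it reproduces the unsigned wrap of `tileComp->x1 - (1 << (k-1))` for a tile narrower than 2^(k-1), shows the ceiling-division macro collapsing the wrapped value to 0 for an ordinary level (the "almost all cases" the advisory describes), shows how a large sub-band x1 inflates `nXCBs` when one does survive, and places a guarded version of the bound computation beside the unguarded one. The `Guint` typedef and the bodies of the `jpxCeilDivPow2` and `jpxFloorDivPow2` macros are reproduced from memory of `JPXStream.cc` and are assumptions here, as are all sample values.

```c
#include <stdint.h>
#include <stdio.h>

/* Poppler stores tile and sub-band coordinates as Guint (unsigned int).
 * Both macros are reproduced from memory of JPXStream.cc: assumed, not
 * quoted from the advisory. */
typedef unsigned int Guint;
#define jpxCeilDivPow2(x, y)  (((x) + (1 << (y)) - 1) >> (y))
#define jpxFloorDivPow2(x, y) ((x) >> (y))

/* The intermediate term at [1]: tileComp->x1 - (1 << (k-1)).
 * When x1 < 2^(k-1) the unsigned subtraction wraps to a value near 2^32. */
Guint wrapped_difference(Guint x1, unsigned k) {
    return x1 - (1u << (k - 1));
}

/* bx1[0] as computed at [1]: the wrapped term is fed straight into the
 * ceiling-division macro with no range check on x1. */
Guint subband_x1_unchecked(Guint x1, unsigned k) {
    return jpxCeilDivPow2(x1 - (1u << (k - 1)), k);
}

/* Guarded form. The JPEG 2000 sub-band bound is ceil((x1 - 2^(k-1)) / 2^k);
 * for x1 < 2^(k-1) the numerator lies in (-2^k, 0], so the correct result
 * is 0. Check before subtracting instead of letting the value wrap. */
Guint subband_x1_checked(Guint x1, unsigned k) {
    Guint half = 1u << (k - 1);
    if (x1 < half) return 0;
    return jpxCeilDivPow2(x1 - half, k);
}

/* subband->nXCBs at [3]: code blocks spanned horizontally. A sub-band x1
 * that kept its wrapped magnitude turns this into a huge trip count for
 * the loop at [4], while cb->coeffs was sized for the real tile. */
Guint code_blocks_x(Guint sb_x0, Guint sb_x1, unsigned codeBlockW) {
    return jpxCeilDivPow2(sb_x1, codeBlockW) - jpxFloorDivPow2(sb_x0, codeBlockW);
}

int main(void) {
    Guint x1 = 5;   /* constructed: tile right edge below 2^(k-1) */
    unsigned k = 4; /* constructed: level index, so 2^(k-1) = 8 */
    printf("x1 - 2^(k-1) wraps to 0x%08x\n", wrapped_difference(x1, k));
    printf("unchecked bx1 = %u, checked bx1 = %u\n",
           subband_x1_unchecked(x1, k), subband_x1_checked(x1, k));
    /* constructed: a sub-band x1 that kept its wrapped magnitude */
    printf("nXCBs from a wrapped x1 = %u (a sane tile gives 0 or 1)\n",
           code_blocks_x(0, 0x80000001u, 6));
    return 0;
}
```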
id: SSV:96475
last seen: 2017-11-19
modified: 2017-09-14
published: 2017-09-14
reporter: Root
title: Poppler PDF library JPEG 2000 levels Code Execution Vulnerability (CVE-2017-2820)

Talos

id: TALOS-2017-0321
last seen: 2019-05-29
published: 2017-07-07
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0321
title: Poppler PDF library JPEG 2000 levels Code Execution Vulnerability