Hello zyx, hello all,
> zyx <z...@gmx.us> has written on 4 February 2018 at 16:10:
> 
> 
> On Fri, 2018-01-26 at 07:34 +0100, zyx wrote:
> > I see. It looks like I did something wrong when testing the change.
> > When trying once again now I can confirm what you see, the change
> > does
> > fix the CVE. I do not know what I did wrong the last time, I'm sorry
> > about that.
> > 
> > I committed the patch as revision 1872:
> > http://sourceforge.net/p/podofo/code/1872
> 
>       Hi,
> I reverted the main part of the above change, because it causes
> use-after-free in test/unit/podofo-test, more details below. I left

In the Debian Bug Tracking System [1] Matthias Brinke contributed a patch
which is a correction for the older one, to fix this bug. Of that patch
the first hunk is of interest here, the others are either already in,
tiny mostly-docs changes or would require discussion.

I've contacted him to get the test log, checked it (fine), whereas my
reproduction attempt with the old patch only gave "uncaught exception of
unknown type" in the test output for PagesTreeTest::testDeleteAllCustom.
Of course, that's still bad, and I would've written the fix the same.
Disclosure: The patch is from a friend, who I trust. Feel free to revert
if you would've rejected it (the CONTRIBUTIONS.txt in the svn trunk says
you should "announce or discuss" changes, this is my announcement for the
commit of the correction patch).

> most of the (more or less unrelated) changes of the above change also
> due to conflicting changes in the sources which happened meanwhile.

Rather "less", they were needed to make the diagnostic output work
(would otherwise have a use-after-free there also, breaking output for me).

> 
> That means that CVE-2017-8054 is not fixed since revision 1881:
> http://sourceforge.net/p/podofo/code/1881

If nobody beats me for the time to the commit, it will be fixed
again from svn r1882 on: http://sourceforge.net/p/podofo/code/1882

> 
>       Bye,
>       zyx

[typo in quoted text fixed]
> 
> P.S.: the reported use-after-free was due to rVar holding the array it
> had been freeing inside the operator=(). Info from Address Sanitizer:

Best regards, mabri

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860995#34

> 
> ==9812==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x606000e23ca0 at pc 0x7f53c345914a bp 0x7ffeb1f284c0 sp 0x7ffeb1f284b0
> READ of size 8 at 0x606000e23ca0 thread T0
>     #0 0x7f53c3459149 in PoDoFo::PdfVariant::operator=(PoDoFo::PdfVariant
> const&) ..../src/base/PdfVariant.cpp:346
>     #1 0x7f53c37d8c91 in PoDoFo::PdfPagesTree::GetPageNodeFromArray(int,
> PoDoFo::PdfArray const&, std::deque<PoDoFo::PdfObject*,
> std::allocator<PoDoFo::PdfObject*> >&) ..../src/doc/PdfPagesTree.cpp:491
> 
... snip ...
> 
> SUMMARY: AddressSanitizer: heap-use-after-free
> ..../src/base/PdfVariant.cpp:346 in 
> PoDoFo::PdfVariant::operator=(PoDoFo::PdfVariant const&)
> 

P.S. Only the mentioned line 491 needed an insertion compared to what was
reverted, as you'll see from the commit.
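As an added illustration (not PoDoFo's code and not part of any commit mentioned above), a hypothetical Variant type showing the pattern the P.S. describes: a copy assignment that frees its own array before reading from rVar, beside the copy-first form that stays correct when rVar lives inside that array.

```cpp
#include <cstddef>
#include <utility>
#include <vector>
// Hypothetical value type for illustration (not PoDoFo's PdfVariant): a node
// holds either an integer or an owned heap array of child nodes.
class Variant {
public:
    explicit Variant(int value = 0) : m_value(value) {}
    explicit Variant(std::vector<Variant> children)
        : m_children(new std::vector<Variant>(std::move(children))) {}
    Variant(const Variant& other)
        : m_value(other.m_value),
          m_children(other.m_children ? new std::vector<Variant>(*other.m_children) : nullptr) {}
    ~Variant() { delete m_children; }
    // Unsafe pattern (what the P.S. describes): free our storage, then read rVar.
    // If rVar is an element of the array just deleted, the reads are a heap-use-after-free.
    Variant& AssignUnsafe(const Variant& rVar) {
        delete m_children;
        m_children = nullptr;
        m_value = rVar.m_value;                       // rVar may be dangling here
        if (rVar.m_children) m_children = new std::vector<Variant>(*rVar.m_children);
        return *this;
    }
    // Hardened copy assignment: deep-copy rVar *before* releasing anything, so a
    // source owned by our own array is read while it is still alive.
    Variant& operator=(const Variant& rVar) {
        if (this == &rVar) return *this;
        Variant tmp(rVar);                            // copy while rVar is valid
        std::swap(m_value, tmp.m_value);
        std::swap(m_children, tmp.m_children);        // tmp's destructor frees the old array
        return *this;
    }
    const Variant& ChildAt(std::size_t i) const { return (*m_children)[i]; }
    std::size_t ChildCount() const { return m_children ? m_children->size() : 0; }
    int Value() const { return m_value; }
private:
    int m_value = 0;
    std::vector<Variant>* m_children = nullptr;
};

// Aliasing case: replace a one-element array node by its only child, i.e.
// node = node.ChildAt(0), where the right-hand side lives inside node's own array.
int CollapseSingleton(Variant& node) {
    if (node.ChildCount() == 1) node = node.ChildAt(0);
    return node.Value();
}
```

Running the same collapse through AssignUnsafe under AddressSanitizer reports a heap-use-after-free in the assignment, which is the failure mode the sanitizer output above shows for the reverted change.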

_______________________________________________
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users