Bug#924351: CVE-2018-16647 CVE-2018-16648
On Fri, Mar 15, 2019 at 04:08:15PM +0100, Salvatore Bonaccorso wrote:
> Hi
>
> So the patches are correct, and verified with a build done with
> DEB_BUILD_OPTIONS=noopt. But in the regular build the two issues still
> can be triggered (so -O2 optimises a check away).
>
> Ideas?

Let's report it upstream.

Cheers,
Moritz
Bug#924351: CVE-2018-16647 CVE-2018-16648
Hi

So the patches are correct, and verified with a build done with
DEB_BUILD_OPTIONS=noopt. But in the regular build the two issues still
can be triggered (so -O2 optimises a check away).

Ideas?

Regards,
Salvatore
Bug#924351: CVE-2018-16647 CVE-2018-16648
A build with ASAN with the unstable version shows:

ASAN_OPTIONS="detect_leaks=0" ./build/debian/mutool convert -o /tmp/out.pdf ~/699685
error: expected 'obj' keyword (0 65535 ?)
warning: trying to repair broken xref
warning: repairing PDF document
warning: ignoring object with invalid object number (0 0 R)
warning: ... repeated 2 times ...
warning: expected 'endobj' or 'stream' keyword (32 0 R)
Corrupt JPEG data: premature end of data segment
Corrupt JPEG data: premature end of data segment
=================================================================
==10393==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500ce4 at pc 0x564ea54db2f0 bp 0x7ffcba056c20 sp 0x7ffcba056c18
READ of size 4 at 0x61500ce4 thread T0
    #0 0x564ea54db2ef in pdf_dev_alpha source/pdf/pdf-device.c:288
    #1 0x564ea54df408 in pdf_dev_stroke_path source/pdf/pdf-device.c:656
    #2 0x564ea5337de2 in fz_stroke_path source/fitz/device.c:133
    #3 0x564ea563b356 in pdf_show_path source/pdf/pdf-op-run.c:707
    #4 0x564ea5645b80 in pdf_run_S source/pdf/pdf-op-run.c:1775
    #5 0x564ea5613e0c in pdf_process_keyword source/pdf/pdf-interpret.c:622
    #6 0x564ea5617e5e in pdf_process_stream source/pdf/pdf-interpret.c:937
    #7 0x564ea5618833 in pdf_process_contents source/pdf/pdf-interpret.c:1031
    #8 0x564ea5525f58 in pdf_run_page_contents_with_usage source/pdf/pdf-run.c:100
    #9 0x564ea5526462 in pdf_run_page_contents source/pdf/pdf-run.c:129
    #10 0x564ea533ce9c in fz_run_page_contents source/fitz/document.c:393
    #11 0x564ea533d16d in fz_run_page source/fitz/document.c:425
    #12 0x564ea52c5233 in runpage source/tools/muconvert.c:80
    #13 0x564ea52c5693 in runrange source/tools/muconvert.c:103
    #14 0x564ea52c6110 in muconvert_main source/tools/muconvert.c:185
    #15 0x564ea52c4946 in main source/tools/mutool.c:132
    #16 0x7fa6a3f2b09a in __libc_start_main ../csu/libc-start.c:308
    #17 0x564ea52c4169 in _start (/build/mupdf-1.14.0+ds1/build/debian/mutool+0xfd169)

0x61500ce4 is located 28 bytes to the left of 512-byte region [0x61500d00,0x61500f00)
allocated by thread T0 here:
    #0 0x7fa6a4cf3740 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9740)
    #1 0x564ea540a500 in fz_realloc_default source/fitz/memory.c:227
    #2 0x564ea5409b50 in do_scavenging_realloc source/fitz/memory.c:43
    #3 0x564ea540a127 in fz_resize_array source/fitz/memory.c:172
    #4 0x564ea54dc51d in pdf_dev_push_new_buf source/pdf/pdf-device.c:396
    #5 0x564ea54dc9db in pdf_dev_push source/pdf/pdf-device.c:414
    #6 0x564ea54df51a in pdf_dev_clip_path source/pdf/pdf-device.c:671
    #7 0x564ea5338152 in fz_clip_path source/fitz/device.c:154
    #8 0x564ea563c419 in pdf_show_path source/pdf/pdf-op-run.c:786
    #9 0x564ea564316a in pdf_run_xobject source/pdf/pdf-op-run.c:1425
    #10 0x564ea5648c17 in pdf_run_Do_form source/pdf/pdf-op-run.c:2141
    #11 0x564ea5610b8c in pdf_process_Do source/pdf/pdf-interpret.c:332
    #12 0x564ea56165c4 in pdf_process_keyword source/pdf/pdf-interpret.c:762
    #13 0x564ea5617e5e in pdf_process_stream source/pdf/pdf-interpret.c:937
    #14 0x564ea5618833 in pdf_process_contents source/pdf/pdf-interpret.c:1031
    #15 0x564ea5525f58 in pdf_run_page_contents_with_usage source/pdf/pdf-run.c:100
    #16 0x564ea5526462 in pdf_run_page_contents source/pdf/pdf-run.c:129
    #17 0x564ea533ce9c in fz_run_page_contents source/fitz/document.c:393
    #18 0x564ea533d16d in fz_run_page source/fitz/document.c:425
    #19 0x564ea52c5233 in runpage source/tools/muconvert.c:80
    #20 0x564ea52c5693 in runrange source/tools/muconvert.c:103
    #21 0x564ea52c6110 in muconvert_main source/tools/muconvert.c:185
    #22 0x564ea52c4946 in main source/tools/mutool.c:132
    #23 0x7fa6a3f2b09a in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow source/pdf/pdf-device.c:288 in pdf_dev_alpha
Bug#924351: CVE-2018-16647 CVE-2018-16648
Package: mupdf
Version: 1.14.0+ds1-3
Severity: grave
Tags: security

CVE-2018-16648:
https://bugs.ghostscript.com/show_bug.cgi?id=699685
http://www.ghostscript.com/cgi-bin/findgit.cgi?38f883fe129a5e89306252a4676eaaf4bc968824

CVE-2018-16647:
https://bugs.ghostscript.com/show_bug.cgi?id=699686
http://www.ghostscript.com/cgi-bin/findgit.cgi?351c99d8ce23bbf7099dbd52771a095f67e45a2c

Cheers,
Moritz