Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-31566: Heap-use-after-free in podofo 0.10.0(main/PdfEncrypt.h:352:47 in PoDoFo::PdfEncrypt::IsMetadataEncrypted()) · Issue #70 · podofo/podofo

Podofo v0.10.0 was discovered to contain a heap-use-after-free via the component PoDoFo::PdfEncrypt::IsMetadataEncrypted().

CVE
Open in Source
#ubuntu#linux#c++#pdf

We found a heap-use-after-free in podofo 0.10.0(main/PdfEncrypt.h:352:47 in PoDoFo::PdfEncrypt::IsMetadataEncrypted()).

Command Input

podofoencrypt -rc4v2 -u 1232321 -o 24 poc_file /dev/null

poc_file are attached.

Sanitizer Dump

==3903368==ERROR: AddressSanitizer: heap-use-after-free on address 0x613000000300 at pc 0x00000071995b bp 0x7ffffefd2300 sp 0x7ffffefd22f8
READ of size 1 at 0x613000000300 thread T0
    #0 0x71995a in PoDoFo::PdfEncrypt::IsMetadataEncrypted() const /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.h:352:47
    #1 0x717ec2 in PoDoFo::PdfParserObject::parseStream() /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParserObject.cpp:219:45
    #2 0x716a06 in PoDoFo::PdfParserObject::DelayedLoadStreamImpl() /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParserObject.cpp:90:13
    #3 0x69c223 in PoDoFo::PdfObject::delayedLoadStream() const /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfObject.cpp:359:35
    #4 0x699211 in PoDoFo::PdfObject::DelayedLoadStream() const /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfObject.cpp:351:5
    #5 0x69a130 in PoDoFo::PdfObject::Write(PoDoFo::OutputStream&, PoDoFo::PdfWriteFlags, PoDoFo::PdfEncrypt const*, PoDoFo::charbuff_t<void>&) const /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfObject.cpp:212:5
    #6 0x756b85 in PoDoFo::PdfWriter::WritePdfObjects(PoDoFo::OutputStreamDevice&, PoDoFo::PdfIndirectObjectList const&, PoDoFo::PdfXRef&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfWriter.cpp:175:18
    #7 0x753a27 in PoDoFo::PdfWriter::Write(PoDoFo::OutputStreamDevice&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfWriter.cpp:97:9
    #8 0x67467b in PoDoFo::PdfMemDocument::Save(PoDoFo::OutputStreamDevice&, PoDoFo::PdfSaveOptions) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:249:16
    #9 0x67426f in PoDoFo::PdfMemDocument::Save(std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfSaveOptions) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:233:11
    #10 0x4dfe62 in encrypt(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfPermissions) /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:49:9
    #11 0x4e1112 in main /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:200:9
    #12 0x7f70c1549082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #13 0x430f6d in _start (/root/target/Invariants/podofo-0.10.0/build_clang/target/podofoencrypt+0x430f6d)

0x613000000300 is located 256 bytes inside of 352-byte region [0x613000000200,0x613000000360)
freed by thread T0 here:
    #0 0x4ddb3d in operator delete(void*) /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_new_delete.cpp:160:3
    #1 0x5c0821 in PoDoFo::PdfEncryptAESV3::~PdfEncryptAESV3() /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.h:623:7
    #2 0x4e1cd6 in std::default_delete<PoDoFo::PdfEncrypt>::operator()(PoDoFo::PdfEncrypt*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2
    #3 0x6778a7 in std::unique_ptr<PoDoFo::PdfEncrypt, std::default_delete<PoDoFo::PdfEncrypt> >::reset(PoDoFo::PdfEncrypt*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:402:4
    #4 0x6768ec in std::unique_ptr<PoDoFo::PdfEncrypt, std::default_delete<PoDoFo::PdfEncrypt> >::operator=(std::unique_ptr<PoDoFo::PdfEncrypt, std::default_delete<PoDoFo::PdfEncrypt> >&&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:307:2
    #5 0x675e46 in PoDoFo::PdfMemDocument::SetEncrypted(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfPermissions, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfKeyLength) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:321:15
    #6 0x4dfe4b in encrypt(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfPermissions) /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:48:9
    #7 0x4e1112 in main /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:200:9
    #8 0x7f70c1549082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x4dd2dd in operator new(unsigned long) /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
    #1 0x5a387f in PoDoFo::PdfEncrypt::CreateFromObject(PoDoFo::PdfObject const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:586:43
    #2 0x6f2e88 in PoDoFo::PdfParser::ReadObjects(PoDoFo::InputStreamDevice&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:631:29
    #3 0x6f09f3 in PoDoFo::PdfParser::Parse(PoDoFo::InputStreamDevice&, bool) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:83:9
    #4 0x67071e in PoDoFo::PdfMemDocument::loadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:148:12
    #5 0x671fcd in PoDoFo::PdfMemDocument::LoadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:137:5
    #6 0x671bdb in PoDoFo::PdfMemDocument::Load(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:119:5
    #7 0x4dfd57 in encrypt(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfPermissions) /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:19:9
    #8 0x4e1112 in main /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:200:9
    #9 0x7f70c1549082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.h:352:47 in PoDoFo::PdfEncrypt::IsMetadataEncrypted() const
Shadow bytes around the buggy address:
  0x0c267fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff8030: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c267fff8060:[fd]fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c267fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3903368==ABORTING

Environment

  • OS: Ubuntu 20.04.1
  • clang:12.0.0
  • podofo:0.10.0

we built podofo with AddressSanitizer (ASAN) .

cmake -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_COMPILER=clang -DCMAKE_C_FLAGS="-O0 -fsanitize=address" -DCMAKE_CXX_FLAGS="-O0 -fsanitize=address"

poc_file.zip

Related news

Gentoo Linux Security Advisory 202405-33

Gentoo Linux Security Advisory 202405-33 - Multiple vulnerabilities have been discovered in PoDoFo, the worst of which could lead to code execution. Versions greater than or equal to 0.10.1 are affected.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE