Podofo v0.10.0 was discovered to contain a heap buffer overflow via the component PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3.

We found multiple heap-buffer-overflow in podofo 0.10.0(main/PdfEncrypt.cpp in PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3).

**Command Input**

podofoencrypt -rc4v2 -u 1232321 -o 24 poc_file /dev/null

All poc\_file are attached.

**Sanitizer Dump**

    ==3904316==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000e0b at pc 0x0000004ab577 bp 0x7ffe4a6cc310 sp 0x7ffe4a6cbad8
    READ of size 32 at 0x603000000e0b thread T0
        #0 0x4ab576 in __asan_memcpy /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
        #1 0x5bcdd7 in PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3(PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfPermissions, PoDoFo::PdfString, PoDoFo::PdfAESV3Revision) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:1908:5
        #2 0x5a39a5 in PoDoFo::PdfEncrypt::CreateFromObject(PoDoFo::PdfObject const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:586:47
        #3 0x6f2e88 in PoDoFo::PdfParser::ReadObjects(PoDoFo::InputStreamDevice&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:631:29
        #4 0x6f09f3 in PoDoFo::PdfParser::Parse(PoDoFo::InputStreamDevice&, bool) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:83:9
        #5 0x67071e in PoDoFo::PdfMemDocument::loadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:148:12
        #6 0x671fcd in PoDoFo::PdfMemDocument::LoadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:137:5
        #7 0x671bdb in PoDoFo::PdfMemDocument::Load(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:119:5
        #8 0x4dfd57 in encrypt(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfPermissions) /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:19:9
        #9 0x4e1112 in main /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:200:9
        #10 0x7fc7de7ed082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #11 0x430f6d in _start (/root/target/Invariants/podofo-0.10.0/build_clang/target/podofoencrypt+0x430f6d)
    
    0x603000000e0b is located 0 bytes to the right of 27-byte region [0x603000000df0,0x603000000e0b)
    allocated by thread T0 here:
        #0 0x4dd2dd in operator new(unsigned long) /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
        #1 0x7fc7dec9d87f in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::reserve(unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x14387f)
        #2 0x7d5c2a in PoDoFo::StandardStreamDevice::readChar(char&) /root/target/Invariants/podofo-0.10.0/src/podofo/auxiliary/StreamDevice.cpp:290:12
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
    Shadow bytes around the buggy address:
      0x0c067fff8170: fd fd fd fa fa fa 00 00 00 fa fa fa 00 00 00 fa
      0x0c067fff8180: fa fa 00 00 00 fa fa fa fd fd fd fa fa fa 00 00
      0x0c067fff8190: 00 fa fa fa fd fd fd fa fa fa fd fd fd fd fa fa
      0x0c067fff81a0: 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 00 fa
      0x0c067fff81b0: fa fa fd fd fd fa fa fa fd fd fd fd fa fa 00 00
    =>0x0c067fff81c0: 00[03]fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa
      0x0c067fff81d0: 00 00 00 fa fa fa fd fd fd fa fa fa 00 00 00 fa
      0x0c067fff81e0: fa fa fd fd fd fa fa fa fd fd fd fd fa fa 00 00
      0x0c067fff81f0: 01 fa fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa
      0x0c067fff8200: 00 00 00 fa fa fa fd fd fd fa fa fa 00 00 00 fa
      0x0c067fff8210: fa fa fd fd fd fa fa fa 00 00 00 fa fa fa 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3904316==ABORTING
    

**Environment**

*   OS: Ubuntu 20.04.1
*   clang:12.0.0
*   podofo:0.10.0

we built podofo with AddressSanitizer (ASAN) .

cmake -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_COMPILER=clang -DCMAKE_C_FLAGS="-O0 -fsanitize=address" -DCMAKE_CXX_FLAGS="-O0 -fsanitize=address"

poc\_files.zip

CVE-2023-31567: Heap-buffer-overflow in podofo 0.10.0(main/PdfEncrypt.cpp in PoDoFo::PdfEncryptAESV3::PdfEncryptAESV3) · Issue #71 · podofo/podofo

Podofo v0.10.0 was discovered to contain a heap-use-after-free via the component PoDoFo::PdfEncrypt::IsMetadataEncrypted().

We found a heap-use-after-free in podofo 0.10.0(main/PdfEncrypt.h:352:47 in PoDoFo::PdfEncrypt::IsMetadataEncrypted()).

**Command Input**

podofoencrypt -rc4v2 -u 1232321 -o 24 poc_file /dev/null

poc\_file are attached.

**Sanitizer Dump**

    ==3903368==ERROR: AddressSanitizer: heap-use-after-free on address 0x613000000300 at pc 0x00000071995b bp 0x7ffffefd2300 sp 0x7ffffefd22f8
    READ of size 1 at 0x613000000300 thread T0
        #0 0x71995a in PoDoFo::PdfEncrypt::IsMetadataEncrypted() const /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.h:352:47
        #1 0x717ec2 in PoDoFo::PdfParserObject::parseStream() /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParserObject.cpp:219:45
        #2 0x716a06 in PoDoFo::PdfParserObject::DelayedLoadStreamImpl() /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParserObject.cpp:90:13
        #3 0x69c223 in PoDoFo::PdfObject::delayedLoadStream() const /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfObject.cpp:359:35
        #4 0x699211 in PoDoFo::PdfObject::DelayedLoadStream() const /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfObject.cpp:351:5
        #5 0x69a130 in PoDoFo::PdfObject::Write(PoDoFo::OutputStream&, PoDoFo::PdfWriteFlags, PoDoFo::PdfEncrypt const*, PoDoFo::charbuff_t<void>&) const /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfObject.cpp:212:5
        #6 0x756b85 in PoDoFo::PdfWriter::WritePdfObjects(PoDoFo::OutputStreamDevice&, PoDoFo::PdfIndirectObjectList const&, PoDoFo::PdfXRef&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfWriter.cpp:175:18
        #7 0x753a27 in PoDoFo::PdfWriter::Write(PoDoFo::OutputStreamDevice&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfWriter.cpp:97:9
        #8 0x67467b in PoDoFo::PdfMemDocument::Save(PoDoFo::OutputStreamDevice&, PoDoFo::PdfSaveOptions) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:249:16
        #9 0x67426f in PoDoFo::PdfMemDocument::Save(std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfSaveOptions) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:233:11
        #10 0x4dfe62 in encrypt(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfPermissions) /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:49:9
        #11 0x4e1112 in main /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:200:9
        #12 0x7f70c1549082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #13 0x430f6d in _start (/root/target/Invariants/podofo-0.10.0/build_clang/target/podofoencrypt+0x430f6d)
    
    0x613000000300 is located 256 bytes inside of 352-byte region [0x613000000200,0x613000000360)
    freed by thread T0 here:
        #0 0x4ddb3d in operator delete(void*) /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_new_delete.cpp:160:3
        #1 0x5c0821 in PoDoFo::PdfEncryptAESV3::~PdfEncryptAESV3() /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.h:623:7
        #2 0x4e1cd6 in std::default_delete<PoDoFo::PdfEncrypt>::operator()(PoDoFo::PdfEncrypt*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2
        #3 0x6778a7 in std::unique_ptr<PoDoFo::PdfEncrypt, std::default_delete<PoDoFo::PdfEncrypt> >::reset(PoDoFo::PdfEncrypt*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:402:4
        #4 0x6768ec in std::unique_ptr<PoDoFo::PdfEncrypt, std::default_delete<PoDoFo::PdfEncrypt> >::operator=(std::unique_ptr<PoDoFo::PdfEncrypt, std::default_delete<PoDoFo::PdfEncrypt> >&&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:307:2
        #5 0x675e46 in PoDoFo::PdfMemDocument::SetEncrypted(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfPermissions, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfKeyLength) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:321:15
        #6 0x4dfe4b in encrypt(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfPermissions) /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:48:9
        #7 0x4e1112 in main /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:200:9
        #8 0x7f70c1549082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    previously allocated by thread T0 here:
        #0 0x4dd2dd in operator new(unsigned long) /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
        #1 0x5a387f in PoDoFo::PdfEncrypt::CreateFromObject(PoDoFo::PdfObject const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:586:43
        #2 0x6f2e88 in PoDoFo::PdfParser::ReadObjects(PoDoFo::InputStreamDevice&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:631:29
        #3 0x6f09f3 in PoDoFo::PdfParser::Parse(PoDoFo::InputStreamDevice&, bool) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:83:9
        #4 0x67071e in PoDoFo::PdfMemDocument::loadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:148:12
        #5 0x671fcd in PoDoFo::PdfMemDocument::LoadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:137:5
        #6 0x671bdb in PoDoFo::PdfMemDocument::Load(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:119:5
        #7 0x4dfd57 in encrypt(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&, PoDoFo::PdfEncryptAlgorithm, PoDoFo::PdfPermissions) /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:19:9
        #8 0x4e1112 in main /root/target/Invariants/podofo-0.10.0/tools/podofoencrypt/podofoencrypt.cpp:200:9
        #9 0x7f70c1549082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-use-after-free /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.h:352:47 in PoDoFo::PdfEncrypt::IsMetadataEncrypted() const
    Shadow bytes around the buggy address:
      0x0c267fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c267fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c267fff8030: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c267fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c267fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    =>0x0c267fff8060:[fd]fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
      0x0c267fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c267fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c267fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c267fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c267fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3903368==ABORTING
    

**Environment**

*   OS: Ubuntu 20.04.1
*   clang:12.0.0
*   podofo:0.10.0

we built podofo with AddressSanitizer (ASAN) .

cmake -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_COMPILER=clang -DCMAKE_C_FLAGS="-O0 -fsanitize=address" -DCMAKE_CXX_FLAGS="-O0 -fsanitize=address"

poc\_file.zip

CVE-2023-31566: Heap-use-after-free in podofo 0.10.0(main/PdfEncrypt.h:352:47 in PoDoFo::PdfEncrypt::IsMetadataEncrypted()) · Issue #70 · podofo/podofo

xpdf pdfimages v4.04 was discovered to contain a stack overflow in the component Catalog::readEmbeddedFileTree(Object*). This vulnerability allows attackers to cause a Denial of Service (DoS).

CVE-2023-31557: A stack-overflow in xpdf4.04 - forum.xpdfreader.com

Podofo v0.10.0 was discovered to contain a heap buffer overflow via the component PoDoFo::PdfEncryptRC4::PdfEncryptRC4.

We found a heap-buffer-overflow in podofo 0.10.0(main/PdfEncrypt.cpp:1132:5 in PoDoFo::PdfEncryptRC4::PdfEncryptRC4).

**Command Input**

podofopdfinfo poc_file 

poc\_file is attached.

**Sanitizer Dump**

    ==3975233==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000122f at pc 0x0000004ab677 bp 0x7ffc5060df20 sp 0x7ffc5060d6e8
    READ of size 32 at 0x60300000122f thread T0
        #0 0x4ab676 in __asan_memcpy /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
        #1 0x64570f in PoDoFo::PdfEncryptRC4::PdfEncryptRC4(PoDoFo::PdfString, PoDoFo::PdfString, PoDoFo::PdfPermissions, int, PoDoFo::PdfEncryptAlgorithm, int, bool) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:1132:5
        #2 0x638356 in PoDoFo::PdfEncrypt::CreateFromObject(PoDoFo::PdfObject const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfEncrypt.cpp:556:43
        #3 0x79b3a8 in PoDoFo::PdfParser::ReadObjects(PoDoFo::InputStreamDevice&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:631:29
        #4 0x798f13 in PoDoFo::PdfParser::Parse(PoDoFo::InputStreamDevice&, bool) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfParser.cpp:83:9
        #5 0x71c42e in PoDoFo::PdfMemDocument::loadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:148:12
        #6 0x71dcdd in PoDoFo::PdfMemDocument::LoadFromDevice(std::shared_ptr<PoDoFo::InputStreamDevice> const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:137:5
        #7 0x71d8eb in PoDoFo::PdfMemDocument::Load(std::basic_string_view<char, std::char_traits<char> > const&, std::basic_string_view<char, std::char_traits<char> > const&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfMemDocument.cpp:119:5
        #8 0x4e1be9 in PdfInfoHelper::PdfInfoHelper(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /root/target/Invariants/podofo-0.10.0/tools/podofopdfinfo/pdfinfo.cpp:16:12
        #9 0x4e06b7 in main /root/target/Invariants/podofo-0.10.0/tools/podofopdfinfo/podofopdfinfo.cpp:94:23
        #10 0x7f5ed7b54082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #11 0x43106d in _start (/root/target/Invariants/podofo-0.10.0/build_clang/target/podofopdfinfo+0x43106d)
    
    0x60300000122f is located 0 bytes to the right of 31-byte region [0x603000001210,0x60300000122f)
    allocated by thread T0 here:
        #0 0x4dd3dd in operator new(unsigned long) /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
        #1 0x7f5ed800487f in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::reserve(unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x14387f)
        #2 0x87564a in PoDoFo::StandardStreamDevice::readChar(char&) /root/target/Invariants/podofo-0.10.0/src/podofo/auxiliary/StreamDevice.cpp:290:12
        #3 0x868d29 in PoDoFo::InputStream::Read(char&) /root/target/Invariants/podofo-0.10.0/src/podofo/auxiliary/InputStream.cpp:53:12
        #4 0x7e319a in readHexString(PoDoFo::InputStreamDevice&, PoDoFo::charbuff_t<void>&) /root/target/Invariants/podofo-0.10.0/src/podofo/main/PdfTokenizer.cpp:801:16
    LLVMSymbolizer: error reading file: No such file or directory
        #5 0x7ffc50612342  ([stack]+0x20342)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/test/fuzzing_python/llvm-project-llvmorg-12.0.0/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
    Shadow bytes around the buggy address:
      0x0c067fff81f0: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
      0x0c067fff8200: fd fd fd fa fa fa 00 00 00 fa fa fa fd fd fd fa
      0x0c067fff8210: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
      0x0c067fff8220: 00 fa fa fa fd fd fd fa fa fa 00 00 00 fa fa fa
      0x0c067fff8230: 00 00 00 fa fa fa 00 00 00 fa fa fa fd fd fd fa
    =>0x0c067fff8240: fa fa 00 00 00[07]fa fa 00 00 00 fa fa fa 00 00
      0x0c067fff8250: 00 00 fa fa fd fd fd fa fa fa fd fd fd fa fa fa
      0x0c067fff8260: 00 00 00 fa fa fa fd fd fd fd fa fa 00 00 00 00
      0x0c067fff8270: fa fa 00 00 00 fa fa fa fd fd fd fa fa fa 00 00
      0x0c067fff8280: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
      0x0c067fff8290: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3975233==ABORTING
    

**Environment**

*   OS: Ubuntu 20.04.1
*   clang:12.0.0
*   podofo:0.10.0

we built podofo with AddressSanitizer (ASAN) .

cmake -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_COMPILER=clang -DCMAKE_C_FLAGS="-O0 -fsanitize=address" -DCMAKE_CXX_FLAGS="-O0 -fsanitize=address"

poc\_file.zip

CVE-2023-31568: Heap-buffer-overflow in podofo 0.10.0(main/PdfEncrypt.cpp:1132:5 in PoDoFo::PdfEncryptRC4::PdfEncryptRC4) · Issue #72 · podofo/podofo

podofoinfo 0.10.0 was discovered to contain a segmentation violation via the function PoDoFo::PdfDictionary::findKeyParent.

CVE-2023-31556: [podofo-0.10.0]Stack-Overflow · Issue #66 · podofo/podofo

xpdf pdfimages v4.04 was discovered to contain a stack overflow in the component Catalog::readPageLabelTree2(Object*). This vulnerability allows attackers to cause a Denial of Service (DoS).

CVE-2023-31554: A stack-overflow in pdfimages xpdf4.04

podofoinfo 0.10.0 was discovered to contain a segmentation violation via the function PoDoFo::PdfObject::DelayedLoad.

When using podofopdfinfo to parse a PDF file, a SIGSEGV error occurs. By debugging with gdb, it was found that the error occurred at line 163 in podofo-0.10.0/src/podofo/main/PdfObject.cpp:

if (m\_IsDelayedLoadDone)

When checking the value of m\_IsDelayedLoadDone with "p" command, it was found that the value was 0x31. As a boolean value, it should only be assigned either 0 or 1, but not any other numbers. Previously, PoDoFo::PdfObject::DelayedLoad was also called and executed normally, but calling this function in the getString() function would result in a failure. The specific gdb bt stack trace is as follows.

**Command Input**

podofopdfinfo poc\_file

poc\_file are attached.

**Environment**

*   OS: Ubuntu 20.04.1
*   clang:12.0.0
*   podofo:0.10.0

poc\_file.zip

CVE-2023-31555: [podofo-0.10.0]a SIGSEGV error occurs · Issue #67 · podofo/podofo

Ubuntu Security Notice 6064-1 - It was discovered that SQL parse incorrectly handled certain regular expression. An attacker could possibly use this issue to cause a denial of service.

=========================================================================  
Ubuntu Security Notice USN-6064-1  
May 10, 2023

sqlparse vulnerability  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

SQL parse could be made to denial of service if it received  
a specially crafted regular expression.

Software Description:  
- sqlparse: documentation for non-validating SQL parser in Python

Details:

It was discovered that SQL parse incorrectly handled certain regular expression.  
An attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
  python3-sqlparse                0.4.2-1ubuntu0.23.04.1

Ubuntu 22.10:  
  python3-sqlparse                0.4.2-1ubuntu0.22.10.1

Ubuntu 22.04 LTS:  
  python3-sqlparse                0.4.2-1ubuntu0.22.04.1

Ubuntu 20.04 LTS:  
  python3-sqlparse                0.2.4-3ubuntu0.1

Ubuntu 18.04 LTS:  
  python-sqlparse                 0.2.4-0.1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6064-1  
  CVE-2023-30608

Package Information:  
  https://launchpad.net/ubuntu/+source/sqlparse/0.4.2-1ubuntu0.23.04.1  
  https://launchpad.net/ubuntu/+source/sqlparse/0.4.2-1ubuntu0.22.10.1  
  https://launchpad.net/ubuntu/+source/sqlparse/0.4.2-1ubuntu0.22.04.1  
  https://launchpad.net/ubuntu/+source/sqlparse/0.2.4-3ubuntu0.1  
  https://launchpad.net/ubuntu/+source/sqlparse/0.2.4-0.1ubuntu0.1

Ubuntu Security Notice USN-6064-1

Ubuntu Security Notice 6068-1 - David Marchand discovered that Open vSwitch incorrectly handled IP packets with the protocol set to 0. A remote attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6068-1  
May 10, 2023

openvswitch vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Open vSwitch could be made to stop forwarding packets if it received  
specially crafted network traffic.

Software Description:  
- openvswitch: Ethernet virtual switch

Details:

David Marchand discovered that Open vSwitch incorrectly handled IP packets  
with the protocol set to 0. A remote attacker could possibly use this issue  
to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   openvswitch-common              3.0.3-0ubuntu0.22.10.3  
   python3-openvswitch             3.0.3-0ubuntu0.22.10.3

Ubuntu 22.04 LTS:  
   openvswitch-common              2.17.5-0ubuntu0.22.04.2  
   python3-openvswitch             2.17.5-0ubuntu0.22.04.2

Ubuntu 20.04 LTS:  
   openvswitch-common              2.13.8-0ubuntu1.2  
   python3-openvswitch             2.13.8-0ubuntu1.2

Ubuntu 18.04 LTS:  
   openvswitch-common              2.9.8-0ubuntu0.18.04.5  
   python-openvswitch              2.9.8-0ubuntu0.18.04.5  
   python3-openvswitch             2.9.8-0ubuntu0.18.04.5

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6068-1  
   CVE-2023-1668

Package Information:  
   https://launchpad.net/ubuntu/+source/openvswitch/3.0.3-0ubuntu0.22.10.3  
   https://launchpad.net/ubuntu/+source/openvswitch/2.17.5-0ubuntu0.22.04.2  
   https://launchpad.net/ubuntu/+source/openvswitch/2.13.8-0ubuntu1.2  
   https://launchpad.net/ubuntu/+source/openvswitch/2.9.8-0ubuntu0.18.04.5

Ubuntu Security Notice USN-6068-1

Ubuntu Security Notice 6067-1 - David Sinquin discovered that OpenStack Neutron incorrectly handled the default Open vSwitch firewall rules. An attacker could possibly use this issue to impersonate the IPv6 addresses of other systems on the network. This issue only affected Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. Jake Yip and Justin Mammarella discovered that OpenStack Neutron incorrectly handled the linuxbridge driver when ebtables-nft is being used. An attacker could possibly use this issue to impersonate the hardware address of other systems on the network. This issue only affected Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.

==========================================================================  
Ubuntu Security Notice USN-6067-1  
May 10, 2023

neutron vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in OpenStack Neutron.

Software Description:  
- neutron: OpenStack Virtual Network Service

Details:

David Sinquin discovered that OpenStack Neutron incorrectly handled the  
default Open vSwitch firewall rules. An attacker could possibly use this  
issue to impersonate the IPv6 addresses of other systems on the network.  
This issue only affected Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.  
(CVE-2021-20267)

Jake Yip and Justin Mammarella discovered that OpenStack Neutron  
incorrectly handled the linuxbridge driver when ebtables-nft is being  
used. An attacker could possibly use this issue to impersonate the hardware  
addresss of other systems on the network. This issue only affected Ubuntu  
18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-38598)

Pavel Toporkov discovered that OpenStack Neutron incorrectly handled  
extra_dhcp_opts values. An attacker could possibly use this issue to  
reconfigure dnsmasq. This issue only affected Ubuntu 18.04 LTS, and Ubuntu  
20.04 LTS. (CVE-2021-40085)

Slawek Kaplonski discovered that OpenStack Neutron incorrectly handled the  
routes middleware. An attacker could possibly use this issue to cause the  
API worker to consume memory, leading to a denial of service. This issue  
only affected Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2021-40797)

It was discovered that OpenStack Neutron incorrectly handled certain  
queries. A remote authenticated user could possibly use this issue to cause  
resource consumption, leading to a denial of service. (CVE-2022-3277)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   python3-neutron                 2:20.3.0-0ubuntu1.1

Ubuntu 20.04 LTS:  
   python3-neutron                 2:16.4.2-0ubuntu6.2

Ubuntu 18.04 LTS:  
   python-neutron                  2:12.1.1-0ubuntu8.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6067-1  
   CVE-2021-20267, CVE-2021-38598, CVE-2021-40085, CVE-2021-40797,  
   CVE-2022-3277

Package Information:  
   https://launchpad.net/ubuntu/+source/neutron/2:20.3.0-0ubuntu1.1  
   https://launchpad.net/ubuntu/+source/neutron/2:16.4.2-0ubuntu6.2  
   https://launchpad.net/ubuntu/+source/neutron/2:12.1.1-0ubuntu8.1

Tag

#ubuntu