Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 589826 (CVE-2016-6265) - <app-text/mupdf-1.10a: use-after-free (CVE-2016-6265)
Summary: <app-text/mupdf-1.10a: use-after-free (CVE-2016-6265)
Status: RESOLVED FIXED
Alias: CVE-2016-6265
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor with 1 vote (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-07-27 09:30 UTC by Agostino Sarubbo
Modified: 2017-02-19 12:50 UTC (History)
1 user (show)

See Also:
Package list:
=app-text/mupdf-1.10a =dev-lang/mujs-0_p20161202 arm ppc =app-text/llpp-23 amd64 ppc x86
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-07-27 09:30:38 UTC 
From ${URL} :

Hi,

I disclosed a UAF in MuPDF, you can find the reproducer and report here:

http://bugs.ghostscript.com/show_bug.cgi?id=696941

I put a partially symbolicated ASAN report here for reference

Marco

-----

➜  mupdf ./mupdf_debug/build/debug/mupdf-x11 mucrash1.pdf 2>&1 |
asan_symbolize-3.8
warning: broken xref section, proceeding anyway.
=================================================================
==24575==ERROR: AddressSanitizer: heap-use-after-free on address
0x61700000fda8 at pc 0x0000006b0a54 bp 0x7ffcb040dbb0 sp 0x7ffcb040dba8
READ of size 4 at 0x61700000fda8 thread T0
    #0 0x6b0a53 in pdf_load_xref
/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/pdf/pdf-xref.c:1188
    #1 0x6b0a53 in ?? ??:0
    #2 0x6aac73 in pdf_init_document
/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/pdf/pdf-xref.c:1440
    #3 0x6aac73 in ?? ??:0
    #4 0x6ad4ae in pdf_open_document
/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/pdf/pdf-xref.c:2347
    #5 0x6ad4ae in ?? ??:0
    #6 0x5183d2 in fz_open_document
/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/fitz/document.c:129
    #7 0x5183d2 in ?? ??:0
    #8 0x4fbb2b in pdfapp_open_progressive
/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/platform/x11/pdfapp.c:317
    #9 0x4fbb2b in ?? ??:0
    #10 0x4fb708 in pdfapp_open
/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/platform/x11/pdfapp.c:213
    #11 0x4fb708 in ?? ??:0
    #12 0x4f01df in main
/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/platform/x11/x11_main.c:888
    #13 0x4f01df in ?? ??:0
    #14 0x7f6b723ef82f in __libc_start_main
/build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #15 0x7f6b723ef82f in ?? ??:0
    #16 0x41ad98 in _start ??:?
    #17 0x41ad98 in ?? ??:0

0x61700000fda8 is located 296 bytes inside of 768-byte region
[0x61700000fc80,0x61700000ff80)
freed by thread T0 here:
    #0 0x4bad40 in __interceptor_cfree.localalias.0 asan_malloc_linux.cc.o:?
    #1 0x4bad40 in ?? ??:0
    #2 0x516018 in fz_free_default
/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/fitz/memory.c:225
    #3 0x516018 in ?? ??:0

previously allocated by thread T0 here:
    #0 0x4baec8 in malloc ??:?
    #1 0x4baec8 in ?? ??:0
    #2 0x515f68 in fz_malloc_default
/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/fitz/memory.c:213
    #3 0x515f68 in ?? ??:0
    #4 0x6b9aae in pdf_xref_find_subsection
/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/source/pdf/pdf-xref.c:740
    #5 0x6b9aae in ?? ??:0

SUMMARY: AddressSanitizer: heap-use-after-free
(/media/bob/e4109b52-3574-43a8-b95d-33b3494128de/misc/mupdf/mupdf_debug/build/debug/mupdf-x11+0x6b0a53)
Shadow bytes around the buggy address:
  0x0c2e7fff9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff9f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fff9f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fff9fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2e7fff9fb0: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fff9fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fff9fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fff9fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e7fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e7fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24575==ABORTING


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 afarah 2016-10-12 01:37:02 UTC 
There's a fix upstream for three months now.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-11-26 01:39:02 UTC 
CVE-2016-6265 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6265):
  Use-after-free vulnerability in the pdf_load_xref function in pdf/pdf-xref.c
  in MuPDF allows remote attackers to cause a denial of service (crash) via a
  crafted PDF file.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-11-26 01:45:51 UTC 
Fixed in version 1.10 upstream.
Comment 4 charles17 2016-12-20 07:37:10 UTC 
See https://github.com/gentoo/gentoo/pull/3108/
Comment 5 Michael Weber (RETIRED) gentoo-dev 2017-01-23 00:34:01 UTC 
Version containing fixes (1.10a) is in tree now.

commit 290927105365ff1f2374f383d7135ecf17f41cb1
Author: Michael Weber <xmw@gentoo.org>
Date:   Mon Jan 23 01:31:02 2017 +0100

    app-text/mupdf: Version bump (https://github.com/gentoo/gentoo/pull/3108, thanks charIes17).
    
    Package-Manager: Portage-2.3.3, Repoman-2.3.1
Comment 6 Agostino Sarubbo gentoo-dev 2017-01-23 14:48:33 UTC 
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-01-23 14:49:05 UTC 
x86 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-24 05:27:41 UTC 
Stable for HPPA PPC64.
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-26 11:01:18 UTC 
ppc stable
Comment 10 Michael Weber (RETIRED) gentoo-dev 2017-02-01 07:43:01 UTC 
@arm: ping! Users are getting edgy, https://github.com/gentoo/gentoo/pull/3727
Comment 11 Markus Meier gentoo-dev 2017-02-05 16:58:55 UTC 
arm stable, all arches done.
Comment 12 Michael Weber (RETIRED) gentoo-dev 2017-02-05 17:26:07 UTC 
commit 2af6b2174d988ef90e8178a6c13839d33af70f35
Author: Michael Weber <xmw@gentoo.org>
Date:   Sun Feb 5 18:24:55 2017 +0100

    app-text/mupdf: Remove old versions (bug 600674, 590480, 589826).
    
    Package-Manager: Portage-2.3.3, Repoman-2.3.1
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2017-02-05 22:38:06 UTC 
added to GLSA.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2017-02-19 12:50:45 UTC 
This issue was resolved and addressed in
 GLSA 201702-12 at https://security.gentoo.org/glsa/201702-12
by GLSA coordinator Thomas Deutschmann (whissi).