Bug 780489 (CVE-2021-20308, CVE-2021-23158, CVE-2021-23165, CVE-2021-23180, CVE-2021-23191, CVE-2021-23206, CVE-2021-26252, CVE-2021-26259, CVE-2021-26948, CVE-2021-40985, CVE-2021-43579, CVE-2022-0534, CVE-2022-24191, CVE-2022-27114, CVE-2022-28085) - app-text/htmldoc: multiple vulnerabilities
Summary: app-text/htmldoc: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2021-20308, CVE-2021-23158, CVE-2021-23165, CVE-2021-23180, CVE-2021-23191, CVE-2021-23206, CVE-2021-26252, CVE-2021-26259, CVE-2021-26948, CVE-2021-40985, CVE-2021-43579, CVE-2022-0534, CVE-2022-24191, CVE-2022-27114, CVE-2022-28085
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/michaelrsweet/html...
Whiteboard: B2 [ebuild]
Reported: 2021-04-06 01:58 UTC by John Helmert III
Modified: 2022-05-12 02:55 UTC
Package list:
Runtime testing required: ---
Description John Helmert III gentoo-dev Security 2021-04-06 01:58:44 UTC
CVE-2021-20308:

Integer overflow in the htmldoc 1.9.11 and before may allow attackers to execute arbitrary code and cause a denial of service that is similar to CVE-2017-9181.
Comment 1 John Helmert III gentoo-dev Security 2021-04-06 21:52:05 UTC
Actually, looks like there is no released version available.
Comment 2 John Helmert III gentoo-dev Security 2021-05-23 03:18:00 UTC
Numerous vulnerabilities fixed in 1.9.12:

    Fixed a crash bug with "data:" URIs and EPUB output (Issue #410)
    Fixed crash bugs for books (Issue #412, Issue #414)
    Fixed a number-up crash bug (Issue #413)
    Fixed JPEG error handling (Issue #415)
    Fixed crash bugs with bogus table attributes (Issue #416, Issue #417)
    Fixed a crash bug with malformed URIs (Issue #418)
    Fixed a crash bug with malformed GIF files (Issue #423)
    Fixed a crash bug with empty titles (Issue #425)
    Fixed crash bugs with bogus text (Issue #426, Issue #429, Issue #430, Issue #431)
    Fixed some issues reported by Coverity.
    Removed the bundled libjpeg, libpng, and zlib.
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:23:19 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:31:39 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:39:36 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:47:46 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:03:42 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 18:12:01 UTC
Package list is empty or all packages have requested keywords.
Comment 9 John Helmert III gentoo-dev Security 2021-11-03 19:18:00 UTC
CVE-2021-40985:

Buffer overflow vulnerability in htmldoc before 1.9.12, allows attackers to cause a denial of service via a crafted BMP image to image_load_bmp.
Comment 10 John Helmert III gentoo-dev Security 2021-11-05 20:17:26 UTC
More in 1.9.13:

- Fixed an issue with large values for roman numerals and letters in headings (Issue #433)
- Fixed a crash bug when a HTML comment contains an invalid nul character (Issue #439)
- Fixed a crash bug with bogus BMP images (Issue #444)
- Fixed a potential heap overflow bug with bogus GIF images (Issue #451)
- Fixed a potential stack overflow bug with bogus BMP images (Issue #453)
Comment 11 filip ambroz 2022-01-10 17:51:59 UTC
CVE-2021-43579

A stack-based buffer overflow in image_load_bmp() in HTMLDOC <= 1.9.13 results in remote code execution if the victim converts an HTML document linking to a crafted BMP file.

URLs:
https://nvd.nist.gov/vuln/detail/CVE-2021-43579
https://github.com/michaelrsweet/htmldoc/issues/456

Fixed in:
HTMLDOC 1.9.14 is a bug fix release. Changes include:

    BMP image support is now deprecated and will be removed in a future release of HTMLDOC.
    Fixed a potential stack overflow bug with GIF images.
    Fixed the PDF creation date (Issue #455)
    Fixed a potential stack overflow bug with BMP images (Issue #456)
    Fixed a compile issue when libpng was not available (Issue #458)
Comment 12 John Helmert III gentoo-dev Security 2022-02-05 20:14:13 UTC
More in 1.9.15:

- Fixed a potential heap overflow bug with GIF images (Issue #461)
- Fixed a potential double-free bug with PNG images (Issue #462)
- Fixed a potential stack overflow bug with GIF images (Issue #463)
- Fixed a potential heap underflow bug with empty attributes (Issue #464)
- Fixed a potential stack overflow bug with BMP images (Issue #466)
- Fixed a potential heap overflow bug with the table-of-contents (Issue #467)
- Fixed a potential heap overflow bug with headings (Issue #468)
- Fixed a potential stack overflow bug with GIF images (Issue #470)
Comment 13 John Helmert III gentoo-dev Security 2022-02-10 22:51:02 UTC
CVE-2022-0534 (https://github.com/michaelrsweet/htmldoc/issues/463):

A vulnerability was found in htmldoc version 1.9.15 where the stack out-of-bounds read takes place in gif_get_code() and occurs when opening a malicious GIF file, which can result in a crash (segmentation fault).

Contrary to the CVE description, the patch is in 1.9.15.
Comment 14 John Helmert III gentoo-dev Security 2022-02-24 22:20:54 UTC
CVE-2021-26252 (https://bugzilla.redhat.com/show_bug.cgi?id=1967009):

A flaw was found in htmldoc in v1.9.12. Heap buffer overflow in pspdf_prepare_page(), in ps-pdf.cxx may lead to execute arbitrary code and denial of service.
Comment 15 John Helmert III gentoo-dev Security 2022-03-03 14:30:12 UTC
CVE-2021-23180 (https://ubuntu.com/security/CVE-2021-23180):

A flaw was found in htmldoc in v1.9.12 and before. Null pointer dereference in file_extension(), in file.c may lead to execute arbitrary code and denial of service.

CVE-2021-23191 (https://ubuntu.com/security/CVE-2021-23191):

A security issue was found in htmldoc v1.9.12 and before. A NULL pointer dereference in the function image_load_jpeg() in image.cxx may result in denial of service.

CVE-2021-23206 (https://ubuntu.com/security/CVE-2021-23206):

A flaw was found in htmldoc in v1.9.12 and prior. A stack buffer overflow in parse_table() in ps-pdf.cxx may lead to execute arbitrary code and denial of service.
Comment 16 John Helmert III gentoo-dev Security 2022-03-03 14:31:19 UTC
(In reply to John Helmert III from comment #15)
> CVE-2021-23180 (https://ubuntu.com/security/CVE-2021-23180):
> 
> A flaw was found in htmldoc in v1.9.12 and before. Null pointer dereference
> in file_extension(), in file.c may lead to execute arbitrary code and denial
> of service.
> 
> CVE-2021-23191 (https://ubuntu.com/security/CVE-2021-23191):
> 
> A security issue was found in htmldoc v1.9.12 and before. A NULL pointer
> dereference in the function image_load_jpeg() in image.cxx may result in
> denial of service.
> 
> CVE-2021-23206 (https://ubuntu.com/security/CVE-2021-23206):
> 
> A flaw was found in htmldoc in v1.9.12 and prior. A stack buffer overflow in
> parse_table() in ps-pdf.cxx may lead to execute arbitrary code and denial of
> service.

https://github.com/michaelrsweet/htmldoc/issues/416
https://github.com/michaelrsweet/htmldoc/issues/418
https://github.com/michaelrsweet/htmldoc/issues/415

Patches are in 1.9.12, contrary to CVE description.
Comment 17 John Helmert III gentoo-dev Security 2022-03-04 03:07:46 UTC
CVE-2021-26259 (https://github.com/michaelrsweet/htmldoc/issues/417):

A flaw was found in htmldoc in v1.9.12. Heap buffer overflow in render_table_row(), in ps-pdf.cxx may lead to arbitrary code execution and denial of service.

CVE-2021-26948 (https://github.com/michaelrsweet/htmldoc/issues/410):

Null pointer dereference in the htmldoc v1.9.11 and before may allow attackers to execute arbitrary code and cause a denial of service via a crafted html file.

Fixes in 1.9.12.
Comment 18 John Helmert III gentoo-dev Security 2022-03-19 02:41:56 UTC
CVE-2021-23158 (https://github.com/michaelrsweet/htmldoc/issues/414):
https://bugzilla.redhat.com/show_bug.cgi?id=1967018

A flaw was found in htmldoc in v1.9.12. Double-free in function pspdf_export(), in ps-pdf.cxx may result in a write-what-where condition, allowing an attacker to execute arbitrary code and denial of service.

CVE-2021-23165 (https://github.com/michaelrsweet/htmldoc/issues/413):
https://bugzilla.redhat.com/show_bug.cgi?id=1967014

A flaw was found in htmldoc before v1.9.12. Heap buffer overflow in pspdf_prepare_outpages(), in ps-pdf.cxx may lead to execute arbitrary code and denial of service.
Comment 19 John Helmert III gentoo-dev Security 2022-04-04 15:46:06 UTC
CVE-2022-24191 (https://github.com/michaelrsweet/htmldoc/issues/470):

In HTMLDOC 1.9.14, an infinite loop in the gif_read_lzw function can lead to a pointer arbitrarily pointing to heap memory and resulting in a buffer overflow.
Comment 20 John Helmert III gentoo-dev Security 2022-05-02 20:14:43 UTC
CVE-2022-28085 (https://github.com/michaelrsweet/htmldoc/commit/46c8ec2b9bccb8ccabff52d998c5eee77a228348):

A flaw was found in htmldoc commit 31f7804. A heap buffer overflow in the function pdf_write_names in ps-pdf.cxx may lead to arbitrary code execution and Denial of Service (DoS).
Comment 21 John Helmert III gentoo-dev Security 2022-05-12 02:55:21 UTC
CVE-2022-27114 (https://github.com/michaelrsweet/htmldoc/commit/31f780487e5ddc426888638786cdc47631687275):
https://github.com/michaelrsweet/htmldoc/issues/471

There is a vulnerability in htmldoc 1.9.16. In image_load_jpeg function image.cxx when it calls malloc, 'img->width' and 'img->height' they are large enough to cause an integer overflow. So, the malloc function may return a heap block smaller than the expected size, and it will cause a buffer overflow/Address boundary error in the jpeg_read_scanlines function.
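The width*height integer overflow described in CVE-2022-27114 above is the general pattern where an allocation size computed from untrusted image dimensions wraps around and malloc hands back a block smaller than the decoder will write into. The following is an added example, not htmldoc's code, of the overflow-checked size computation that closes that gap; the function names, the 32-bit "naive" variant that reproduces the wrap, and the sample dimensions are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Compute width * height * depth bytes, refusing the request if any
 * intermediate product would wrap around size_t. Returns 1 and stores the
 * byte count in *out on success, 0 if the (untrusted) dimensions would
 * overflow or describe an empty image. Illustrative code, not htmldoc's. */
int image_buffer_size(unsigned width, unsigned height, unsigned depth, size_t *out)
{
    if (width == 0 || height == 0 || depth == 0)
        return 0;                       /* an empty image is not a valid buffer */
    size_t w = width, h = height, d = depth;
    if (w > SIZE_MAX / h)
        return 0;                       /* w * h would wrap size_t */
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / d)
        return 0;                       /* pixels * d would wrap size_t */
    *out = pixels * d;
    return 1;
}

/* Convenience wrapper: the checked byte count, or 0 when the dimensions
 * are rejected. Keeps the result in a return value so it is easy to test. */
size_t checked_size_or_zero(unsigned width, unsigned height, unsigned depth)
{
    size_t n;
    return image_buffer_size(width, height, depth, &n) ? n : 0;
}

/* Allocate the pixel buffer only after the size check passes. Returns NULL
 * on overflow or allocation failure, so a caller never receives a block
 * that is smaller than the dimensions imply. */
unsigned char *alloc_image_pixels(unsigned width, unsigned height, unsigned depth)
{
    size_t n;
    if (!image_buffer_size(width, height, depth, &n))
        return NULL;
    return calloc(n, 1);
}

/* Mimic the unchecked computation the CVE describes, done in 32-bit
 * unsigned arithmetic so the wrap-around is well defined and identical on
 * every platform: the requested size silently shrinks modulo 2^32. */
uint32_t naive_size32(uint32_t width, uint32_t height, uint32_t depth)
{
    return width * height * depth;      /* wraps modulo 2^32 */
}

int main(void)
{
    /* Constructed header values: 65536 x 65536 pixels, 1 byte per pixel.
     * The true size is 2^32 bytes; the 32-bit product wraps to 0. */
    unsigned w = 65536, h = 65536, d = 1;
    printf("naive 32-bit size: %u bytes\n", (unsigned)naive_size32(w, h, d));
    size_t n;
    if (image_buffer_size(w, h, d, &n))
        printf("checked size: %zu bytes\n", n);
    else
        printf("checked size: rejected (overflow)\n");

    /* Dimensions that overflow even a 64-bit size_t are rejected outright. */
    unsigned char *p = alloc_image_pixels(4294967295u, 4294967295u, 4);
    printf("oversized request: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

The ordering matters: the check has to run before any arithmetic that could wrap, which is why each factor is compared against SIZE_MAX divided by the next one rather than testing the product afterwards. Compilers that provide __builtin_mul_overflow can express the same check more compactly, but the division form is portable C.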