CVE-2017-6840

Experiment Environment

Ubuntu 14.04 LTS

INSTALL & Configuration

download PoDoFo from sourceforge (the stack trace below was taken against PoDoFo 0.9.5)
tar xvf podofo.tar.gz
cd podofo
mkdir build
cd build
cmake -G "Unix Makefiles" -DCMAKE_INSTALL_PREFIX="`pwd`/../podofo" -DCMAKE_BUILD_TYPE=Debug ..
make
make install

To reproduce the AddressSanitizer report below rather than a plain segfault, add -DCMAKE_C_FLAGS=-fsanitize=address -DCMAKE_CXX_FLAGS=-fsanitize=address to the cmake invocation (the same flags are used at link time, so no separate linker flags are needed).

Problems in Installation & Configuration

CMake Error at /usr/share/cmake-2.8/Modules/FindPackageHandleStandardArgs.cmake:108 (message):
Could NOT find FREETYPE (missing: FREETYPE_LIBRARY FREETYPE_INCLUDE_DIR)

sudo apt-get install libfreetype6-dev

Could not find fontconfig

sudo apt-get install libfontconfig1-dev

CMake Error at CMakeLists.txt:36 (CMAKE_POLICY): Policy "CMP0033" is not known to this version of CMake.

solution 1: use a newer CMake (policy CMP0033 was introduced in CMake 3.0; Ubuntu 14.04 ships 2.8.12)
solution 2: delete the CMAKE_POLICY call at CMakeLists.txt:36

How to trigger vulnerability

podofocolor dummy $FILE foo

dummy is the podofocolor converter name, $FILE is one of the PoC PDFs and foo is the output file name. The crash is reached while podofocolor walks the page content streams (see ReplaceColorsInPage in the trace below), so the output file's contents do not matter.

PoCs

Inside the folder 00215-podofo-invalidread-colorchanger-cpp

Vulnerability Details & Patch

Root Cause

Stack Trace

AddressSanitizer report from podofocolor built with ASan on PoDoFo 0.9.5 (the source paths are from the reporter's Gentoo build). The faulting address 0xffffffffffffffe0 is -0x20 as a signed 64-bit value, i.e. a read a few dozen bytes below address zero. That page is unmapped rather than redzoned, which is why ASan reports a bare SEGV and "can not provide additional info" instead of a heap or stack overflow.

==9073==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffffffffffe0 (pc 0x000000537d67 bp 0x7ffc54cb3c50 sp 0x7ffc54cb3ba0 T0)
==9073==The signal is caused by a READ memory access.
    #0 0x537d66 in ColorChanger::GetColorFromStack(int, std::vector<PoDoFo::PdfVariant, std::allocator<PoDoFo::PdfVariant> >&) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofocolor/colorchanger.cpp:416:32
    #1 0x530d50 in ColorChanger::ProcessColor(ColorChanger::EKeywordType, int, std::vector<PoDoFo::PdfVariant, std::allocator<PoDoFo::PdfVariant> >&, GraphicsStack&) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofocolor/colorchanger.cpp:449:28
    #2 0x52c2a9 in ColorChanger::ReplaceColorsInPage(PoDoFo::PdfCanvas*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofocolor/colorchanger.cpp:214:31
    #3 0x526921 in ColorChanger::start() /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofocolor/colorchanger.cpp:120:15
    #4 0x523b8d in main /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofocolor/podofocolor.cpp:116:12
    #5 0x7f36fe7fe78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x4300e8 in _start (/usr/bin/podofocolor+0x4300e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofocolor/colorchanger.cpp:416:32 in ColorChanger::GetColorFromStack(int, std::vector<PoDoFo::PdfVariant, std::allocator<PoDoFo::PdfVariant> >&)
==9073==ABORTING

References

https://blogs.gentoo.org/ago/2017/03/02/podofo-invalid-memory-read-in-colorchangergetcolorfromstack-colorchanger-cpp/
