It has been discovered that Poppler 22.07., a PDF rendering library used by several popular applications, contains a flaw in PDFDoc::savePageAs in PDFDoc.c that allows a malicious actor to craft a PDF file which crashes the application with a SIGABRT signal, resulting in denial of service (DoS). The issue stems from an incomplete fix for CVE-2018-20662.

Details

The vulnerability exists in the PDFDoc::savePageAs method and results from incorrect handling of cross-reference (xref) data structures during getCatalog processing. A crafted PDF file with a specially manipulated xref table causes the application to terminate with the abort signal SIGABRT, affecting the availability of the service.

Here is a code snippet highlighting the problematic area in Poppler's PDFDoc.c:

void PDFDoc::savePageAs(int pageNo, const char *xmlOutputfile) {
  ...                                      // setup elided
  for (int i = 1; i <= getNumPages(); ++i) {
    ...
    obj1 = catalogObj.dictFetch("Pages");  // reference taken straight from the catalog dictionary
    ...
    int res = addObjectToSet(&pagesSet, obj1.getRef());  // the reference is never checked against the xref table
    if (res != -1) {
      ...
    }
  }
  ...
}

This code iterates through the pages of a PDF document and fetches the "Pages" object from the catalog dictionary. However, it does not ensure that the object's reference is actually valid within the xref table. A maliciously crafted PDF can therefore make addObjectToSet return -1, which in turn leads to the SIGABRT.

The known exploit demonstrates that an attacker can purposely create a PDF file which, when processed, crashes applications that use Poppler as their PDF rendering library, such as Evince or Okular.

Original references for this vulnerability can be found here:

1. CVE-2022-37050 NVD Information
2. Poppler's GitHub Repository
3. Previous CVE-2018-20662 Improper Fix

Impact and Mitigation

An attacker who successfully exploits this vulnerability can compromise the availability of the affected application, leading to denial of service. This poses a significant risk to any application that uses the Poppler library to render PDF files. Users are advised to update to the latest version of Poppler, or to a fixed version once it is released.

As a temporary mitigation, users can avoid opening untrusted PDF files with applications that use the vulnerable Poppler version, which considerably reduces the attack surface. Developers should also apply input validation and error handling (for example, try-catch blocks and checks for invalid xref objects) so that their applications behave robustly when given malformed input.
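One way to perform the "invalid xref object check" mentioned above, and to catch the unvalidated catalog /Pages reference described in the snippet's discussion, is to pre-screen a file before handing it to a renderer. The following Python checker is an added example and is not Poppler's code: it parses a classic (single-section) xref table, resolves the trailer's /Root and the catalog's /Pages references, and reports any reference that has no xref entry, is marked free, or whose xref offset does not point at the expected object header. The sample PDFs are constructed inline by build_pdf so the example runs offline; xref streams and multi-section tables are out of scope and assumed absent.

```python
"""Pre-screen a PDF's cross-reference table before passing it to a renderer."""
import re
from typing import Dict, List, Tuple

# One classic xref entry: 10-digit offset, 5-digit generation, 'n' (in use) or 'f' (free).
XREF_ENTRY = re.compile(rb"(\d{10}) (\d{5}) ([nf])")
# An indirect reference such as "/Pages 2 0 R" inside a dictionary.
REF = re.compile(rb"/(\w+)\s+(\d+)\s+(\d+)\s+R")


def build_pdf(pages_ref: str = "2 0 R", free_obj: int = 0) -> bytes:
    """Constructed sample: a three-object PDF with a classic xref table.

    pages_ref lets the catalog point at an arbitrary object (e.g. a missing one);
    free_obj marks that object number as free in the xref to simulate a dangling ref.
    """
    objects = [
        b"<< /Type /Catalog /Pages " + pages_ref.encode() + b" >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n" % (len(objects) + 1)
    out += b"0000000000 65535 f \n"
    for num, off in enumerate(offsets, start=1):
        kind = b"f" if num == free_obj else b"n"
        out += b"%010d 00000 %s \n" % (off, kind)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\n" % (len(objects) + 1)
    out += b"startxref\n%d\n%%%%EOF\n" % xref_pos
    return bytes(out)


def parse_xref(data: bytes) -> Tuple[Dict[int, Tuple[int, str]], bytes]:
    """Return {object number: (offset, kind)} plus the raw trailer dictionary."""
    m = re.search(rb"startxref\s+(\d+)\s+%%EOF", data)
    if not m:
        raise ValueError("missing startxref")
    pos = int(m.group(1))
    if pos >= len(data) or not data.startswith(b"xref", pos):
        raise ValueError("startxref does not point at an xref table")
    hdr = re.match(rb"xref\s+(\d+)\s+(\d+)\s*", data[pos:])
    start, count = int(hdr.group(1)), int(hdr.group(2))
    cursor = pos + hdr.end()
    table: Dict[int, Tuple[int, str]] = {}
    for i in range(count):
        entry = XREF_ENTRY.match(data, cursor)
        if not entry:
            raise ValueError("truncated xref table")
        table[start + i] = (int(entry.group(1)), entry.group(3).decode())
        cursor = entry.end() + 2  # each entry is exactly 20 bytes including the EOL pair
    trailer = re.search(rb"trailer\s*(<<.*?>>)", data[cursor:], re.S)
    if not trailer:
        raise ValueError("missing trailer")
    return table, trailer.group(1)


def find_object(data: bytes, table: Dict[int, Tuple[int, str]], num: int) -> bytes:
    """Resolve object `num` through the xref, refusing dangling or inconsistent entries."""
    if num not in table:
        raise ValueError(f"object {num} has no xref entry")
    off, kind = table[num]
    if kind != "n":
        raise ValueError(f"object {num} is marked free in xref")
    if off >= len(data):
        raise ValueError(f"xref offset {off} for object {num} is beyond EOF")
    hdr = re.match(rb"(\d+)\s+(\d+)\s+obj\b", data[off:])
    if not hdr or int(hdr.group(1)) != num:
        raise ValueError(f"xref offset for object {num} does not point at '{num} 0 obj'")
    return data[off + hdr.end():data.index(b"endobj", off)]


def check_pdf(data: bytes) -> List[str]:
    """Return findings about the catalog and /Pages references; [] means they resolve."""
    try:
        table, trailer = parse_xref(data)
    except ValueError as exc:
        return [f"xref: {exc}"]
    refs = {k.decode(): int(n) for k, n, _gen in REF.findall(trailer)}
    if "Root" not in refs:
        return ["trailer has no /Root reference"]
    try:
        catalog = find_object(data, table, refs["Root"])
    except ValueError as exc:
        return [f"/Root: {exc}"]
    findings: List[str] = []
    if b"/Type /Catalog" not in catalog:
        findings.append("/Root object is not a /Catalog")
    cat_refs = {k.decode(): int(n) for k, n, _gen in REF.findall(catalog)}
    if "Pages" not in cat_refs:
        return findings + ["catalog has no /Pages reference"]
    try:
        pages = find_object(data, table, cat_refs["Pages"])  # the check the snippet lacks
    except ValueError as exc:
        return findings + [f"/Pages: {exc}"]
    if b"/Type /Pages" not in pages:
        findings.append("/Pages reference does not resolve to a /Pages node")
    return findings


if __name__ == "__main__":
    samples = [("well-formed", build_pdf()),
               ("dangling /Pages", build_pdf("9 0 R")),
               ("free /Pages entry", build_pdf(free_obj=2))]
    for label, pdf in samples:
        print(f"{label}: {check_pdf(pdf) or 'ok'}")
```

Running the block prints one line per constructed sample; the well-formed file passes, while the two malformed variants are rejected before any renderer sees them. A real pre-screener would additionally need to follow /Prev chains and parse xref streams, which this example deliberately leaves out.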

Conclusion

CVE-2022-37050 is a denial-of-service vulnerability found in Poppler 22.07. involving the improper handling of cross-reference data structures in PDFDoc's savePageAs function. Users and developers are urged to update to the latest Poppler version or apply appropriate mitigations as soon as possible, given the widespread use of Poppler in popular PDF readers and rendering libraries.

Timeline

Published on: 08/22/2023 19:16:00 UTC
Last modified on: 10/16/2023 14:15:00 UTC