Poppler is a widely-used open-source PDF rendering library. It’s found in countless Linux systems (as the engine behind tools like pdftotext and Okular) and used in many server-side and desktop applications for handling PDF files. In July 2022, a security vulnerability registered as CVE-2022-37052 was disclosed that affects Poppler version 22.07.. This bug allows attackers to cause a Denial of Service (DoS) by taking advantage of a reachable assertion in the Object::getString function.

Below, I’ll explain what the bug is, how it works, see a sample exploit, and reference original researcher notes for further reading.

What Is CVE-2022-37052? (The Simple Version)

At its core, this issue is a programming error in Poppler: when certain PDF objects are processed, Poppler mistakenly assumes an object is a string. If a specially crafted PDF file tricks Poppler into running the Object::getString method on something that isn’t actually a string, Poppler hits a failed assumption and crashes.

Specifically, in Poppler’s code, there’s a markObject function. If markObject returns incorrectly, and later code tries to use getString (expecting a string object), an assertion will fail, leading to a crash. Attackers can exploit this by making a booby-trapped PDF file—when you open it, the application or tool simply exits or crashes.

This isn’t a bug that lets someone run code on your system. But, if you are running Poppler as a PDF-to-text processor in the background (like in a web service or email filter), this could be used to take those systems offline by causing repeated crashes.

Where Is the Vulnerability?

The dangerous code lies around how Poppler marks and parses PDF objects. Here’s a simplified snippet, focusing on the vulnerable pattern:

Object obj;
...
if (markObject(obj)) { // Marking the object
    // Dangerous assumption: obj is a string!
    const GooString *str = obj.getString(); // Vulnerable to assertion failure if not actually a string
    ...
}

If an attacker crafts a PDF where markObject returns success for a non-string object, getString() will hit an assertion and abort the program.

Have Poppler execute getString on this object, causing a crash.

An actual exploit is simple: just open the malicious PDF file with any application using an unpatched Poppler 22.07., and the application will crash.

Example: Malicious PDF Snippet

Here’s a highly-simplified look at what part of a malicious PDF object might look like (*actual crafting requires PDF internals knowledge, but this is for illustration*):

%PDF-1.7
1  obj
  <<
    /Type /Example
    /FakeString 1  R % Reference to self or to a non-string
  >>
endobj

If the Poppler parser is tricked into treating /FakeString as a string with the value being an indirect reference (which is invalid), getString() crashes because it gets an object of a different type.

Proof of Crash (pseudo-bash, using pdftotext)

$ pdftotext malicious.pdf 
pdftotext: poppler/Object.h:123: const GooString* Object::getString() const: Assertion `type == objString' failed.
Aborted (core dumped)

Original References and Further Reading

- CVE-2022-37052 – NIST National Vulnerability Database
- Poppler Changelog (upstream fix) — (the upstream patch for the assertion error)
- Exploit database entry — (includes a crafted PDF sample)

How is it Fixed?

The Poppler team quickly patched this by making sure types are checked before calling methods like getString(), so such mis-handling won’t happen even if the PDF file is invalid or malicious.

The fix can be seen in this Git commit.

If you package or use Poppler (or any tool using it), upgrade to the newest patched version.

- If you run shared PDF services, make sure to run software as a non-privileged user, apply resource limits, and upgrade your packages.

Conclusion

CVE-2022-37052 is a stark reminder that even robust open-source libraries can have small code assumptions that cause big headaches. While it doesn’t allow remote code execution, denial-of-service can be serious for automated PDF processing pipelines or web services. Upgrading and proper sandboxing are your best tools for defense.

Timeline

Published on: 08/22/2023 19:16:00 UTC
Last modified on: 08/25/2023 20:17:00 UTC